Works fine here must still be that URL hint interfering. I posted a more detailed tree in an earlier post on SP2 if you don't want to run a search for that registry key. Another thing the URL hint doesn't work with is the Add-Ons which load in the extra component for SOAP (IIRC)--google and dictionarypop. Nasty errors on every load.> Works fine here. Did you modify yours to have that URL hint in the > search.htm?
Yep.
> This > isn't as good as the zone it evidently gets put into when you > don't have > that in there and only set the FEATURE_LOCALMACHINE_LOCKDOWN registry > value for explorer.exe to 0. Try taking it out and restarting it.
I didn't know about that one, I'll try once I get a chance.
I see now I forgot to mention what the problem was; when I type "amaz ?" to get help, the help popup is rendered inside the toolbar - do you get that too, or does it float up nicely the way it used to?
Nah, it would feel bad to have the installer lower the user's security lockdown. Maybe we could build a separate little script to do it, and document it clearly, so people know what they're getting themselves into...? Of course, the best thing would be if DQSD just ran under the new ramifications, but I have a feeling that's going to be very hard to pull through.
Agreed.
The hackish disable-protection way isn't really good. Of our other three options:
*If your local HTML content currently runs inside of Internet Explorer and experiences problems due to this mitigation, you could save your content as an HTA (HTML application) file and try to execute the file again in the Local Machine zone. HTAs are hosted in a different process and therefore are not impacted by the mitigation. However, HTAs run with full privileges so they can be dangerous. Caution should be taken when allowing untrusted code to run in this manner.
*In scenarios where HTML documents are downloaded from the web, you can add a "mark of the Web" comment placed in the HTML file to their Web pages. For example, you might add *<!-- saved from url=(0023)http://www.contoso.com/ -->* to a Web page, where the (0023) value is the string length of your URL that follows it and Contoso is the name of your Web site. When Internet Explorer loads the file, it looks for a "saved from URL" comment, then reads the URL and uses the zone settings on the computer to determine what security policy to apply to the Web page. This Internet Explorer feature allows the HTML files to be forced into a zone other than the local zone, so that they can be assigned to the Internet zone and, with those reduced security privileges, run the script or ActiveX code.
*An alternative is to create a separate application that hosts the HTML content Internet Explorer Web Object Control (WebOC). The HTML is then no longer bound by the same rules that apply to content run in Internet Explorer. When the HTML content runs in that other process, it can have full rights as defined by the developer or zone policy for that process.
The middle one has issues. Some of which might be workaround-able in the code (browser border issue, loading add-ons, more?) No idea about the HTA or the web control. Will explorer load HTAs as Toolbars? I fumbled around a little in the registry replacing search.htm with search.hta without any luck. How do you get in and add a page as a toolbar?
Oh and we might want to roll back the CVS changes for the mark of the web thing from May 20 until we get things working at least.
Thad
-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
DQSD-Devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/dqsd-devel
