Configure the "internet explorer processes (restrict file download)" setting.

Back

CONTROL ID
04353

CONTROL TYPE
Configuration

CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):

Configure Internet Browser security options according to organizational standards., CC ID: 02166

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

Files should not automatically run after they have been downloaded from a website. (§ 3.5.42, Australian Government ICT Security Manual (ACSI 33))
This setting prevents nonuser initiated download prompts from being displayed. The Internet Explorer Processes (Restrict File Download) setting should be Enabled. (Pg 88, Microsoft Windows Vista Security Guide Appendix A: Security Group Policy Settings)
The "Internet Explorer Processes (Restrict File Download)" setting should be configured correctly. (oval:gov.nist.fdcc.ie7:def:320, FDCC Windows IE7 SCAP content using OVAL (fdcc-ie7-oval.xml, fdcc-ie7-patches.xml), Version 5.4)
Internet Explorer Processes - Restrict File Download - Local Computer (IEProcesses_RestrictFileDownload_LocalComputer, NIST SCAP Microsoft Internet Explorer Version 7 (fdcc-ie7-xccdf.xml), FDCC IE7 (1.2) SCAP Content - OVAL 5.4)
In certain circumstances, Web sites can initiate file download prompts without interaction from users. This technique can allow Web sites to put unauthorized files on users' hard drives if they click the wrong button and accept the download. (xccdf_gov.nist_rule_IEProcesses_RestrictFileDownload_LocalComputer, oval:gov.nist.USGCB.ie7:def:320, oval:gov.nist.USGCB.ie7:tst:3724, oval:gov.nist.USGCB.ie7:obj:82, oval:gov.nist.USGCB.ie7:ste:3739, USGCB: Guidance for Securing Microsoft Internet Explorer 7, v1.2.3.1)
This setting prevents nonuser initiated download prompts from being displayed. The Internet Explorer Processes (Restrict File Download) setting should be Enabled. (Pg 96, NSA Guide to Security Microsoft Windows XP)