turning off Javascript

Mayayana wrote:
attribution lines re-added

Vanguard wrote:

echo DISABLE script and meta-refresh support in Internet Explorer ...
reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\In ternet

Settings\Zones\3" /v 1400 /t reg_dword /d 3 /f

It's actually much more complicated than that. IE settings are quite
literally unusable. 1400 is active scripting.

So scripting in the web page does get disabled as intended.

But 1402 is scripting of Java applets

Don't have Java installed. The OP asked about disabling Javascript.

1405 is scripting of AX controls marked as safe.

-extoff doesn't prevent loading of AX controls? Adobe Flash is an AX
control. When I load IE with add-ons disabled, sites that want to use
Flash will bitch that I must install Flash or they simply don't show
their streamed media via Flash.

Settings can exist in up to 8 locations. What you see in Internet
options is HKCU\Software.....Zones\3 --

That's where I change the IE setting via registry. I'm only changing
settings for my account hence editing the HKCU hive, not with me
interferring with settings that other users have set for themselves.

assuming you're setting Internet Zone settings.

Not concerned what my own local pages do (Local security zone). The
only pages there would be mine. I don't steal web content. If I
whitelist a site into the Trusted Zone, then I want scripting there;
else, they wouldn't be a trusted site. Currently I have no sites listed
in the Trusted Sites security zone. The Restricted Site security zone,
by default, has scripting disabled. The only place where scripting is
hazardous is the Internet security zone so that's where I change its
scripting and meta-refresh settings via registry changes.

So the first issue is to make sure neither you nor malware has added
any sites to other zones, because those won't be affected when you
adjust Zones\3.

I've yet to see malware do that (i.e., I've not been hit with such) but
it is possible. I use SpywareBlaster to add its blacklist of sites to
the Restricted Sites security zone.

My .bat to disable scripting is not an anti-malware shield for a
currently infected machine. If you are infected, much of whatever you
do is not guaranteed to neuter malware. You need to keep it out, not
try to manage it after it is in.

There's HKCU and HKLM.

Again, I'm only interested in how I setup *my* security zones. HKCU
(per-user settings) overrides HKLM (initial global settings). I'm
changing the security settings for *my* Windows session, not for
everyone's. If someone else wants to do the same, they can run the .bat
file to affect changes to *their* settings without ****ing up settings
for other users. That's the point of having an HKCU hive (which is a
pseudo hive built from HKLM with overrides from HKU).

I am not disabling scripting in IE for all Windows accounts, just the
one under which I can currently logged under. Also, it is not the
intent of my .bat file to permanently change the settings, only to
change them for a particular session of IE. Unlike NoScript that
distrusts every site (until whitelisted), I use my .bat file when
visiting unknown or untrusted web sites. NoScript distrusts in advance.
I relegate that responsibility to myself. If a site is misbehaving, I
won't bother using my .bat file and instead put them in the Restricted
Sites list assuming I expect to ever revisit that site again.

If Local Machine override is set (by admins or by malware)

Again, I'm not addressing how to undo the effects of malware. That's
for other software to handle. Once malware is in and effecting its
changes then all bets are off. Not even NoScript will protect against
existing malware. NoScript is not a behavioral monitor or HIPS (host
intrusion protection system). It's just a shield on incoming docs.

When I set anything in IE I do it in 8 places just to be thorough.

I'm not in a domain (no pushing of policies). I suspect the same for
the OP. If malware is active, no simple .bat file is going to overcome
the malware changing the registry even if it changed 8 different
registry areas. I'm only changing the settings effected within my
Windows session in my Windows account during a particular IE session,
not in trying to force other Windows accounts to use the same settings.

This is a "for me only" workaround, not a "for everyone" workaround, and
a .bat file is not going to thwart malware. If the host is connecting
to a PDC then a whole bunch of problems arise, like whether you have
admin privileges (for that workstation in the domain) to even edit the
registry. While I'm in the QA group and IT gave me admin privs for my
domain login so I can edit the registry (and how I override their screen
saver setup with their permission), the typical scenario in a domain
config is workstations do NOT have admin privs when logged into the
domain account. The employees also do not get the login credentials for
a local admin Windows account. So all the registry hacks to disable
scripting in IE won't work because those domain users can't modify the
registry.

Beyond the convoluted security settings mess there are different
settings for privacy and cookies. Then there are BHOs, which can
control IE. And Browser Extensions. Any of those can completely
control what you see and do in IE. I once wrote an Explorer Bar for
folder windows.

Does it load if -extoff is added to the command line to load IE?

I also wrote a mime filter, for use as a security filter. It gets
total control over the webpage *before* IE even sees it.

How would that not also affect other web browsers? MIME types are
registry definitions of what handler to which the web browser passes
control. That would seem to affect all web browsers.

I had use WinPatrol in the past and it checked for changes in MIME types
(changed MIME handler, added or deleted MIME handler). Alas, that
product was too flaky even in its latest version. It would not issue
the alerts until it had been exited and then reloaded. I was using the
free version which does not have an on-access (real-time) scanner, so
maybe the payware version with monitor works better.

It's not difficult. Any software on your system could be doing that,
fiddling with the pages you see or recording what you do. No similar
options exist for Firefox, as far as I know, because FF is
independent software.

I think that is what the Greasemonkey add-on is used for. It modifies
the document before the web browser gets to render it.

IE is vulnerable by design. Microsoft has designed the
shell,

I did not intend nor will now bother in getting into a debate about how
bad is IE or how much better are other web browsers. That's not what
the OP asked about. That's like asking parents whose kids are more cute
but the arguing participants don't really care about the other kids.

Jo-Anne wrote:
On 9/14/2015 8:26 AM, Mayayana wrote:
snip

The list of problems goes on and on. IE is a spectacularly
useful and powerful tool on the Desktop. I use it a lot
to make utility software as HTAs. As you well know,
scripters use it a lot to provide hacks that extend the
powers of script. *I love IE!* But all of that power --
all of that deep tie-in to the Windows system -- is also
what makes IE absolutely unfit for online use, no matter
what one does with the settings.



Thank you, Mayayana. I'm going to try NOT to use IE at all.


With regard to some of the IE security settings mentioned,
note that even Firefox will use some of the IE security settings.

So it's not like you can afford to entirely ignore that
security interface. There may be occasions where something
happens on one of your other browsers, that you will eventually
track down has something to do with IE security.

And that's because the Firefox people didn't want to have
to reproduce their own set of security preferences, instead
looking to the IE ones to be the user indication of
"system wide" behavior.

Paul

On Mon, 14 Sep 2015 14:09:14 +0200, "s|b" wrote:

On Mon, 14 Sep 2015 06:38:08 +0200, Steve Hayes wrote:

And there's no reason even to have Java installed any more. I don't
mean in IE, I mean on your computer.

Unless you want to use LibreOffice.

LO runs just fine without Java. (At least, for the things I use it for.)

Base doesn't.


--
Steve Hayes from Tshwane, South Africa
Web: http://www.khanya.org.za/stevesig.htm
Blog: http://khanya.wordpress.com
E-mail - see web page, or parse: shayes at dunelm full stop org full stop uk

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

| -extoff doesn't prevent loading of AX controls? Adobe Flash is an AX
| control. When I load IE with add-ons disabled, sites that want to use
| Flash will bitch that I must install Flash or they simply don't show
| their streamed media via Flash.
|
That makes sense, but most AX are not add-ons.

| Settings can exist in up to 8 locations. What you see in Internet
| options is HKCU\Software.....Zones\3 --
|
| That's where I change the IE setting via registry. I'm only changing
| settings for my account hence editing the HKCU hive, not with me
| interferring with settings that other users have set for themselves.
|

But as I explained below, your settings can be
overriden in a number of ways and you won't see
it in Internet Options. It doesn't have to be malware
doing it. IT people do it. Software could do it. I
imagine AOL probably did it in the old days when
the AOL browser was an IE wrapper.
If you're sharing your computer I guess you have
no choice but to stick with your personal settings.
I expect most people here have their own computer,
so it makes sense to keep track of HKLM.

In any case, I already detailed the issues. I know
that you know a lot about this and your rationales
make sense to me, at least up to a point. My overarching
point in detailing all those issues was simply to show
how absurdly unrealistic it is to *really* control how
IE works. If one has to use it then....that's that.
Otherwise, there's no reason to think of it as a
serviceable browser for online use. It simply isn't.

On 9/14/2015 12:52 PM, Beauregard T. Shagnasty wrote:
Jo-Anne wrote:

If I install PrefBar, will I need to uninstall NoScript?

No.

PrefBar gives you a toolbar with a (customizable) set of checkboxes that
allows you to control/enable or disable certain things. JavaScript,
colors, images, weird fonts, and more. It's very useful and I've had it
installed for many years.

http://prefbar.tuxfamily.org/


Thank you! I just installed it.

--
Jo-Anne

| With regard to some of the IE security settings mentioned,
| note that even Firefox will use some of the IE security settings.
|
Do you know what those are? I thought it was only
related to Local Machine Lockdown. I just started
up FF with regmon running and I don't see any
security settings being scanned.

On Mon, 14 Sep 2015 20:50:48 +0200, Steve Hayes wrote:

LO runs just fine without Java. (At least, for the things I use it for.)

Base doesn't.

That explains then; I don't use Base. Mostly Writer and Calc.

--
s|b

On Mon, 14 Sep 2015 13:02:11 +0000, Stormin' Norman wrote:

I did the other way around.
I uninstalled Java and waited for a program to tell it needed Java.

+1

+2

--
s|b

Mayayana wrote:
| With regard to some of the IE security settings mentioned,
| note that even Firefox will use some of the IE security settings.
|
Do you know what those are? I thought it was only
related to Local Machine Lockdown. I just started
up FF with regmon running and I don't see any
security settings being scanned.



There was some discussion about this a few years back,
and I didn't spend any time investigating what they did.

Here's an example.

https://support.mozilla.org/en-US/kb...ty-zone-policy

"This happens because Firefox honors your Windows security settings for
downloading applications and other potentially unsafe files from the
Internet.

You can reset your system Internet security settings in
Internet Explorer. See "How to reset Internet Explorer settings"
at Microsoft Support for instructions."

So that isn't all that much of an imported setting.

Paul

On Mon, 14 Sep 2015 00:05:47 -0500, Paul in Houston TX wrote:

Stan Brown wrote:
And there's no reason even to have Java installed any more. I don't
mean in IE, I mean on your computer.

http://www.howtogeek.com/122934/java...wful-its-time-
to-disable-it-and-heres-how/?PageSpeed=noscript

Unless you work remotely and have to VPN to the office.

I do, and I don't need Java. My company uses SonicWall's VPN
software.

--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://BrownMath.com/
http://OakRoadSystems.com/
Shikata ga nai...

On Mon, 14 Sep 2015 14:43:51 +0200, FredW wrote:
On Mon, 14 Sep 2015 08:35:31 -0400, "Mayayana"
wrote:
Anyone who has Java and decides to remove
it might do well to look first at why they installed
it in the first place. It could still be in use.


There are always exceptions to the rule, but that proves nothing.
Who knows exactly what software on his/her PC uses Java or not?

I did the other way around.
I uninstalled Java and waited for a program to tell it needed Java.
After over a year I am still waiting.

Well said! I did the same, and with the same result.

--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://BrownMath.com/
http://OakRoadSystems.com/
Shikata ga nai...

On Sun, 13 Sep 2015 11:20:30 -0500, Johnny wrote:

On Sun, 13 Sep 2015 11:14:05 -0500
Jo-Anne wrote:

Given what I've been reading about Javascript, I suspect it's
worthwhile to keep it turned off most of the time. Is there a
particular add-on in Firefox that works well? I found
JustDisableStuff but wondered if that's the best approach. And what
about in Internet Explorer? I mostly don't use that browser; but when
I can't print part of a webpage in Firefox (which has very poor
printing capability), I print from IE.


Try NoScript.

NoScript has stopped working, and Firefox will not allow me to install
it.

Has anyone else had this problem recently?


--
Steve Hayes from Tshwane, South Africa
Web: http://www.khanya.org.za/stevesig.htm
Blog: http://khanya.wordpress.com
E-mail - see web page, or parse: shayes at dunelm full stop org full stop uk

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

Steve Hayes wrote:

NoScript has stopped working, and Firefox will not allow me to install
it.

Don't know what "not allow me to install" means. One guess is that
Firefox is complaining the extension is not signed.

https://wiki.mozilla.org/Addons/Extension_Signing
http://www.ghacks.net/2015/04/26/moz...g-has-started/

Did you download the latest version of NoScript (instead of using
locally saved copy of the .xpi file) to ensure you are trying to install
a signed version of NoScript?

Did you try enabling the extension (if disabled), uninstalling it, and
then installing a recently downloaded newest version?

What happens if you go to about:addons, select Extensions, right-click
on NoScript, and select "Find updates"? Is NoScript enabled?

On Mon, 21 Sep 2015 06:12:51 -0500, VanguardLH wrote:

Steve Hayes wrote:

NoScript has stopped working, and Firefox will not allow me to install
it.

Don't know what "not allow me to install" means. One guess is that
Firefox is complaining the extension is not signed.

https://wiki.mozilla.org/Addons/Extension_Signing
http://www.ghacks.net/2015/04/26/moz...g-has-started/

Did you download the latest version of NoScript (instead of using
locally saved copy of the .xpi file) to ensure you are trying to install
a signed version of NoScript?

I went to noscript.net and clicked on the install button.

Got the message "Firefox prevented this site from asking you to
install software on on your computer."

I'm using Firefox 41.0

If I click on Add-ons it tels me that NoScript is incompatible with
Firefox 41.0 and shows it as disabled.








Did you try enabling the extension (if disabled), uninstalling it, and
then installing a recently downloaded newest version?

What happens if you go to about:addons, select Extensions, right-click
on NoScript, and select "Find updates"? Is NoScript enabled?

--
Steve Hayes from Tshwane, South Africa
Web: http://www.khanya.org.za/stevesig.htm
Blog: http://khanya.wordpress.com
E-mail - see web page, or parse: shayes at dunelm full stop org full stop uk

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

On 9/13/2015 9:14 AM, Jo-Anne wrote:
Given what I've been reading about Javascript, I suspect it's worthwhile
to keep it turned off most of the time. Is there a particular add-on in
Firefox that works well? I found JustDisableStuff but wondered if that's
the best approach. And what about in Internet Explorer? I mostly don't
use that browser; but when I can't print part of a webpage in Firefox
(which has very poor printing capability), I print from IE.


Note that at least two of the 17 extensions I have installed for my
browser require JavaScript to be enabled.

--
David E. Ross

Why do we tolerate political leaders who
spend more time belittling hungry children
than they do trying to fix the problem of
hunger? http://mazon.org/