Internet Explorer 7 and Windows Vista Intranet security settings for local integrated Windows security sites

More security is a good thing. At least until it starts to cause you pain and suffering, and then it is easy to either decide that more security is bad or that the software that is providing you better security is bad. But the fact is, more security is a good thing, and you will be better off if you learn how to exist in that more constrained world rather than live free and unprotected. Gosh, that started to sound like a pro-Bush restriction of freedoms post… let's get back to the tech quick.

The biggest pain points in adopting Windows Vista are usually due to non-existent, incompatible, or poorly written drivers. This is not Microsoft’s fault, but the hardware vendor’s fault. The next one that hits you in the face after you get past your driver pain is the fact that Microsoft is getting smarter and smarter (and more protective of you and your machine) with each new software product they put out. IE7 and Windows Vista definitely fall into this realm.

If your machine is set up as a standalone machine, or as part of a workgroup network (i.e. most home users), there is a subtle little security setting in IE7 that may cause you pain and suffering as a developer as you migrate to IE7 or Windows Vista.

Specifically, you may get prompted for credentials when accessing a local machine virtual directory when you think you have integrated authentication enabled and you shouldn’t be prompted.

To explain why this occurs and how to fix it, let's first quickly recap life as we knew it in Windows XP and Server 2003 prior to IE7.

If you are working with web projects from your local machine, you will likely be creating virtual directories or IIS applications on your local install of IIS.

Turning On Integrated Windows Authentication in IIS

On XP, if you set the security settings for the site with Integrated Windows Security enabled and Anonymous Access disabled (see figure below), then when you browse to that local site from IE on the local machine, Windows automatically negotiates authentication between the browser and IIS and passes your logged in user credentials to the server (which is on the same machine), and you are let into the site or page (assuming your user account has ACL access to the underlying folders/files). In other words – integrated security does its job behind the scenes and you don’t get prompted for credentials, but you are accessing the site with your logged in user credentials.

XP-VDIR-SecuritySettings

On Windows Vista, the security settings on the site are a little different, but basically mean the same thing. The corresponding authentication settings for Vista/IIS7 are shown in the figure below. Specifically, set Anonymous Authentication to Disabled, and Windows Authentication to Enabled.

Vista-VDIR-AuthSettings

IE7 Intranet Security Settings

If you are configured as a workgroup from a network perspective, when you first try to access a localhost web site, you might (or more importantly might not) notice an information bar at the top of IE telling you that Internet security settings are being applied to the Intranet zone by default. It gives you an opportunity to click on the info bar and revert to Intranet settings if you like. If you don't, after a certain number of prompts (I don't know how many; it may just be once), it will stop telling you that.

The issue is that IE will set the Intranet zone security to automatically detect the network. However, depending on your connectivity, network setup, and possibly the celestial alignment of Jupiter and Venus, it will not detect that localhost is in fact in the Intranet zone. In a Windows domain this should not be a problem, but standalone it definitely is.

Because it can’t tell that localhost is in fact local intranet, it plays it safe and applies internet zone security to the site. And with the default security settings, automatic authentication through Windows is disabled in the internet zone. Thus the prompt for credentials when you hit your localhost site through the browser.

The Fix

The fix is quite simple… just hard to find unless you are a psychic or know super brilliant people like Chris Kinsman or Kate Gregory.

To get back to behavior like you are used to on your retro XP box, go into IE Internet Options, Security tab. Select the Local Intranet zone, and press the Sites button (see below).

IE7 Security Settings

In the popup (see below), uncheck the “Automatically detect intranet network” box and make sure the three child check boxes are checked. Click OK and you should be back to integrated security as you know and love it.

IE7 Local Intranet Zone Sites settings
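As an added example (not from the original post), here is a PowerShell script that reads the per-user registry values behind those checkboxes and the zone logon actions, reports whether localhost is likely to be treated as Internet zone, and can apply the same fix. The value names under ZoneMap and the 1A00 logon codes are assumptions based on how IE persists these dialogs; verify them on your own machine before relying on the script.

```powershell
# Added example, not from the original post. Audits the IE7 zone-detection
# settings the post's fix changes and optionally applies that fix.
# Assumed registry locations: "Automatically detect intranet network" =
# ZoneMap\AutoDetect; the three child boxes = UNCAsIntranet, IntranetName,
# ProxyBypass. Zones\1 = Local Intranet, Zones\3 = Internet (per-user hive).
param([switch]$Fix)

$base         = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneMap      = "$base\ZoneMap"
$intranetZone = "$base\Zones\1"
$internetZone = "$base\Zones\3"

# Read a DWORD, returning a default when the value is absent (IE treats a
# missing value as the built-in default, so the script does the same).
function Get-RegDword($path, $name, $default) {
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $default } else { return [int]$item.$name }
}

$childNames = 'UNCAsIntranet', 'IntranetName', 'ProxyBypass'
$autoDetect = Get-RegDword $zoneMap 'AutoDetect' 1
$children   = @{}
foreach ($n in $childNames) { $children[$n] = Get-RegDword $zoneMap $n 1 }

# 1A00 is the zone's "Logon" action. Assumed code meanings: 0x00000 = automatic
# logon with current credentials, 0x10000 = prompt for credentials,
# 0x20000 = automatic logon only in Intranet zone, 0x30000 = anonymous.
$logonNames    = @{ 0 = 'automatic'; 0x10000 = 'prompt'; 0x20000 = 'intranet-only'; 0x30000 = 'anonymous' }
$intranetLogon = Get-RegDword $intranetZone '1A00' 0x20000
$internetLogon = Get-RegDword $internetZone '1A00' 0x20000
function Describe-Logon($code) { if ($logonNames.ContainsKey($code)) { $logonNames[$code] } else { "unknown (0x{0:X})" -f $code } }

"AutoDetect intranet network : $autoDetect"
foreach ($n in $childNames) { "  $n : $($children[$n])" }
"Intranet zone logon (1A00)  : $(Describe-Logon $intranetLogon)"
"Internet zone logon (1A00)  : $(Describe-Logon $internetLogon)"

# The symptom from the post: auto-detect fails to place localhost in the
# Intranet zone, so Internet-zone logon rules apply and IE prompts.
if ($autoDetect -eq 1 -and $internetLogon -ne 0) {
    'Localhost may be classified as Internet zone, where automatic Windows logon is off: expect a credential prompt.'
}

if ($Fix) {
    # Mirror the dialog fix: uncheck auto-detect, keep the three child boxes checked.
    Set-ItemProperty -Path $zoneMap -Name 'AutoDetect' -Value 0 -Type DWord
    foreach ($n in $childNames) { Set-ItemProperty -Path $zoneMap -Name $n -Value 1 -Type DWord }
    'Applied. Restart IE for the change to take effect.'
}
```

Run it without `-Fix` first to see the current state; the script only writes the per-user ZoneMap values and does not touch the zone logon actions themselves.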