We have a component that uses a .NET WebBrowser control to display an html button. The button targets blank so that a new browser window will be opened when it is clicked, and the button also contains parameters to be passed to the target web page. One of the parameters is an encrypted value. When UAC is turned on, the encrypted value is not properly transferred to the web page, and therefore it does not work. When UAC is turned off, it works correctly.

The developer has researched this and discovered that it is related to how Internet Security handles cookies when UAC is turned on. She has also come up with a work-around, which is to add the target website to the Trusted Websites list.

So my question is this: Is it acceptable to programmatically add a value to the Trusted Websites list? The target website is PayPal, so it is a recognizable website. Also, if it isn't acceptable, what if we notified the user that we were performing this action so that it was not hidden/covert? I do not want our application to get flagged as malware due to this action, but the other work-arounds for this issue are considerably more costly.



Re: Is it ok to programmatically add websites to the Trusted Websites list?

John Sudds - MSFT

Is it possible? -- YES, and quite easy to do. Simply use IInternetSecurityManager::SetZoneMapping or write the key yourself to:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

The following article refers to Enhanced Security Configuration (ESC), but it applies equally to regular zone mappings.

Is it acceptable? -- That's a harder question to answer, and certainly one that is open to debate. I have known sites to add their own Trusted Sites during setup without so much as a single notification dialog. Do I feel a little cheated and wary when I eventually find out? You bet.

If you pop a notification during setup, users should have the option to deny your request. If this happens, you will need to explain how that choice affects the application's behavior. If you do not offer a choice, and users find a Trusted Site which they don't recognize as one they added personally, they might remove it--in which case your application will break without any explanation at all. Which scenario is more acceptable to you?
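
The following is an added example, not part of the original thread or any Microsoft sample: a read-only PowerShell audit of the registry key named in the answer, showing which sites the current user has mapped to Trusted Sites (zone 2) so that entries nobody recognizes can be reviewed. The function name `Get-ZoneMapping` and the `$Expected` allowlist are assumptions made for illustration.

```powershell
# Added example: list zone mappings under the key named in the answer (read-only).
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
                3 = 'Internet';    4 = 'Restricted Sites' }

function Get-ZoneMapping {   # hypothetical helper name
    param(
        [string]$Root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    )
    if (-not (Test-Path -LiteralPath $Root)) { return }
    $rootName = (Get-Item -LiteralPath $Root).Name
    # Each domain is a subkey; subdomains are child keys of the domain key.
    Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key   = $_
        $parts = $key.Name.Substring($rootName.Length + 1) -split '\\'
        [array]::Reverse($parts)              # "example.com\www" -> www.example.com
        $site  = $parts -join '.'
        # Value names are protocols (http, https, *); the DWORD data is the zone number.
        foreach ($protocol in $key.GetValueNames()) {
            $zone = $key.GetValue($protocol)
            if ($zone -isnot [int]) { continue }
            [pscustomobject]@{
                Site     = $site
                Protocol = $protocol
                Zone     = $zone
                ZoneName = $ZoneNames[$zone]
            }
        }
    }
}

# Assumed allowlist: sites the user or administrator knowingly added.
$Expected = @('paypal.com')

Get-ZoneMapping | Where-Object { $_.Zone -eq 2 } | ForEach-Object {
    $site  = $_.Site
    # Recognized if the site is an allowlisted domain or one of its subdomains.
    $known = [bool]($Expected | Where-Object { $site -eq $_ -or $site -like "*.$_" })
    $_ | Add-Member -NotePropertyName Recognized -NotePropertyValue $known -PassThru
} | Sort-Object Recognized, Site | Format-Table -AutoSize
```

Rows with `Recognized` set to `False` are the entries a user would not remember adding. Mappings stored outside this key are not covered; pass a different path with `-Root` to inspect them.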