How to Prevent Web Sites From Obtaining Access to the Contents of Your Windows Clipboard

Internet Explorer includes customizable security settings to help to prevent malicious Web site administrators that script the Microsoft Dynamic HTML (DHTML) Editing Component from obtaining access to your Windows clipboard data. By default, the High security level enables this protection in Internet Explorer 5 and later. By default, Internet Explorer 6 and some versions of Internet Explorer 5 use the High security level for the Restricted sites security zone. By default, Windows Server 2003 uses the High security level for both the Internet and Restricted sites security zones. This article describes how to help to prevent Web sites in the Internet, Local intranet, or Trusted sites zones from obtaining access to your Windows clipboard data by scripting the DHTML Editing Component.

Internet Explorer 5 includes the Microsoft DHTML Editing Component. In Internet Explorer 4, the component is available as a downloadable ActiveX control. Web authors and program developers can use the component to add HTML editing capabilities to their Web sites and programs. The editing component uses the Component Object Model (COM) technology by Microsoft to make editing services available, such as basic HTML formatting, tables, undo or redo, find, and absolute positioning.

To help to prevent Web sites in the Internet, Local intranet, or Trusted sites zones from obtaining access to your Windows clipboard data by scripting the DHTML Editing Component with Internet Explorer 5 or 6, change the appropriate zone security level to High or use a Custom level. To use a Custom level, use the appropriate method for your version of Internet Explorer.

Internet Explorer 5 and 6

1. In Control Panel, click Internet Options.
2. Click the Security tab.
3. Under Select a Web content zone to specify its security settings, click the zone where you want to prevent Web sites from accessing your clipboard.
4. Click Custom Level.
5. In the Scripting section, under Allow paste operations via script, click Prompt or Disable.
6. Click OK.

Note If you turn on the "Allow paste operations via script" feature, you receive the following security alert whenever a Web site tries to access to your Windows clipboard by using the DHTML Editing Component: Administrators can also adjust the default setting for this feature by using Group Policy or the Internet Explorer Administration Kit (IEAK).

Internet Explorer 4

If you have installed the DHTML Editing Component for Internet Explorer 4, you can help to prevent Web sites from viewing your clipboard data by selecting Prompt or Disable for Script ActiveX controls marked safe for scripting in the security settings for the appropriate zone. However, if you turn off this feature, Internet or intranet sites that use ActiveX controls may not work as expected. You can help to prevent Web sites in the Internet, Local intranet, or Trusted sites zones from obtaining access to your Windows clipboard data by scripting the DHTML Editing Component with Internet Explorer 4. To do so, use a Custom level for security:

1. In Control Panel, click Internet Options.
2. Click the Security tab.
3. Under Select a Web content zone to specify its security settings, click the zone where you want to prevent Web sites from accessing your clipboard.
4. Click Custom, and then click Settings.
5. Click Prompt or Disable for Script ActiveX controls marked safe for scripting, and then click OK.