
HTML Forum

IE6 SP2 and local "security"
html and media from a CD

 11:18 pm on Oct 26, 2005 (gmt 0)

I'm hoping I don't just go into a rant right now -- my frustration level is pretty high, but I WILL be disciplined.

It's been a few years since I burned website data to a CD for distribution. But when a client requested this, because I'd done it before I had no reason for concern, right? Wrong! -- with SP2 the folks at Microsoft have really monkeyed around with "local security" on the IE browser. I guess the idea is to stop malicious programs from running AFTER they get on your machine. It takes two clicks to get past each and every warning.

At any rate, what happens is that you get a security warning any time there is javascript -- and that means even an "IE expression" in a CSS file. You also get a warning if you click a link to a local media file, or anything involving ActiveX in any way.

Microsoft has some extensive documentation here:

So my question now is how to burn some promotional CDs with a few hundred HTML files plus assorted media -- without scaring the recipients on every other click. I've uncovered a few answers, but I don't like any of them so far.

1. Tell your users to change their security settings. Right.

2. Tell your users to use a different browser. Right again.

3. Embed a local server on the CD. Well, I assume this will work, but I'm a bit at a loss for a product to use, and out of my depth technically at any rate. And I'm more than a bit ticked off that this solution might be necessary. I'm a marketer, not a true techie.

4. Use the "Mark Of The Web" on every HTML document. What is the MOTW, you ask? It's a comment tag placed right after the DTD, and it looks like this:

<!-- saved from url=(0014)about:internet -->

The key here is that the number in parens is the character count of the string (url) that follows it. Really. And it does work for javascript and embedded media, but links to other media types are still a no-go.

5. Put the html web content inside an iframe in a .hta file. OK, but other browsers then have trouble with autorun. And links to MP3 files, for instance, are just dead. And the hta interface doesn't seem to offer what a regular browser interface does -- like a back button.

For now, I'm going with the MOTW solution. I'm putting all the MP3 files into Flash movies and embedding those SWF files in a web page...and I think this will work OK for me. But what a huge PITA it has been. Before I learned about the MOTW, I already made a thousand small changes to eliminate javascript -- mostly informational pop-up pages and max-width workarounds...a workaround that only IE needs in the first place.

There, I didn't rant too much now, did I? If anyone has another approach, I'm all ears.
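An added example, not part of the original post: a small Python script that builds the Mark of the Web with the character count computed from the URL, inserts it right after the DTD of every HTML file under a folder, and checks that an existing mark's count matches its URL. The function names and the use of CRLF after the DTD are choices made for this example.

```python
import re
from pathlib import Path

# Matches an existing mark and captures the 4-digit count and the URL.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+)\s*-->", re.I)
DOCTYPE_RE = re.compile(r"<!DOCTYPE[^>]*>", re.I)

def motw_comment(url="about:internet"):
    """Build the comment; the number in parens is the length of the URL."""
    return "<!-- saved from url=(%04d)%s -->" % (len(url), url)

def check_motw(html):
    """None if there is no mark, True if count == len(url), else False."""
    m = MOTW_RE.search(html)
    if m is None:
        return None
    return int(m.group(1)) == len(m.group(2))

def add_motw(html, url="about:internet"):
    """Insert the mark right after the DTD, or at the top if there is no DTD."""
    if MOTW_RE.search(html):
        return html  # already marked: leave the file alone
    mark = motw_comment(url)
    m = DOCTYPE_RE.search(html)
    if m is None:
        return mark + "\r\n" + html
    # CRLF before the mark is this example's choice for Windows tooling.
    return html[:m.end()] + "\r\n" + mark + html[m.end():]

def mark_tree(root):
    """Mark every .htm/.html file under root; return the names changed."""
    changed = []
    for path in sorted(Path(root).rglob("*.htm*")):
        # latin-1 maps bytes 1:1, so the file round-trips unchanged
        # apart from the inserted ASCII comment.
        text = path.read_bytes().decode("latin-1")
        marked = add_motw(text)
        if marked != text:
            path.write_bytes(marked.encode("latin-1"))
            changed.append(path.name)
    return changed

if __name__ == "__main__":
    # Constructed sample page, not taken from the thread.
    sample = '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">\n<html></html>'
    print(add_motw(sample))
```

Run `mark_tree()` on a copy of the CD staging folder before burning; files that already carry a mark are skipped, so the script can be re-run safely.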



 12:07 pm on Oct 27, 2005 (gmt 0)

I suppose simply avoiding the "problem concepts," like javascript, etc., isn't an option? If not, I'd look into running the local server on the CD like you mentioned. I've never done that myself, but I've heard it's easy, and it sounds like less work overall than the "MOTW" solution.


 1:29 pm on Oct 27, 2005 (gmt 0)

It might be possible to put a copy of Opera or Firefox on the CD and arrange for autoplay to open the index page with that browser. It's not pretty, but it might be a viable alternative. Provided all the required DLLs, etc. are present on the CD (in the same directory as the browser .exe file) there is a good chance this will work.



 6:09 am on Oct 29, 2005 (gmt 0)

Thanks for the input, folks. If anyone has details on how to:

1. Run a server from the CD
2. Use autorun to launch a particular html file in the local browser

...then I would be a happy camper.

The MOTW is not that bad a solution, now that I've put all the MP3 files into swf files that I can put into the page. All I need to do is paste it into every html file, just after the DTD. That's pretty easy to do with Homesite. I still have a few media files to treat that way...we'll see. A deadline is rushing up on me.


 8:31 am on Oct 29, 2005 (gmt 0)

To autorun, try this link.
msdn [msdn.microsoft.com]



 1:10 pm on Oct 29, 2005 (gmt 0)

Untested, but this might be what you are looking for:

Server2Go [server2go-web.de] - a free web server on a CD, based on Apache. Includes Perl, PHP and MySQL.


 5:16 pm on Oct 29, 2005 (gmt 0)

What a thread!
I was asked the same question as Tedster.
I haven't looked yet at Encyclo's suggestion, but being on the PHP, MySQL side I will try that one first.

It can even be used to send a pre-beta not yet loaded on a pre-production server to a client.
That will do great, since not every client runs a local server.


 5:55 pm on Oct 29, 2005 (gmt 0)

Hi Tedster

Have you got a copy of Visual Basic or Delphi? The Webbrowser control (shdocvw.dll) doesn't have these security restrictions and just wraps Internet Explorer. Just create a form, drop the control on and whatever other controls you want (back, forward, refresh, url textbox - they can be hooked in to the relevant webbrowser method with a line of code each). You can even code the default for the home page to be your index html file.

You could knock up a little install program (but I think windows users already have this dll on their machine). Other things it could do is log errors such as Page not found.

I just knocked up a small browser in about 2 minutes to prove it worked. It also solved a little problem I had in testing some complicated javascript without uploading the page to a server, so thanks for the question.


 8:16 pm on Oct 29, 2005 (gmt 0)

Server2go looks pretty good -- thanks. I'm playing with it right now.

It's so frustrating to have gone part way down several different trails. And at present I'm banging into disk space limits on the CD -- looks like a video file may need to go if I embed the server. But at least it all looks doable by deadline.


 9:37 pm on Oct 29, 2005 (gmt 0)

tedster, I am interested in that solution.
Glad to see that it might work for you.
Would you please keep posting your findings?

PS) I am not that lazy; just not working under your time constraint :) .




 1:17 am on Nov 5, 2005 (gmt 0)

Putting that small server on the CD is the answer for me -- a slimmed down version of Apache with PHP and MySQL support. Thanks for the tip, encyclo.

My only trouble has been because I know diddly about servers. This is how I learned almost anything I know -- in the heat of battle instead of in the abstract -- so I guess this project is now my entrance into a bit of knowledge about Apache.


 12:14 pm on Nov 5, 2005 (gmt 0)

Re: space constraints, is there any way to precompress the html/css/js using gzip before you store it on the disc? All current browsers will be able to decompress it if the server tells them it's encoded in the header.


 4:24 pm on Nov 5, 2005 (gmt 0)

If the user is always going to be on windows you can use a .hta file, which has different local security (google it!).


 6:35 pm on Nov 5, 2005 (gmt 0)

I suspect that the actual text files (HTML and CSS) are not what make up the bulk of the contents of the CD, so gzip wouldn't be a huge help - the video files would be where the savings could be made, and they can only be compressed so much before the loss of quality is too great.

Dependent on whether the machines where the site will be demoed are reasonably modern, you could also build a data DVD rather than CD - DVD drives are more and more common now that they are pretty much a standard feature on new PCs from Dell, etc. so you could have one slimmed-down CD version and a full DVD version which can hold up to 4GB.


 8:14 pm on Nov 5, 2005 (gmt 0)

I tried an hta file, but the interface bothered me -- no Back Button in the hta GUI, for instance. It also proved problematic cross-browser using autorun to launch an hta, triggering security warnings in non-IE browsers. We know for certain this is not going to be a pure IE audience.

We also discussed the DVD possibility, but for our target audience, we feel we cannot count on a DVD drive, and in the final analysis, this is a marketing piece. Disk space has been OK -- we needed to drop one feature to make everything fit on a CD, but that file was really just a bit of fluff anyway.


 9:38 pm on Nov 5, 2005 (gmt 0)

If cross operating system autoruns are possible you could write a small app in visual studio and then include the free Mozilla Gecko embedded and activex control.


 7:08 pm on Dec 4, 2005 (gmt 0)

Here's a new thread - related problems with displaying shtml files locally in IE



 11:33 pm on Dec 4, 2005 (gmt 0)

Portable Firefox Live would work. It's 2000/XP-only at the moment, but an update is coming in the near future that will make it work across all versions of Windows and not require a batch file to run (it will all be self-contained in the launcher).


 11:34 pm on Dec 4, 2005 (gmt 0)

Regarding the missing controls in the hta interface, you could build them in html and place them on an index page and load the content into an iframe.


 12:42 am on Dec 5, 2005 (gmt 0)

I never really understood why some people can not live without the back button. If it's a real problem to some people, then why not place a back button on the pages, since the CD will only contain a demo of a website. It can be done in JavaScript, which can't be turned off, code is easily removable when final site is to be launched.

A really well-structured website should never IMHO be dependent on a back button. It sort of contradicts the much wanted "suck flow" of a website - as opposed to the "push flow" that might want some people to wish for a back button.


 4:25 am on Dec 5, 2005 (gmt 0)

I never really understood why some people can not live without the back button.

Two browser functions are among the very first that newbies learn -- and that "non-web-tech" people seem to rely on in the extreme. They are "click on the X to close" and "back button". It's my experience that messing with those functions severely limits the audience, and in this case I know the audience is only minimally tech-savvy.

It's just a fact of life that I had to accommodate with this project. But the embedded server is a great solution for this case. And though I am far from being Mr. Server Admin, I had no problems at all -- mostly because the default install pretty much handled everything I needed.


 12:28 pm on Dec 5, 2005 (gmt 0)

I am possibly pushing the limits hard :)

could you simply please, summarize
how you did it


 12:46 pm on Dec 5, 2005 (gmt 0)

even office discussion bar issue this problem
but looks stupid to me. why disable it by "default" and allow it again with tricks.
a hacker/cracker can sure use the trick to enable it by "default"


 5:11 pm on Dec 5, 2005 (gmt 0)

could you simply please, summarize how you did it

Sure. There's next to no support info on the server2go website -- but that's probably because, once I got into it, it was almost brain-dead simple. Even for a non-server guy like me.

I downloaded the server2go zip file and expanded it into a folder I called "cd". All the CD content goes into the htdocs directory (this mini-server is based on Apache). The unzipped file already contains an autorun file that launches the server itself when the CD is inserted, and then the server launches the default page from the CD.

There's also a config.ini file in the package that is well commented and easy to customize, if the default settings are not exactly to your taste.

Then I just burned the /cd/ folder -- all the server files including my content in the htdocs directory -- to a data CD. No trouble at all and it worked the first time.


 5:27 pm on Dec 5, 2005 (gmt 0)

One disadvantage with Server2Go (unless I misunderstand it completely) is that the CD becomes OS-specific (Windows-only). It is not therefore a good proposition if you need cross-platform compatibility.

Is it possible to have the site in the htdocs directory navigable without the server running? Obviously not for a database-driven site, but that means that the source code for the scripted pages is easily accessible, as is the entire database. I'm not sure I would use it for more than a 100% static site.


 5:37 pm on Dec 5, 2005 (gmt 0)

tedster thanks.

I think it would be fairly easy to protect scripts on the CD, although by all means I am no expert :)

Could you add a MySQL?

For demo a static might do fine
but I would love showing off my self edit capability
included with my builds.


 5:57 pm on Dec 5, 2005 (gmt 0)

One disadvantage with Server2Go (unless I misunderstand it completely) is that the CD becomes OS-specific (Windows-only). It is not therefore a good proposition if you need cross-platform compatibility.

Seems like you misunderstood it. :)

Server2Go can be configured in such a way that the CD actually becomes an OS in itself. Everything runs off the CD.


 11:03 am on Dec 6, 2005 (gmt 0)

Server2Go can be configured in such a way that the CD actually becomes an OS in itself. Everything runs off the CD

I am not sure that is a good idea in this case. Lots of people will have PCs set not to boot off CD.

It seems that the tricky security settings work well for MS in this case - in order to accommodate IE's behaviour, you have to make the CD Windows only.


 12:30 pm on Dec 6, 2005 (gmt 0)

Cross platform and booting from anywhere
does not sound like a problem
If it runs from the CD then it's WITHIN the CD
therefore booting is not an issue
we are not speaking about booting your own machine
but cranking on a very limited space which only operates by sending and receiving input from a browser
so unless I miss the point? ...well that can be true
we'll see!


 4:54 am on Dec 8, 2005 (gmt 0)

Cross platform and booting from anywhere
does not sound like a problem

From the Server2Go website

Using a web browser, a user can run php programs as well as view html files on the CD-ROM. He only need to insert a CD with Server2Go under the supported Windows operations systems.

It is not cross platform.

Although there are ways to produce a cross platform CD, the best you could do is to have it autostart for Windows, and have alternative executables for whatever other OSes you need.

I do not know whether Tedster needs cross platform, but that was not my point - my point is that MS have pushed him into a Windows only solution.
