Skip to main content

Stupid Windows Tricks - Trusted Web Sites

This post is in a new category, "Spot the Sarcasm"; guess why.
Windows has a wonderful feature for Internet Explorer users called Trusted sites. Trusted sites are described as "Web sites that you trust not to damage your computer or data." Pretty straightforward, right?

But, as they say, the devil is in the details. Let's say you have a web application that lives at uses a central single-signon service for authentication; let's call that Both and are listed in the Trusted sites zone for Internet Explorer.

If you now attempt to log into via, you get a security warning.


Considering it's Microsoft, I let a little slide. But this rates as one of the stupidest security errors I can think of. Let's break it down.

Both sites listed are on my Trusted sites list, a list I had to manually edit to add the sites. That means I spent time and effort to verify that the sites were trusted, find the zone, and then enter the sites. The warning states "If you don't trust the current Web page, choose No." Why would I ever choose No? Both sites have already been trusted. Both sites are obviously known to me. Why am I even given this dialog box?

Then, let's look at the dialog box. For "security", the focus is defaulted to No, the option I don't want 999,999 out of 1,000,000 times. It's also lacking, for security, a basic of standard dialog boxes: hotkeys. This one? No way. I have to either click Yes or arrow over to Yes. Dismissing the dialog results in.. ? Anyone, anyone? That's right, a 404 error; very intuitive to the average Internet Explorer user.
But let's think about what sites go on a Trusted site list, since Microsoft did not. It's highly likely that sites manually added to that list are put there because I a) trust them and b) go to them a lot. I want them on that list because that security zone is more open, allows more browsing freedom, maybe requires it for functionality (yes, Web apps use pop-ups). Why do I have to confirm every single visit to a "trusted" site, but not to any other random site not listed as a trusted site? Logically, if I don't trust a site, shouldn't I need to verify that I do, in fact, want to go there? (Note to IE team, please, for the love of God, don't implement this hypothetical.)

And, the best part of all? It is not optional for me or my team to use either IE or have our sites listed as Trusted sites. Our division administrators have placed both and in the Trusted sites list and Webapp requires IE for certain administrative functions.

To all our users, Firefox is supported (thank goodness); I would recommend it for you. To Microsoft, please hire more user experience engineers. When you see posts like "Deleting a Shortcut In Windows Vista Takes How Many Steps?" on Gizmodo, you have issues.


  1. So he comments, and then steals your post....Nice! Where are the internet police when you need them. Shouldn't they be hiding in those tubes somewhere?

  2. Thanks for reminding me... I deleted that comment. Damn thieves.


Post a Comment

Popular posts from this blog

Happy Retirement Pat Sweeny!

In a previous life, I was an active member of the West Michigan Shores Chapter of the STC. I met a lot of really cool people there and learned a lot about what it meant to be not just a technical writer, but more about how technical writers can break out of the mold and accomplish things.

One of the people who did that was Pat Sweeny. Pat is (or was, by this point) the President and owner of The Bishop Company, a contract do-it-all house; they document, streamline and illustrate your process, and they do it damn well. Pat was one of the first people in that chapter to "get it", which is to say, he and his company understand that technical writing isn't going to be a department for very much longer, it's going to be a business.

He had the foresight to actually make it a business, but he also had something else. Pat was forever trying to better those around him. He would come to meetings (which was a big step beyond most people) and teach you things. Or he would come to …

Google Inbox: A classic Google product

My work domain (an EDU) recently had Google Inbox enabled so I had a good chance to try it out. My personal email is relatively quiet and, I believe, doesn't provide a good Inbox experience. Work is more active and requires actual management, something I've tossed many a tool at over the years. As part of my work life, I supported the Google Apps for EDU installation here and took a pretty extensive presentation to campus about how to manage large amounts of email.

Inbox is a classic Google product: the distillation of a number of excellent ideas into a set of half-complete features built for a use case most people don't meet. We've seen this in the past in products like ChromeVox, Google's Chrome extension for accessibility. ChromeVox works great on ChromeOS devices, but completely ignores the point that most users of accessibility tech (AT) don't have or want ChromeOS devices and come to services with their AT in tow. ChromeVox also ignores decades of convent…


Evernote, for better or worse, is the best note-taking service for my needs. It works across all my devices/computers/modes. It's fairly easy to get stuff into it. Hell, they even have 2-Factor authentication. The Windows app is a little clunky and my girlfriend and I have never been able to get shared notes to work properly (conflicted note! three times in the same grocery trip!), but what service is perfect? At least they have nice socks.

Everything, in fact, is pretty good as long as you don't screw up. And screw up I did. I'm not very regular about making backups, but I do make them every month or so. Once you figure out how to create a backup, that is.

There's a helpful Export Note option (which turns into Export Notes when you select multiple notes HINT). The export process is essentially opening All Notes, selecting every note, and then choosing Export Notes. Or something like that; Evernote never tells you, you're left to figure it out on your own. The file…