Stupid Windows Tricks - Trusted Web Sites

This post is in a new category, "Spot the Sarcasm"; guess why.
Windows has a wonderful feature for Internet Explorer users called Trusted sites. Trusted sites are described as "Web sites that you trust not to damage your computer or data." Pretty straightforward, right?

But, as they say, the devil is in the details. Let's say you have a web application that lives at uses a central single sign-on service for authentication; let's call that Both and are listed in the Trusted sites zone for Internet Explorer.

If you now attempt to log into via, you get a security warning.


Considering it's Microsoft, I let a little slide. But this rates as one of the stupidest security errors I can think of. Let's break it down.

Both sites listed are on my Trusted sites list, a list I had to manually edit to add the sites. That means I spent time and effort to verify that the sites were trusted, find the zone, and then enter the sites. The warning states "If you don't trust the current Web page, choose No." Why would I ever choose No? Both sites have already been trusted. Both sites are obviously known to me. Why am I even given this dialog box?

Then, let's look at the dialog box. For "security", the focus is defaulted to No, the option I don't want 999,999 out of 1,000,000 times. It's also lacking, for security, a basic of standard dialog boxes: hotkeys. This one? No way. I have to either click Yes or arrow over to Yes. Dismissing the dialog results in.. ? Anyone, anyone? That's right, a 404 error; very intuitive to the average Internet Explorer user.
But let's think about what sites go on a Trusted site list, since Microsoft did not. It's highly likely that sites manually added to that list are put there because I a) trust them and b) go to them a lot. I want them on that list because that security zone is more open, allows more browsing freedom, maybe requires it for functionality (yes, Web apps use pop-ups). Why do I have to confirm every single visit to a "trusted" site, but not to any other random site not listed as a trusted site? Logically, if I don't trust a site, shouldn't I need to verify that I do, in fact, want to go there? (Note to IE team, please, for the love of God, don't implement this hypothetical.)

And, the best part of all? It is not optional for me or my team to use either IE or have our sites listed as Trusted sites. Our division administrators have placed both and in the Trusted sites list and Webapp requires IE for certain administrative functions.

To all our users, Firefox is supported (thank goodness); I would recommend it for you. To Microsoft, please hire more user experience engineers. When you see posts like "Deleting a Shortcut In Windows Vista Takes How Many Steps?" on Gizmodo, you have issues.


  1. So he comments, and then steals your post....Nice! Where are the internet police when you need them. Shouldn't they be hiding in those tubes somewhere?

  2. Thanks for reminding me... I deleted that comment. Damn thieves.

