Section 4: Configure, manage, and troubleshoot Internet Explorer
security settings (11 Questions)
QUESTION NO: 1
You are a help desk technician for TestKing. All employees use Windows XP
Professional computers connected to the company network. A user named Sandra
calls to report a problem with browsing the Internet. She says that she cannot use a
search engine to browse to www.testking.com.
To troubleshoot this issue you connect to Sandra's computer using Remote
Assistance. When you try to use the search engine, you receive the following
warning message: "You cannot send HTML forms." You try to use other search
engines but receive the same error message.
Sandra verifies that she is able to use the search engine to browse the company
intranet without problems.
You need to ensure that Sandra can use any search engine to browse the Internet
from her computer. What should you do?
A. Instruct Sandra to click the Search button on the Internet Explorer toolbar and then
type her search keywords in the form displayed by Internet Explorer.
B. Instruct Sandra to use https:// instead of http:// when typing the URLs for the search
engines.
Instruct Sandra to ensure that Internet Explorer displays a lock icon in its status bar
before she submits information in a form on a Web page.
C. On Sandra's computer, open the Security properties for Internet Explorer. Add
www.testking.com to the Trusted Sites list. Clear the Require server verification for all
sites in this zone check box.
Leading the way in IT testing and certification tools, www.testking.com
D. On Sandra's computer, open the Security properties for Internet Explorer.
In the security settings for the Internet zone, select the Submit non-encrypted form data
option.
Answer: C.
Explanation: The Trusted sites zone is intended for sites that we consider absolutely
safe. In our scenario the www.testking.com should be considered safe, since it is the
URL of the company. The Require server verification for all sites in this zone check
box specifies whether Internet Explorer verifies that the server for a Web site is
secure before connecting to any Web site in this zone. By clearing this option http
traffic would be allowed and https would not be required.
Incorrect Answers:
A: This is a security configuration problem. The user does not need to be instructed how
to perform the search - the procedure is correct.
B: It would be awkward for the users to type https://. It is better to clear the Require
server verification for all sites in this zone check box for the zone
www.treyresearch.com. This would allow http traffic.
D: This option is the default setting. No encrypted data would be needed to access the site
www.testking.com.
Reference:
Rick Wallace, MCSE (Exam 70-270) Microsoft XP Professional Training Kit, Microsoft
Press, Redmond, 2002, Chapter 13, Lesson 4
QUESTION NO: 2
You are a help desk technician for TestKing. All employees use Windows XP
Professional computers.
A user named Katherine reports that she cannot access the secure intranet Web site
at intranet.testking.com by using Internet Explorer. When she types
http://intranet.testking.com into the Internet Explorer address bar, an error message
reports that the digital certificate is not from a trusted source.
You confirm that the intranet Web server is using a digital certificate issued by your
company's Enterprise Certificate Authority. The Enterprise Certificate Authority is
located on a server named certificates.testking.com.
You need to ensure that Katherine can access the secure intranet Web site without
receiving an error message. What should you do?
A. Ask a network administrator to modify the properties for IIS on intranet.testking.com
and set the SSL port number to 443.
B. Ask your network administrator to create a Certificate Trust List (CTL) that includes
your Enterprise Certificate Authority. On Katherine's computer, open the Certificates
settings for Internet Explorer and import the CTL.
C. On Katherine's computer, open the security properties for Internet Explorer. Add
intranet.testking.com to the Trusted Sites list.
D. On Katherine's computer, open the Security properties for Internet Explorer. Open the
Trusted Sites dialog box, and select the Require server verification for all sites in this
zone check box.
E. On Katherine's computer, open Internet Explorer's list of certificates. Import a copy of
the certificate used by the intranet.testking.com server into Katherine's Trusted Publishers
certificates store.
Answer: E.
Explanation: The Internet Explorer Certificate Manager enables you to install and
remove trusted certificates for clients and CAs. Many CAs have their root
certificates already installed in Internet Explorer. You can select any of these
installed certificates as trusted CAs for client authentication, secure e-mail, or other
certificate purposes, such as code signing and time stamping. If a CA does not have
its root certificate in Internet Explorer, you can import it. Each CA's Web site
contains instructions that describe how to obtain the root certificate. To install or
remove clients and CAs from the list of trusted certificates click Internet Options on
the Tools menu, and then click the Content tab. Click Certificates and then click the
Trusted Publishers tab. To add other certificates to the list, click Import. The
Certificate Manager Import Wizard steps you through the process of adding a
certificate.
Incorrect Answers:
A: This is the default setting and so does not need to be changed.
B: You do not need to create a new list. You can add certificates to the existing list.
C: The Trusted sites zone is intended for sites that you consider absolutely safe. For the
most part, IE will accept just about any type of content from such sites, without
considering potential harm. The only exception is that users will be prompted before
downloading unsigned ActiveX controls or ActiveX controls that have not been marked
as safe. We want to avoid this prompting.
D: The Require server verification for all sites in this zone setting specifies whether
Internet Explorer should verify that the server for a Web site is secure before connecting
to any Web site in this zone. This setting does not concern digital certificates.
Reference:
Rick Wallace, MCSE (Exam 70-270) Microsoft XP Professional Training Kit, Microsoft
Press, Redmond, 2002, Chapter 13, Lesson 4
QUESTION NO: 3
You are a help desk technician for TestKing.com. All computers have Windows XP
Professional installed.
A user named Richard reports that he cannot access www.testking.com, an Internet
Web site, by using Internet Explorer. Whenever Richard types
http://www.testking.com into the Internet Explorer address bar, he receives the
ActiveX Controls."
Company policy states that users should download unsigned ActiveX controls only
from Internet Web sites that have been approved by the company's information
security department.
To troubleshoot this issue you verify that www.testking.com is listed as an approved
Web site. On Richard's computer, you also verify that Internet Explorer is
configured with the default settings.
You need to ensure that Richard can access www.testking.com without receiving an
error message. You also want to comply with company policy.
You need to configure Richard's computer. First, you open the Security properties
for Internet Explorer on Richard's computer.
Which two actions should you perform next? (Each correct answer presents part
of the solution. Choose two.)
A. Add www.testking.com to the Trusted Sites list.
B. Remove www.testking.com from the Restricted Sites list.
C. In the Internet zone settings, enable the Allow unsigned ActiveX control option.
D. Open the Local intranet sites dialog box and clear the
Include all network paths check box.
E. Open the Trusted Sites dialog box and clear the Require server verification for all sites
in this zone check box.
F. Open the Intranet Sites dialog box. In Advanced properties, add www.testking.com to
the list of Web sites.
Answer: A, E.
Explanation: The Trusted sites zone is intended for sites that you consider
absolutely safe. For the most part, Internet Explorer will accept just about any type
of content from such sites, without considering potential harm. The only exception is
that users will be prompted before downloading unsigned ActiveX controls or
ActiveX controls that have not been marked as safe.
The Require server verification for all sites in this zone check box specifies whether
Internet Explorer verifies that the server for a Web site is secure before connecting to any
Web site in this zone. By clearing this option http traffic would be allowed and https would
not be required.
Incorrect Answers:
B: www.testking.com has not been added to the Restricted Sites list. Unsigned drivers are
disabled by default in the Internet zone.
C: Enabling the Allow unsigned ActiveX control option in the Internet zone would
give access to www.testking.com but it would also allow downloading of unsigned
ActiveX controls from any Internet site. This would break company policy, which only
allows downloading of unsigned drivers from approved sites.
D: This is not a problem with a local intranet site. It is a problem with a public Internet
site.
F: The Intranet zone does not allow unsigned controls by default.
Reference:
Rick Wallace, MCSE (Exam 70-270) Microsoft XP Professional Training Kit, Microsoft
Press, Redmond, 2002, Chapter 13, Lesson 4
QUESTION NO: 4
You are a help desk technician for TestKing.com. Michael and Veronica, users in
your company's marketing department, use Windows XP Professional portable
computers.
Michael and Veronica use a Web-based Internet e-mail service. They connect to the
e-mail service through Internet Explorer. Michael reports that he is required to
provide a user name and password each time he accesses the Web site. However,
Veronica is not required to log on each time she accesses the Web site. The Web site
remembers Veronica's user name and password.
You need to configure Michael's computer so that the Web site can remember his
user name and password. How should you configure Internet Explorer on Michael's
computer?
A. Set the security level for the Internet zone to medium.
B. Set the privacy configuration for First party cookies to accept.
C. Modify the privacy configuration so that the Always allow session cookies check box
is selected.
D. Modify the security configuration so that the Internet e-mail Web site is included in
the Trusted Sites list.
Answer: B.
Explanation: A cookie is a text file that the Web site places on our hard disk. In this
case, the text file would contain the username and password. First-party cookies are
cookies that are associated with the host domain. Third-party cookies are cookies
from any other domain.
Incorrect Answers:
A: This would affect all the security settings. We only need to change one setting.
C: Session cookies are deleted when the user disconnects from the Web site. We need a
permanent cookie so the information is still there after we disconnect from the website.
D: This will not resolve the problem. The site needs to write a cookie to our hard disk.
Reference:
Rick Wallace, MCSE (Exam 70-270) Microsoft XP Professional Training Kit, Microsoft
Press, Redmond, 2002, Chapter 13, Lesson 4
QUESTION NO: 5
You are the administrator of 20 Windows XP Professional computers at a TestKing
branch office. All computers are members of a Windows 2000 domain. The domain
contains an enterprise certification authority (CA) that is used to issue Web server
certificates to the human resources (HR) department's intranet Web servers.
When users connect to the intranet Web servers at https://intra.hr.testking.com, the
Security Alert dialog box appears, as shown in the exhibit.
You want to ensure that the users can securely connect to the HR department's
intranet Web servers and that the Security Alert dialog box does not appear. What
should you do?
A. Add *.hr.contoso.com to the list of sites in the Local intranet zone.
B. Add the server certificate for intra.hr.contoso.com to the Trusted Publishers list.
C. Add the enterprise CA root certificate to the Trusted Root Certificate Authorities list.
D. Configure Internet Explorer to enable the Use TLS 1.0 option.
Answer: C
Explanation: The clients receive the certificate, but they don't trust the publisher of
the certificate. We should add the certificate of issuing CA, the CA root certificate,
to the Trusted Root Certificate Authorities list.
Incorrect Answers:
A:
Adding the domain to the Local intranet zone would set the security level for this
Internet domain. It would not, however, remove the Security Alert dialog box. The clients
must be configured to trust the Certificate Authority.
B: First the certifying authority must be trusted. The server for intra.hr.contoso.com is a
Web server, not a Certificate Authority.
D: The clients must be configured to trust the Certificate Authority. This is not achieved
by enabling the Use TLS 1.0 option. TLS 1.0 is a communication protocol, and it is not
involved in security.
Reference:
Rick Wallace, MCSE (Exam 70-270) Microsoft XP Professional Training Kit, Microsoft
Press, Redmond, 2002, Chapter 13, Lesson 4
QUESTION NO: 6
You are the administrator of 300 Windows XP Professional computers. All
computers are members of a Windows 2000 domain and are connected to the
company network.
A user named Andrea reports that when she attempts to place an online order at
https://www.testking.com/sales, she receives the dialog box that is shown in the
Security Alert exhibit.
When you connect to https://www.testking.com/sales from other Windows XP
Professional computers, you do not receive an error message.
You verify that Andrea correctly typed the address of the Web site. The security
certificate that was returned from the Web site to Andrea's computer is shown in
the Certificate exhibit.
You want to ensure that Andrea can securely place an online order at
https://www.testking.com/sales without receiving an error message stating that the
security certificate and the site name do not match. What should you do?
A. Use the Certificate Import Wizard to install the certificate in the certificate store.
B. Configure Internet Explorer to enable the Check for server certificate revocation
option.
C. Configure Internet Explorer to add www.testking.com to the list of sites in the Trusted
sites zone.
D. Update the Hosts file on Andrea's computer. Use virus-detection software to check for
Trojan horse applications that might have changed the Hosts file.
Answer: B
Explanation: Entrust.net's Certificate Revocation List (CRL) is a list of every Web
server certificate that has been revoked. Revoked Web server certificates are no
longer trusted for a variety of reasons (for example, the private key has been lost or
compromised). Modern browsers will automatically check a CA's CRL to determine
if a Web server certificate is trustworthy. Without such a capability, it is not
possible to maintain a trustworthy networking environment. The first exhibit shows
that the security certificate is from a trusted certifying authority, but that the name of
the security certificate is invalid or does not match the name of the site. The second
exhibit shows that the Canonical Name (CN) is incorrectly set to warez.cpandl.com
instead of the correct www.contoso.com. Clearly this certificate should not be
trusted. We should make Internet Explorer check whether certificates have already been
revoked. We must enable the Check for server certificate revocation option.
Incorrect Answers:
A: The second exhibit shows that the certificate is not trustworthy. The
Canonical Name, warez.cpandl.com, and the O=Contoso fake site is a clear indication of
this. We should not use this certificate.
C:
trusted.
D: The Hosts file contains host name to IP address mappings. This is not a name
resolution problem. The problem is the fake certificate.
Reference:
Rick Wallace, MCSE (Exam 70-270) Microsoft XP Professional Training Kit, Microsoft
Press, Redmond, 2002, Chapter 13, Lesson 4
What are the benefits of Entrust.net's Web server certificate service?
QUESTION NO: 7
You are the administrator of 20 Windows XP Professional computers. The
computers are members of a Windows 2000 domain and are used by your
company's Web developers.
For testing purposes, the Web developers access the intranet servers by using the IP
addresses. The Web developers report that they can access the company's intranet
Web servers successfully when they use short DNS names such as http://intra and
http://testkinginfo. However, when they attempt to access the intranet servers by
using the corresponding IP addresses, such as http://10.65.1.2 and http://10.65.1.7,
they cannot download ActiveX components or execute scripts from the intranet
servers.
There is no firewall between the intranet servers and the Windows XP Professional
computers that are used by the Web developers and the IP addresses of the intranet
servers are in the 10.65.1.0/24 address range.
You want to ensure that the Web developers can download ActiveX components and
execute scripts when they access the intranet servers by using the IP addresses. You
do not want to change the current settings for ActiveX components and scripts for
Internet Explorer security zones.
What should you do?
A. Add the 1.65.10.in-addr.arpa reverse zone to the DNS server on the company network.
B. Add 10.65.1.* to the list of sites in the Local intranet zone.
C. Configure the Internet Explorer LAN connection settings to disable the Bypass proxy
server for local addresses option.
D. Configure the Local intranet zone to disable the Include all local (intranet) sites not
listed in other zones option.
Answer: B
Explanation: A security setting prevents the downloading of ActiveX components
and the execution of scripts when IP addresses are used. We solve this problem by
explicitly adding the Web site to the Local intranet (see below). Local intranet sites
are considered to be trusted and ActiveX components would be downloaded and
scripts would execute.
QUESTION NO: 8
Your workstation is a member of a Windows 2000 domain that contains an
enterprise certification authority (CA). You use your computer mainly to connect to
the Internet.
Six months ago, you paid for online computer support services from a support
company. The support company's Web site is at https://www.testking.com. Now you
attempt to connect to the Web site again to use the support service. Before the Web
page is displayed, you receive a dialog box. The message in the dialog box asks you
to select a certificate to use when you connect. However the list of certificates that is
shown in the dialog box is empty. You cannot select a certificate and you cannot
connect to the company's Web page.
In Internet Explorer, you open the Internet Options dialog box and check
Certificates. Several personal certificates appear in the Advanced Purposes list.
You want to be able to connect to the support company's Web site at
https://www.testking.com. What should you do?
A. Configure Internet Explorer to enable the Use TLS 1.0 option.
B. Add the server certificate for www.testking.com to the Trusted Publishers list.
C. Contact the support company to obtain a certificate and add the certificate to the list of
personal certificates.
D. Request a user certificate from the enterprise CA.
E. Change the security settings of the Internet zone to enable the Anonymous logon
option.
Answer: C
Explanation: We need to provide a valid certificate to be able to access the support
site. We should ask the support company to provide us with an appropriate
certificate.
Note: Secure Sockets Layer (SSL) uses certificates for authentication.
QUESTION NO: 9
Exhibit:
In your work at TestKing you use a Windows XP Professional portable computer.
When you are traveling, you often dial in to the Internet to connect to TestKing's
network.
TestKing has a policy that prohibits Web sites that do not have a Platform for
Privacy Preferences (P3P) privacy policy from saving cookies on employees'
computers. Web sites that do have a P3P policy are allowed to save cookies. You
configure Internet Explorer in your computer to comply with TestKing policy.
After you make this configuration change, you receive a Privacy dialog box when
you visit Web sites that do not comply with TestKing policy. The Privacy dialog box
is shown in the exhibit.
However, you notice that these Web sites still welcome you based on personalized
information. The Restricted Web sites list in the privacy reports lists blocked
cookies for these Web sites.
You want to ensure that Web sites that do not comply with TestKing.com's policy
cannot track your access to their Web sites.
What should you do?
A. Change the Privacy setting to High.
B. Change the Advanced Privacy setting to block cookies for first-party and third-party
cookies.
C. Change the Temporary Internet Files setting to check for newer versions of stored
pages every time you start Internet Explorer.
D. Delete existing cookies that you received from the noncompliant Web sites.
Answer: D
Explanation: The web sites are able to welcome you based on personalized
information because their cookies already exist on your computer from previous
visits to the sites. To prevent this, you need to delete your existing cookies.
Incorrect Answers:
A: The Privacy setting will not affect existing cookies. It will only block new cookies.
B: This will block new cookies. It won't affect the existing cookies.
C: This will check for newer versions of cached web pages. It will not affect existing
cookies.
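How P3P works: a user who obtains P3P software can set his or her personal privacy preferences in the software's options. The software's default setting is to deny access to a site, or to alert the user, whenever any Web site collects or sells personal online information. Once configured, the software runs together with the user's browser. Each visited site sends a proposal, in some machine-readable form, to the user's computer; this proposal covers the personal privacy information that the site requires the user to provide and how that information will be handled. If the site's information-collection practices match the standards set in the user's P3P preferences, the agreement on personal privacy information between the two is concluded automatically and the user can browse the site without hindrance. If they do not match, P3P alerts the user in a simple traffic-light fashion, and the user must quickly decide whether to modify his or her own privacy policy in order to enter the site. This usually takes the form of a dialog box, which is intended to make the choice easy for the user.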
QUESTION NO: 10
You are a helpdesk technician at TestKing.
A user calls in to report that whenever she visits certain Internet Web sites,
additional Web browser windows open automatically.
The user's computer is installed with Windows XP Professional with Service Pack 2
(SP2) and she uses Microsoft Internet Explorer as her only browser.
You need to prevent additional windows from opening automatically when the user
visits a Web site. You want to accomplish this as quickly as possible and with the
minimum number of changes to the user's computer.
What should you do?
A. Configure Internet Explorer to reject cookies from Web sites.
B. Configure Internet Explorer to block pop-up windows.
C. Configure Windows Firewall to block inbound traffic from TCP port 80.
D. Configure Windows Security Center to not display antivirus and firewall warning.
Answer: B
Explanation: The question states that "A user reports that whenever she visits
certain Internet Web sites, additional Web browser windows open automatically".
These additional web browser windows are known as pop-up windows.
Windows XP Service Pack 2 adds some new functionality to Internet Explorer. One of
the new functions is a 'pop-up blocker'. Therefore, to prevent the pop-up windows, we
simply need to enable the pop-up blocker in Internet Explorer.
Incorrect Answers:
A: Blocking cookies will not prevent the pop-up windows.
C: Blocking port 80 will not prevent the pop-up windows. It would just block access to
the http service running on the local computer.
D: The pop-up windows are web browser windows, not security messages from the
Windows Security Center.
block pop-up windows: prevent pop-up windows from opening
QUESTION NO: 11
You are the desktop administrator for TestKing. A user reports that she is having
problems with using her new Bluetooth wireless headset with her Bluetooth-enabled
Windows XP Professional computer.
You verify that other Bluetooth devices work correctly with her computer. You
discover that the user's computer is unable to detect the new headset. You follow the
headset manufacturer's directions and ensure that the headset power is turned on
correctly for normal operation.
You need to ensure that the user can use the new headset with her computer. What
should you do?
A. Put the headset in discovery mode.
B. Put the user's computer in discovery mode.
C. Join the computer to a Bluetooth Personal Area Network (PAN).
D. Disable and then re-enable the Bluetooth software on the user's computer.
Answer: B
Explanation: This problem may occur if the discovery option is turned off on a
Windows XP Service Pack 2-based computer that has Bluetooth support. By
default, the discovery option is turned off so that the Windows XP-based computer
cannot be discovered by a Bluetooth-connected device without your knowledge or
consent. To work around this problem, you must turn on the discovery option in
Bluetooth on Windows XP Service Pack 2.
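Discovery mode: the method by which an AppleTalk protocol interface obtains information about a connected network from an operating node and uses that information to configure itself. It is also called dynamic configuration.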