Q: What is Microsoft Internet Explorer's cookie filtering feature?

A: Web browsers use cookies to maintain user information between different browsing sessions. Cookies can ensure you don't have to retype your address information each time you go to the same website. They're often used to let a browser remember user credentials and provide single sign-on (SSO). But cookies can also be used maliciously. Websites can leverage cookies to gather information on your browsing or online purchasing habits. This information can then be forwarded unnoticed to a third party on the Internet that leverages it, for example, for marketing purposes.

Thanks to cookie filtering, Internet Explorer (IE) lets users manage and control the cookies it downloads to its file system cache -- that is, the Temporary Internet Files folder. Even though cookie filtering is a security feature that allows IE users to have a more secure web browsing experience, the filtering and blocking of cookies can also have negative side effects on the usability of certain websites. Some sites can become unusable if they aren't allowed to set cookies. This problem is a good illustration of the classic dilemma of enforcing privacy and security versus enabling usability and access.

To better understand how IE filters cookies and how a user can influence the filtering behavior, you must understand the different cookie types a browser deals with. Browsers have to deal with persistent and session cookies, and first-party and third-party cookies.

  • A session cookie is a cookie that's deleted from the IE cookie cache when IE is closed; a persistent cookie can survive multiple browsing sessions: it's deleted only when the cookie reaches its predefined expiration time or when you explicitly delete it. By the way: To clear all cookies from the IE cookie cache, go to Tools, Internet Options, then click Delete in the Browsing History section on the General tab; on the Delete Browsing History dialog box, select the Cookies option.
  • A first-party cookie is a cookie that's set with the same domain (or subdomain) as the one that appears in your browser's address bar. A first-party cookie is created after you type a website's URL in the browser address bar or open a URL through a bookmark or search link. A third-party cookie, on the other hand, is a cookie that's set with a domain different from the one shown in your browser's address bar. A third-party cookie isn't created by the website you intentionally navigate to, but by a website that's linked to, for example, an advertisement, image, or icon that appears on a webpage.
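The two distinctions above (first-party versus third-party, session versus persistent) can be applied mechanically to a Set-Cookie header once you know the host in the address bar and the host that sent the response. The following Python is an added example written for this article, not code from IE or from the original text; its `site_of` helper is a deliberate simplification that treats the last two DNS labels as "the site" (real browsers consult the Public Suffix List), and the sample URLs and cookies are constructed.

```python
"""Classify a cookie as first- or third-party and session or persistent.

Added example, not code from the article: it models the two distinctions the
text draws, using the page's address-bar host and the host that set the cookie.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class CookieClass:
    name: str
    party: str     # "first-party" or "third-party"
    lifetime: str  # "session", "persistent" or "expired"


def site_of(host: str) -> str:
    """Assumption/simplification: the last two DNS labels identify the site,
    so www.example.com and shop.example.com are the same first party.
    Real browsers consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(page_url: str, setter_url: str, set_cookie: str,
             now: Optional[datetime] = None) -> CookieClass:
    now = now or datetime.now(timezone.utc)
    page_host = urlsplit(page_url).hostname or ""
    setter_host = urlsplit(setter_url).hostname or ""
    # First-party: same site as the address bar; third-party: any other site
    party = "first-party" if site_of(page_host) == site_of(setter_host) else "third-party"

    # Parse "name=value; Attr=val; Flag" into the name and a lower-cased attribute map
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    # Session unless the server gave an expiry; Max-Age takes precedence over Expires
    lifetime = "session"
    max_age = attrs.get("max-age")
    if max_age is not None and max_age.lstrip("-").isdigit():
        lifetime = "persistent" if int(max_age) > 0 else "expired"
    elif "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            expires = None  # unparsable date: treated as a session cookie
        if expires is not None:
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            lifetime = "persistent" if expires > now else "expired"
    return CookieClass(name, party, lifetime)


if __name__ == "__main__":
    # Constructed sample: a login cookie from the page itself and a tracking
    # pixel from another site embedded in the same page.
    page = "https://www.example.com/"
    for setter, header in [
        ("https://www.example.com/login", "sid=abc; Path=/; HttpOnly"),
        ("https://ads.tracker-net.test/px.gif", "uid=42; Max-Age=31536000; Path=/"),
    ]:
        print(classify(page, setter, header))
```

A cookie reported as third-party and persistent is exactly the kind the Medium slider setting blocks; a first-party session cookie is the kind most sites need to stay usable.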

IE gives you a visible sign if a particular website's cookies are blocked: a small crossed-out eye icon, which appears on the IE status bar at the bottom of the browser window, as Figure 1 shows. Double-clicking the icon brings up the Privacy Report dialog box, which summarizes the actions the browser has taken on cookies. You can bring up the same dialog box using the Safety, Webpage privacy policy menu option under the Tools button.

Figure 1: The blocked cookies icon in IE's status bar

Users can express their cookie-filtering preferences in IE based on the cookie type and based on the URL of the website that creates or sets a cookie on the user machine. You set your cookie-filtering preferences from the Privacy tab in IE's Internet Options dialog box, which Figure 2 shows.

Figure 2: The Privacy tab of IE's Internet Options dialog box

The slide bar lets you set the default IE cookie-filtering behavior for cookies that are set by websites that are categorized in the Internet security zone. The cookie-filtering slide bar defaults to the medium level, which means that IE will block third-party cookies and restrict first-party cookies under certain conditions -- for example, if no privacy policy has been defined for a given website.

The IE cookie-filtering settings you set from the Internet Options dialog box apply only to the cookies generated by websites that are classified in the Internet security zone. By default, the IE Platform for Privacy Preferences (P3P) agent accepts all cookies from websites that are classified in the Local Intranet, Trusted Sites, and Local Machine security zones and blocks all cookies of websites that are classified in the Restricted Sites security zone.

To override the IE default cookie-filtering behavior that's set with the slide bar illustrated in Figure 2 and to, for example, accept or block all third-party cookies, you can use Advanced Privacy Settings, which Figure 3 illustrates.

Figure 3: Setting cookie-handling options on the Advanced Privacy Settings dialog box

You access these settings by using the Advanced button on the Privacy tab. Note that Advanced Privacy Settings has a prompt option for handling cookies: If you enable this option, IE prompts you with a Privacy Alert each time a cookie is about to be downloaded to your machine. From the Privacy Alert dialog box, which Figure 4 shows, you can allow or block the cookie and view the cookie's properties and content. The latter option can be done by clicking the More Info button, which expands the Privacy Alert dialog box, shown in the right part of Figure 4.

Figure 4: Viewing cookie information on the Privacy Alert dialog box

I advise you to enable the prompt option, at least for a short time, simply to experience how often websites attempt to write cookies to your machine and to see the cookie properties.

You can also override the default IE cookie filtering by exempting certain websites. This exception means that you can always allow or block cookies written by certain websites, independent of the default cookie-filtering behavior that you set on the Privacy tab. To set up exceptions, click the Sites button on the Privacy tab to open the Per Site Privacy Actions dialog box. The site exceptions you define here are overridden if the default cookie-filtering behavior (i.e., the one you set by using the slide bar) is set to either Block All Cookies or Accept All Cookies.
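The precedence between security zones, the slider, the Advanced Privacy Settings override and the Per Site Privacy Actions exceptions is easy to get wrong when troubleshooting a site that "won't log in". The following Python is an added model of the rules as this article states them; it is not IE's own decision code. Two things are assumptions: the per-site list is checked before the advanced first/third-party override, and the Medium level is reduced to the two behaviors the text names (third-party blocked, first-party "restricted" when the site publishes no privacy policy). Only the Accept All, Medium and Block All slider positions are modeled, and all sample sites are constructed.

```python
"""Model of IE cookie-filtering precedence as described in the article.

Added example: a readable model of the text's rules, not IE's implementation.
Decisions are the strings "accept", "block", "restrict" or "prompt".
"""
from enum import Enum
from typing import Dict, Optional


class Zone(Enum):
    INTERNET = "Internet"
    LOCAL_INTRANET = "Local Intranet"
    TRUSTED_SITES = "Trusted Sites"
    LOCAL_MACHINE = "Local Machine"
    RESTRICTED_SITES = "Restricted Sites"


class Slider(Enum):
    ACCEPT_ALL = "Accept All Cookies"
    MEDIUM = "Medium"          # IE's default position
    BLOCK_ALL = "Block All Cookies"


def decide(zone: Zone, slider: Slider, third_party: bool, has_privacy_policy: bool,
           site_exceptions: Dict[str, str], advanced: Optional[Dict[str, str]] = None,
           site: str = "") -> str:
    """Return the action IE would take for one cookie.

    site_exceptions maps a site domain to "accept" or "block" (Per Site Privacy Actions).
    advanced, when given, maps "first-party"/"third-party" to "accept", "block" or
    "prompt" (the Advanced Privacy Settings override of automatic handling).
    """
    # 1. Privacy-tab settings only govern the Internet zone; the other zones
    #    have fixed behavior.
    if zone in (Zone.LOCAL_INTRANET, Zone.TRUSTED_SITES, Zone.LOCAL_MACHINE):
        return "accept"
    if zone is Zone.RESTRICTED_SITES:
        return "block"

    # 2. The two extreme slider positions win over per-site exceptions.
    if slider is Slider.BLOCK_ALL:
        return "block"
    if slider is Slider.ACCEPT_ALL:
        return "accept"

    # 3. Per-site exceptions override the default behavior for that site.
    #    (Assumption: checked before the advanced override.)
    if site in site_exceptions:
        return site_exceptions[site]

    # 4. Advanced Privacy Settings replace automatic handling when enabled.
    if advanced is not None:
        return advanced["third-party" if third_party else "first-party"]

    # 5. Medium default: block third-party cookies; restrict first-party cookies
    #    from sites that publish no privacy policy.
    if third_party:
        return "block"
    return "accept" if has_privacy_policy else "restrict"


if __name__ == "__main__":
    # Constructed scenario: a shop the user has blocked per-site, an ad host
    # with no exception, and a news site with and without a privacy policy.
    exceptions = {"shop.example": "block"}
    cases = [
        ("shop cookie, Medium", Zone.INTERNET, Slider.MEDIUM, False, True, "shop.example"),
        ("shop cookie, Accept All", Zone.INTERNET, Slider.ACCEPT_ALL, False, True, "shop.example"),
        ("ad pixel, Medium", Zone.INTERNET, Slider.MEDIUM, True, True, "ads.test"),
        ("news, no policy", Zone.INTERNET, Slider.MEDIUM, False, False, "news.test"),
        ("intranet app", Zone.LOCAL_INTRANET, Slider.BLOCK_ALL, False, False, "hr.corp.test"),
    ]
    for label, zone, slider, tp, policy, site in cases:
        print(f"{label:28} -> {decide(zone, slider, tp, policy, exceptions, site=site)}")
```

The second scenario in the demo is the one that trips people up: a per-site block for shop.example is silently ignored once the slider sits on Accept All Cookies, which is exactly the override the text describes.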

In Windows domain environments, administrators can also centrally enforce the IE cookie-filtering behavior on their users' desktops. To do so, use the following Group Policy Object (GPO) setting: User Configuration\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings. You can learn more about managing IE through Group Policy from Darren Mar-Elia's article "Managing Internet Explorer with Group Policy."