What, if anything, can a WEB APPLICATION do from the SERVER side to delete temporary internet files in the CONTENT.IE5 "hidden" folder? And why don't large online banking sites take such measures?


  • I am having issues with the Internet Explorer behavior of leaving temporary internet files in a hidden folder called "CONTENT.IE5". This happens on versions through IE8. And when I say hidden, I mean truly hidden. This folder doesn't even show up when you deselect "hide protected files and folders" and select "show hidden files and folders" in Folder Settings. In order to see this folder, you need to type it in the address bar trailing the "Temporary Internet Files\" folder spec. So it appears that Microsoft is making an effort to keep this folder hidden and tucked away, but hackers of ill repute, and other people bent on stealing your secure information, know about this. Furthermore, even though the folder is so well hidden, the "Search for Files and Folders" finds and displays files in these CONTENT.IE5 folders and subfolders in result sets, adding yet another security vulnerability. I am looking at Windows XP machines.

    Sure, there are many things that you can do with your browser, such as set "delete temporary internet files when browser closes" in Internet Options, but that needs to be done by the CLIENT and you can't control clients. You can control large pockets of clients within a domain using Active Directory, but you can't control ALL the clients in the "great out there" on a grand scale unless you can control them from your web application itself.

    Absent these client-side precautions, any bank statement or other document you might not want others to see, that is generated by a web application running on a server, and handed back to Internet Explorer in a response, leaves its baggage behind in this folder, including bank statements and other confidential documents. I find this most prevalent with PDFs and XLS/CSV files (as these are handed off by IE to other programs, such as Adobe Reader and Excel, to display).

    My question is: what can a WEB APPLICATION do from the SERVER side to not leave temporary internet files in CONTENT.IE5? From what I know about client-server relationships, it is virtually impossible for a server to influence the deletion of files on a client after it has handed off the response to the browser. Yet some people in my organization swear up and down that their bank deletes their temporary internet files. I can't get my banks to do such a thing. I am a member of four banking institutions and do online business on credit card clearinghouse websites as well. SO IF SUCH PRECAUTIONS are available for a web application running on a secure server to affect the disposition of temporary internet files in this CONTENT.IE5 folder, then why wouldn't the Bank of America, for example, be employing such measures?

    I have an application that creates PDFs and other format files for display through a secure channel (https://), but there is this vulnerability of its droppings left behind in CONTENT.IE5. I am seriously thinking of limiting its use to non-Microsoft browsers (and controlling this through JavaScript code at the entry point).

    And finally, on that note: does IE have plans to store off its cache in less readable formats (proprietary cache) such as is done in Mozilla Firefox or Google Chrome? Does IE behave differently in this respect under Vista and Windows 7?

    Sunday, March 13, 2011 6:05 PM