Trevor Best wrote:
I don't know much about HTAs and DAPs ....
It seems so. Perhaps you could read:
http://msdn.microsoft.com/workshop/a...w.asp#Security
but David is not wrong about IE being insecure.
I agree. IE can be an insecure program with which to browse or interact
with the Internet. But when IE hosts an HTA it's not browsing or
interacting with the Internet. An executable which requires components
of IE is running; this executable (HTA) is no more and no less dangerous
than any other executable.
HTAs can be deployed as packages, over the web or in combination of the
two. Packages are my preferred deployment method. If you read this you
will note that IE does not have to connect to the Internet at all to run
a local HTA.
"The Package Model
In the package deployment model, the installation process for the HTA is
the same as for traditional applications. Files are copied from disk or
over a network, using any installer or self-extracting executable. The
installer places the application in the Program Files directory or in
the directory selected by the user. A link to the HTA is included in the
Start menu. And the application's dependency on Internet Explorer 5 or
greater is registered. This way the user is warned that uninstalling
Internet Explorer will disable that application. Look to tools vendors
for vehicles for packaging and delivering HTAs to your specifications.
Like the Web model, the package model has points in its favor. The user
is prompted only during the initial installation about trusting the
application; thereafter, the application runs as trusted code just as an
..exe does. Also, the installed HTA is always available to users, whether
they are connected to the server or not."
When a web manifestation of an HTA is run, all IE is connecting for is
to download the latest file update.
