With a recent update to IE (not sure if it was IE7 or earlier), browsing to an XML file without a stylesheet on a local drive now gives a security warning.  The cause of this is the little bit of script generated by the default stylesheet to make the + and - collapsing behavior work.  Of course, for IE to warn it’s users against script that it ships itself seems rather kookoo, let’s hope they fix this oversight soon.

You can "Click here for options…" including allowing the script to run, but honestly that’s just too much work when you just want a quick view of the XML.  At the WSDL 2.0 Interop Event, others were complaining about this behavior too, and wondered how to turn it off globally.  So I got around to looking for a method.

What I found is in the Advanced tab of Internet Options - the "Allow active content to run in files on My Computer" option.  By selecting this option, clicking OK, and then closing all your browser windows, you can open local XML files without the annoying warning.

Of course, this is a pretty lame workaround, because not only allowing IE access to it’s own internal organs, so to speak, this option also has the potential to allow real security violations - such as attacks that might run by tricking the user to download a web page to their local drive and then open it from there - the useful warnings against Active content might be quite valuable.

Let’s hope IE get’s a little smarter about detecting what’s harmful and what’s not.