In a previous page is a discussion of the advantages of a customized privacy file and instructions on how to install it. Here we will examine the structure and the elements contained in this type of file and how to construct one. It is then a simple matter for anyone interested to create a file tailored to their particular pattern of usage.

Basic structure and ideas contained in a privacy file

The structure of a privacy file uses the format of Extensible Markup Language (XML) and will be familiar to anyone who has seen an XML file before. It also has many similarities with the very familiar HTML. The ideas are sufficiently simple, however, that anyone can easily grasp the the way a customized privacy file can be constructed without any knowledge of XML. The Microsoft description is rather technical; it includes discussions of topics such as tokens that will probably be used only by the most dedicated privacy buffs. I will try to provide a description here aimed at average PC users.

I will describe the building up of a file in several stages. To begin, we need to put in the lines that will be the first two and last two lines in the file. This is the way to tell the system what kind of file it is and where it begins and ends. The first line is the element <MSIEPrivacy>. The last line is the element </MSIEPrivacy>. Note how brackets are used. The second line is <MSIEPrivacySettings formatVersion="6"> and the next-to-last line is </MSIEPrivacySettings>. Next we add lines that say that this is for cookie policy and specify which particular Internet Explorer security zone ("internet", "trustedSites") this policy applies to. For the Internet zone these two new lines read <p3pCookiePolicy zone="internet"> (third line in the file) and </p3pCookiePolicy> (third from last line). The table below will help keep track of the construction process.

Next, we establish actions for three types of cookie, first-party, third-party, and session. (Go here for a discussion of the different types.) There are five possible actions for first-party and third-party cookies but I will limit the discussion to the three actions "accept", "reject", and "forceSession". ("Prompt" is another possible action but that quickly becomes very tiresome.) The meaning of the first two actions is self-explanatory. The last action converts persistent cookies into session cookies and it is this capability that attracts me most to the use of a privacy file. Allowing session cookies themselves is governed by the entries "yes" or "no". The policies that I personally prefer are:

Force first-party cookies into session cookies. Allow session cookies.

This action prevents first-party cookies from being permanently downloaded but accepts them into temporary memory for as long as the browser is open. The entry in the privacy file is the line <firstParty noPolicyDefault="forceSession" noRuleDefault="forceSession" alwaysAllowSession="yes">. There must also be a closing line </firstParty>. If it is desired to allow first-party cookies to be downloaded to the hard drive, replace "forceSession" with "accept". To block completely, use "reject".

Block third-party cookies

Blocking is done with the file entry <thirdParty noPolicyDefault="reject" noRuleDefault="reject" alwaysAllowSession="no">. There must also be a closing line </thirdParty>. Some may prefer to accept third-party cookies but force them into session cookies. In that case, replace "reject" with "forceSession" and "no" with "yes"

The next table shows a file with all the entries that we have discussed so far. This version probably provides all the functions many average PC users need and its use is discussed on another page.

More possible elements for a privacy file

For more advanced use, there are functions in addition to what has been discussed so far. For example,the security zone "Trusted Sites" can be added to a privacy file. One caveat is that, under some circumstances, the presence of a zone other than the Internet may mean that a Registry edit is required if you wish to revert to the default settings.

Besides the section p3pCookiePolicy governing cookie policy for security zones, the MSIEPrivacySettings element can have three other sections or "children". Discussion is here. One that might be of interest is the element < flushCookies/>. This single entry will cause all existing cookies to be deleted when the file is imported.

In addition to cookie policy for general security zones. it is possible to have a section on managing cookies for specific Web sites. This section begins with <MSIESiteRules formatVersion="6"> and ends with </MSIESiteRules>. More details are at this Microsoft site.

The table below shows a schematic of a privacy file with some of these additional elements. An extensive discussion of privacy files is available at this site.