This is yet another attempt to imagine a user interface that lets the user gain the advantages that these pages claim for a capability based system. What concepts must the user entertain and how are they presented? We begin with a graded sequence of expectations that might seem plausible for a user of a conventional system.
We start from the browser interface for that is now suitable common denominator across nearly all systems.
When a user enters an URL or follows a link there is no expectation of privacy. The web server will know and probably count the delivery of the page. There may be a limited degree of anonymity as the web site sees only the IP address of the browser. (There are services that claim to provide anonymous browsing.) This is enough probably for the web-site to discriminate geographically in responding. I wonder if web servers for political candidates present the same face to localities? Browsers generally allow the user some crude control over web sites leaving cookies behind which allow the site to leave notes to itself so that the site will know of a browser what it knew on a previous visit of that browser to that site.
Browser plug-ins and helper applications extend the ramifications of clicking on a link. Presumably the user has wisely chosen what applications and plug-ins are allowed to claim content delivered upon clicking on some link. I think, however, that few users know how to examine or modify the lists of apps or plug-ins. The working assumption seems to be that if an app is installed then it is to be trusted to open any document claiming to be in the app’s format. Just before a web server delivers an MS Word document it announces it as “Content-Type: application/MSWORD”. Neither Safari nor MSIE open such a document automatically. Safari gives the user an preference option to automatically open a certain class of presumably inert files they refer to as safe. MS Word is not safe by that definition.
I use the term “model” here with trepidation for in some contexts it refers to an esoteric academic practice. Nonetheless there is, I think, a fruitful link between these two uses of the term. Most users will have instincts and reflexes that have a connection with the formal models that might be used to prove real security properties of the systems that they rely upon. The qualifications “formal model” and “intuitive model” will serve this distinction.