According to this post, and this one as well, the file shows up when Internet Explorer 7 is installed. This correlates with the computers that I have available (that is, computers with IE7 have the file, and those with IE6 do not), though I have not yet tested this to determine that this is in fact the case.
I haven't spent a lot of time looking at the structure of .evt files generally, but in my experience, they are generally readable with a hex editor, but this is not so with the internet.evt. The Windows Event Viewer, when opened, shows this file as Internet Explorer, but it appears empty. When I turned the log viewer I was coding towards the file, however, it had some interesting artifacts.
Most notably, software installations were logged, including (I think) software installations that were performed using Firefox. This could be very relevant when investigating intrusions where a web browser is used to download and install tools, but obviously some more testing needs to be done.
I'll post what I find in a follow-up, but to summarize:
I know Internet.evt:
- exists on XP with IE7 installed.
- does not appear to exist with previous versions of IE.
- resides in %windir%\system32\config
- is not visible to the Windows Event Viewer in XP Home (tested on 1 box).
- is created when IE7 is installed.
- has a file structure that differs from standard event logs.
- also logs Internet-related software installations from other browsers.
- test suspicions
- figure out what types of data are stored in the file.
- determine what registry entries (if any) are associated with the file.
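
One way to test whether a given .evt file follows the standard layout, as an added example (not the log viewer mentioned in this post): it checks the documented `ELF_LOGFILE_HEADER` and then carves `EVENTLOGRECORD` entries by their `LfLe` signature, so records are still recovered when the header is missing or unreliable. The function names and the sample bytes are constructed for illustration; nothing here assumes how Internet.evt itself is laid out.

```python
import struct
from datetime import datetime, timezone

SIG = b"LfLe"                         # signature in the header and in every record
HEADER = struct.Struct("<12I")        # ELF_LOGFILE_HEADER, 0x30 bytes
RECORD = struct.Struct("<I4s4I4H6I")  # fixed part of EVENTLOGRECORD, 56 bytes

def check_header(buf):
    """Return header fields if buf starts with a standard .evt header, else None."""
    f = HEADER.unpack_from(buf) if len(buf) >= HEADER.size else None
    ok = f and f[0] == 0x30 and f[11] == 0x30 and buf[4:8] == SIG
    return {"version": (f[2], f[3]), "next_record": f[6], "dirty": bool(f[9] & 1)} if ok else None

def _wstr(rec, off):
    """Read one NUL-terminated UTF-16LE string; return (text, next offset)."""
    end = off
    while rec[end:end + 2] not in (b"\x00\x00", b""):
        end += 2
    return rec[off:end].decode("utf-16-le", "replace"), end + 2

def carve_records(buf):
    """Yield records found by signature scan; a valid record ends with its own length."""
    pos = buf.find(SIG)
    while pos != -1:
        start = pos - 4
        if start >= 0 and len(buf) - start >= RECORD.size:
            f = RECORD.unpack_from(buf, start)
            rec = buf[start:start + f[0]]
            if f[0] >= RECORD.size and rec[-4:] == struct.pack("<I", f[0]):
                source, nxt = _wstr(rec, RECORD.size)
                computer, _ = _wstr(rec, nxt)
                strings, off = [], f[11]   # f[11] = StringOffset, f[7] = NumStrings
                for _ in range(f[7]):
                    text, off = _wstr(rec, off)
                    strings.append(text)
                yield {"number": f[2], "event_id": f[5] & 0xFFFF, "source": source,
                       "computer": computer, "strings": strings,
                       "written": datetime.fromtimestamp(f[4], timezone.utc).isoformat()}
        pos = buf.find(SIG, pos + 4)

def build_sample():
    """Constructed input: a standard header and one record (not real data)."""
    w = lambda s: s.encode("utf-16-le") + b"\x00\x00"
    names, text = w("SampleSource") + w("SAMPLE-PC"), w("constructed message")
    text += b"\x00" * (-(RECORD.size + len(names) + len(text)) % 4)  # DWORD align
    off, size = RECORD.size + len(names), RECORD.size + len(names) + len(text) + 4
    rec = RECORD.pack(size, SIG, 1, 1167609600, 1167609600, 1000, 4, 1, 0, 0, 0,
                      off, 0, off, 0, off) + names + text + struct.pack("<I", size)
    return HEADER.pack(0x30, 0x654C664C, 1, 1, 48, 48 + size, 2, 1, 65536, 0, 0, 0x30) + rec
```

A file for which `check_header` returns `None` and `carve_records` yields nothing does not use the standard record format and needs to be examined as a different structure.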