Managing ActiveX Controls
IEAK 5 introduced a feature that lets you specify exactly which ActiveX controls can run in a given security zone: you set the zone's Run ActiveX controls and plug-ins setting to Administrator approved, and only the controls you have explicitly approved are allowed to run there. There are two main scenarios in which this feature gives finer control over the use of ActiveX controls and therefore a stronger security posture.
Scenario 1: Limited Internet usage of ActiveX controls
Many organizations make extensive use of ActiveX controls on the local intranet, yet want to limit their use outside the firewall (that is, in the Internet zone). Local intranet content can be trusted not to misuse the controls it needs, but those same controls are not appropriate for Internet Web pages: a control written for trusted intranet use may expose capabilities that a hostile Internet page could script against. By approving only the specific controls needed on the Internet, the administrator can keep the Internet sites that depend on them working while blocking every other control in that zone.
For example, suppose you want to limit the use of ActiveX controls but still allow an important Internet site (such as that of a business partner or service provider) that depends on ActiveX controls to work. Visit the site and identify the controls it uses by noting the new entries that appear in the Downloaded Program Files folder of the Windows folder; record each control's class ID (CLSID) as well as its name, because the CLSID is how the control is identified in the approved list. Then carry out the procedure at the end of this topic to mark those controls as administrator approved.
Once this is configured, exactly those controls are permitted to run in the Internet zone. Note that the approval applies to the zone, not to the individual site: any Internet page may use the approved controls, and any attempt by an Internet page to use other controls, such as those intended for the intranet, is blocked.
Scenario 2: Restricted use of ActiveX controls
You can achieve a higher degree of control by listing all the approved ActiveX controls and allowing the browser to run only this approved set, in every zone. The cost of this additional control is the extra effort of enumerating every control you want to allow, so this approach is recommended where the total set of controls is relatively small.
Assess which controls are approved for use on any site. For zones containing sites that are allowed to use these controls, carry out the procedure at the end of this topic to mark the controls as administrator approved. For zones containing sites that are not allowed to use any controls, select Disable in the Run ActiveX controls and plug-ins area. Now only the specified controls run on Web pages, and only in the zones where you allowed them.
Choosing the ActiveX controls
Some common ActiveX controls are listed in the ActiveX Control Administrator Approved file, Axaa.adm, which comes with the IEAK. This list is not a recommendation; it simply represents some commonly used controls from the Web. As an administrator, assess which, if any, of these controls are appropriate for use within your organization. You can edit this file and add any new controls you want. By default, no controls are listed as approved, so a zone set to Administrator approved with no controls approved runs no ActiveX controls at all. If you want to add more controls after your users have installed Internet Explorer, use automatic configuration.
To specify administrator-level controls
To specify that ActiveX controls must be approved by an administrator and to specify which controls you want to approve, carry out the following steps:
Review the ActiveX control settings in the Axaa.adm file, which is located in the \Policies\<Language> subfolder of the IEAK folder. To add controls to this list, such as controls your organization has created, edit Axaa.adm with a text editor, following the format of the existing entries.
It is recommended that you make a backup copy of this file in case you want to restore the original settings.
On the Security Settings screen of the Internet Explorer 6 Customization Wizard, click Customize Security Zones settings, and then click Modify Settings.
Select the content zone in which you want to manage ActiveX controls, and then click Custom Level.
In the Run ActiveX controls and plug-ins area, click Administrator approved.
Repeat the last two steps until you have set up all the zones you want.
On the Policies and Restrictions page in Stage 5 of the Internet Explorer 6 Customization Wizard, click the Control Management category to expand its contents, and then select the check boxes for the controls you want to approve.
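After deploying the settings above, an administrator will want to confirm on a configured client that each zone really is in Administrator approved mode and that the approved list contains only the intended controls. The following PowerShell script is an added audit example; it is not part of the IEAK or of this documentation. It assumes registry locations that this page does not state: the zone's Run ActiveX controls and plug-ins action is stored as DWORD 1200 under the Internet Settings\Zones\<n> key (0 = Enable, 1 = Prompt, 3 = Disable, 0x10000 = Administrator approved), the controls approved through Axaa.adm are DWORD values named by CLSID under the policy key ...\Internet Settings\AllowedControls (value 0 = approved), and controls downloaded into Downloaded Program Files are recorded under HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units. Function names such as Get-ApprovedControls are the example's own.

```powershell
# Added audit example; not part of the IEAK. Run on a client that received the settings.
# ASSUMED registry layout (not stated on the page):
#   Zones\<n> value 1200 : 0=Enable, 1=Prompt, 3=Disable, 0x10000=Administrator approved
#   AllowedControls      : DWORD per CLSID, 0 = approved (written by Axaa.adm policies)
#   Distribution Units   : one subkey per CLSID for controls downloaded from the Web

$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$ActionRunActiveX = '1200'

function Resolve-ClsidName {
    param([string]$Clsid)
    # Friendly name is the default value of HKCR\CLSID\{...}; unregistered CLSIDs get a marker.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (Test-Path $key) {
        $n = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($n) { return $n }
    }
    return '(not registered)'
}

function Get-ActiveXRunMode {
    param([int]$Zone)
    # A policy-deployed value takes precedence over the user's own zone setting.
    foreach ($root in 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
                      'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones') {
        $key = Join-Path $root $Zone
        $v = (Get-ItemProperty -Path $key -Name $ActionRunActiveX -ErrorAction SilentlyContinue).$ActionRunActiveX
        if ($null -ne $v) {
            switch ($v) {
                0       { return 'Enable' }
                1       { return 'Prompt' }
                3       { return 'Disable' }
                0x10000 { return 'Administrator approved' }
                default { return "Unknown ($v)" }
            }
        }
    }
    return 'Not set'
}

function Get-ApprovedControls {
    # Enumerate CLSID-named values under the assumed AllowedControls policy key (user and machine).
    $results = @()
    foreach ($root in 'HKCU:', 'HKLM:') {
        $key = "$root\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls"
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            if ($name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
            $results += [pscustomobject]@{
                Clsid    = $name
                Approved = ($item.GetValue($name) -eq 0)
                Name     = Resolve-ClsidName $name
                Hive     = $root
            }
        }
    }
    $results
}

function Get-DownloadedControls {
    # Controls pulled from the Web into Downloaded Program Files; the ones a partner site
    # needs (Scenario 1) show up here after you visit it.
    $key = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
    if (-not (Test-Path $key)) { return @() }
    Get-ChildItem $key | ForEach-Object {
        [pscustomobject]@{ Clsid = $_.PSChildName; Name = Resolve-ClsidName $_.PSChildName }
    }
}

# --- Report ---------------------------------------------------------------
"Run ActiveX controls and plug-ins, per zone:"
foreach ($z in 0..4) { '  {0,-16} {1}' -f $ZoneNames[$z], (Get-ActiveXRunMode -Zone $z) }

$approved = Get-ApprovedControls
$approvedIds = $approved | Where-Object Approved | ForEach-Object Clsid
"`nAdministrator approved controls:"
$approved | Where-Object Approved | Format-Table Clsid, Name, Hive -AutoSize

# A zone in Administrator approved mode with an empty list runs no controls at all.
if ((Get-ActiveXRunMode -Zone 3) -eq 'Administrator approved' -and -not $approvedIds) {
    Write-Warning 'Internet zone is Administrator approved but no controls are approved; no ActiveX control will run there.'
}

"Downloaded controls that are NOT on the approved list (candidates to approve or to leave blocked):"
Get-DownloadedControls | Where-Object { $approvedIds -notcontains $_.Clsid } | Format-Table Clsid, Name -AutoSize
```

Run the script in a user session on a client that has received the customized settings; it reports each zone's mode, the approved CLSIDs resolved to their registered names, and any downloaded control that is not approved. A control that appears in the last table after visiting a partner site is one whose CLSID you would add to Axaa.adm; a control that appears there unexpectedly is one the Administrator approved setting is correctly keeping out.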