Changes in the ActiveX Installer Service

Article
09/12/2012

Applies To: Windows 7

The ActiveX Installer Service enables IT professionals to manage the deployment of ActiveX controls by using Group Policy on computers in an organization. ActiveX controls are self-registering COM objects that are used to provide a more interactive user experience when using Internet Explorer. ActiveX controls are often distributed in .cab files. By default, standard user accounts do not have permission to install ActiveX controls. The following sections describe the new features in the ActiveX Installer in Windows 7.

ActiveX Installer Service installed by default

The ActiveX Installer Service is now installed by default in all versions of Windows 7. It is enabled and configured so that it can be started when it is requested by Web sites that provide ActiveX controls.

Subdomains can be specified by using wildcard characters

Administrators will now be able to specify policy to allow ActiveX controls to be installed from sites on the Trusted sites list in Internet Explorer. This list supports wildcard characters in the URLs for subdomains. This enables organizations with server farms or multiple trusted domains to be able to allow standard user accounts to install ActiveX controls from any site on the Trusted sites list.

To help ensure that only sites that are trusted from an organizational perspective are allowed to install ActiveX controls, Internet Explorer trusted zones must be configured so that users cannot modify the Trusted sites list and so that the Trusted sites list is populated by using one of the following ways:

Installing from trusted sites is enabled by Group Policy.
Internet Explorer is configured to read the list of trusted sites from the registry key HKLM\Computer Configuration\Administrative Templates\Internet Explorer\Security Zone: Use Only Machine Settings is enabled.
The Site to Zone List Group Policy setting located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page contains the list of trusted sites that are deployed by Group Policy.

Security Note
If you decide to use this feature to allow installation from the trusted sites, the Site to Zone List Group Policy setting must have at least one entry to the trusted sites to prevent standard users from installing arbitrary ActiveX controls. Using subdomains with wildcard characters allows a standard user to install programs and applications from any server in the subdomain that uses wildcard characters, which could include malware and potentially unwanted software. You should make sure that all servers in the subdomain are fully trusted before enabling this feature.

If you decide to use this feature to allow installation from the trusted sites, the Site to Zone List Group Policy setting must have at least one entry to the trusted sites to prevent standard users from installing arbitrary ActiveX controls.

Using subdomains with wildcard characters allows a standard user to install programs and applications from any server in the subdomain that uses wildcard characters, which could include malware and potentially unwanted software. You should make sure that all servers in the subdomain are fully trusted before enabling this feature.

Changes in the ActiveX Installer Service

ActiveX Installer Service installed by default

Subdomains can be specified by using wildcard characters

Additional resources