ActiveX Controls and IEAK
You can use Windows® Internet Explorer® Administration Kit 9 (IEAK 9) to specify which Microsoft® ActiveX® controls can run in a particular zone for your users. For instructions about working with ActiveX controls using IEAK 9, see Configure ActiveX Controls.
There are two main approaches to controlling the use of ActiveX controls:
Scenario 1: Limited Internet use of ActiveX controls
Many organizations make extensive use of ActiveX controls on the local intranet, yet want to limit use of ActiveX controls outside the firewall (that is, in the Internet zone). While local intranet content can be trusted not to attempt malicious use of any controls it uses, these controls are not appropriate for use by Internet webpages. By specifying the set of generic controls the administrator approves for use on the Internet, sites that use controls can still be supported while preventing any inappropriate use of other controls in that zone.
For example, suppose as an administrator you want to limit use of ActiveX controls, yet still want to allow an important Internet site (such as that of a business partner or service provider) to work with ActiveX controls. Visit the site and see what ActiveX controls it uses by noting new entries in your <systemdrive>\Windows\Downloaded Program Files folder. Then, as part of your package, you can enable these ActiveX controls to be run on the site. Attempts by any Internet page to use other controls, such as those intended for the intranet, are blocked.
Scenario 2: Restricted use of ActiveX controls
You can achieve a higher degree of control by listing all the approved ActiveX controls, and then allowing the browser to run only this approved set of controls. The cost of this additional degree of control is the extra effort to enumerate all the controls the administrator wants to allow to be used, so we recommend using this approach when the total set of controls is relatively small.
Assess which controls are approved for use on any site. For zones that contain sites that are allowed to use these controls, use the procedure in Configure ActiveX Controls to specify that the controls are administrator approved. For zones that contain sites that are not allowed to use these controls, select Disable in the Run ActiveX controls and plug-ins area. With this setting, only the specified controls will run on webpages and they will run only in the allowed zones.
For more information about IEAK 9, see Security Considerations.