Blocking and allowing ActiveX
meneer
September 24th, 2003, 05:11 AM
In my company the policy is to disallow ActiveX on the internet segment in Internet Explorer. However, we find that lots of the sites that users go to, need ActiveX enabled. So, these sites are entered in the Trusted Zone in IE.
Since we do not use Windows 2K on our servers and don't have ADS, it seems we can't use the Group Policy mechanism to add sites to the trusted zone, our helpdesk has to manually add a site to the trusted zone on a workstation. We have some 2500 PCs... so, there you have our problem.
What's your policy on ActiveX and how do you solve, or advise us to solve, the trusted site issue?
LowWaterMark
September 24th, 2003, 08:32 PM
Quote from meneer: "Since we do not use Windows 2K on our servers and don't have ADS, it seems we can't use the Group Policy mechanism to add sites to the trusted zone, our helpdesk has to manually add a site to the trusted zone on a workstation. We have some 2500 PCs... so, there you have our problem."
Are you saying that people from the help desk go from PC to PC, use the Internet Options, and enter each site manually - or have you packaged the approved trusted site list in some kind of script or program to speed up distribution, even if it still takes a person manually signing on to every PC to execute the script?
If you have no software distribution tools at all with 2500 PCs, you certainly have your hands full. How do you distribute software updates?
At the very least I'd create a .reg file with the approved list of trusted sites, locate it on a central server everyone has read access to, and have the PCs pull that file down daily to get whatever updates have been made to it.
meneer
September 25th, 2003, 03:20 AM
Our helpdesk uses remote control software, but yes, they have to edit the setting manually :'(
Regular software updates take place using SMS or other release management tools; however, these ActiveX trusts are so frequent, they would overload our change management processes.
I would love to just boycott ActiveX sites, but even security aware companies use it on their sites (at least we are removing all ActiveX components from ours, there you have a small victory :) )
LowWaterMark
September 25th, 2003, 04:36 PM
Quote from meneer: "Our helpdesk uses remote control software, but yes, they have to edit the setting manually :'( "
Well, at the very least, placing the trusted sites into a reg file would make it easier to update on all systems with no chance of errors by typo, etc.
See IE-SpyAd (http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD) as an example of the method I'm talking about. The only difference is you'd set the flags for trusted, not restricted sites.
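Added example, not part of the original thread or any poster's code: one way to build the shared .reg file suggested above from a reviewed list, so every workstation imports identical Trusted-zone entries and malformed or over-broad lines are rejected instead of typed in by hand. The sample site names are constructed, and the script assumes the last two host labels form the registered domain (names under suffixes such as co.uk need a public-suffix lookup).

```python
import re
from urllib.parse import urlsplit

# Per-user key where Internet Explorer stores site-to-zone assignments.
ZONEMAP = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap\Domains")
TRUSTED_ZONE = 2  # IE zone numbers: 2 = Trusted sites, 4 = Restricted sites
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

def zone_entry(url):
    """Turn one approved URL into (registry key, value name) or raise ValueError."""
    parts = urlsplit(url.strip().lower())
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {url!r}")
    labels = (parts.hostname or "").split(".")
    if len(labels) < 2 or not all(LABEL.match(l) for l in labels):
        raise ValueError(f"not a plain host name (wildcards refused): {url!r}")
    if labels[-1].isdigit():
        raise ValueError(f"IP address, not a domain: {url!r}")
    # Assumption: the last two labels are the registered domain.
    domain, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
    key = f"{ZONEMAP}\\{domain}" + (f"\\{sub}" if sub else "")
    return key, parts.scheme  # value name is the scheme, never "*"

def build_reg(approved):
    """Return (.reg text, rejected lines) for a list of approved URLs."""
    entries, rejected = set(), []
    for line in approved:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        try:
            entries.add(zone_entry(line))  # the set removes duplicates
        except ValueError as exc:
            rejected.append(str(exc))
    out = ["REGEDIT4", ""]  # ANSI .reg header
    for key, scheme in sorted(entries):  # sorted so file diffs stay reviewable
        out += [f"[{key}]", f'"{scheme}"=dword:{TRUSTED_ZONE:08x}', ""]
    return "\r\n".join(out), rejected

# Constructed sample list (placeholder names, not from the thread).
SAMPLE = ["# approved list", "https://www.example.com/login",
          "HTTPS://www.example.com", "http://portal.example.org",
          "https://*.example.net", "ftp://files.example.com", "https://192.0.2.10/"]

if __name__ == "__main__":
    text, bad = build_reg(SAMPLE)
    print(text, "rejected:", *bad, sep="\n")
```

Write the text to the central share with `newline=''` so the CRLF line endings survive, and have the logon script import it with `regedit /s`.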
AplusWebMaster
October 1st, 2003, 08:32 PM
??? Isn't it possible to do a "scripted rollout" during logon to the network?
I am, by no means, an "expert" on it, but shouldn't that be the solution? 'Would like to hear from an experienced techie on that...
"Your assignment, should you decide to accept it," is to: Do a "scripted rollout" blocking -ActiveX- use in IE, with the exception of certain "Trusted sites" in the Internet Zone? (meneer, yes? no?)
msingle
October 2nd, 2003, 04:57 AM
Is this something that could be handled by the IE Administration Kit?
meneer
October 2nd, 2003, 09:56 AM
We tried using the administration kit, but due to technical circumstances, this installation failed, so our technicians had to resort to a different solution.
I'm glad to report that there are other problems with our IE6 settings as well, so perhaps we will manage to create a more efficient setup (using the central configuration file).
Still trying to get Mozilla in our organization, but since we are a 'Microsoft shop' little chance :-\ (my own security management archive/intranet site is running on an 'illegal' Linux box >:( )
meneer
October 2nd, 2003, 09:58 AM
Quote from AplusWebMaster: "??? Isn't it possible to do a "scripted rollout" during logon to the network?
I am, by no means, an "expert" on it, but shouldn't that be the solution? 'Would like to hear from an experienced techie on that...
"Your assignment, should you decide to accept it," is to: Do a "scripted rollout" blocking -ActiveX- use in IE, with the exception of certain "Trusted sites" in the Internet Zone? (meneer, yes? no?)"
Yes, but there are even better options... central config, group policies (once you're running ADS). One day it will happen... :)