Best IE settings to restrict ActiveX?
chip718
March 17th, 2005, 01:18 PM
Hello. Can someone please recommend to me what is the best IE setting to restrict illicit ActiveX software and plugins from being installed on my machine? I had some issues in the past, so a friend just used IE Customized settings and set all my ActiveX settings to Disable. Now I can't even update Windows and every time I go to AOL Search I get ActiveX warnings.
If anyone could help me out I would appreciate it. Thanks.
gud4u
March 17th, 2005, 01:44 PM
These settings are good: http://www.bleepingcomputer.com/forums/topict1628.html
In addition, click into Tools/Internet Options/Privacy Tab/Advanced and 'Block Third Party Cookies'.
Hope this helps!
Bubba
March 17th, 2005, 01:53 PM
-{ Quote: "Hello. Can someone please recommend to me what is the best IE setting to restrict illicit ActiveX software and plugins from being installed on my machine? I had some issues in the past, so a friend just used IE Customized settings and set all my ActiveX settings to Disable. Now I can't even update Windows and every time I go to AOL Search I get ActiveX" }-
There are 3 things with IE that can bite you in the behind....and you are experiencing one of them....ActiveX. The other 2 you need to be concerned about are Active script and Java applets....neither of which needs to be enabled unless you Trust the site you are going to. Unfortunately given today's Internet....who thu heck can we trust....which is where you are concerning your dilemma :-\
Having said all that....I'll suggest a few things:
1) Use IE only for Windows update until you have achieved a thorough knowledge of IE necessary to surf securely....and consider an alternative browser that's not being exploited regarding ActiveX.
or
2) Follow some of the suggestions presented in the below links concerning tightening down the Internet Zone of IE and how to place sites such as AOL and Microsoft into your Trusted Zone of IE.
These links:
Internet Explorer Privacy & Security Settings (http://www.spywarewarrior.com/uiuc/btw/ie/ie-opts.htm)
Securing the Internet Zone (http://www.spywarewarrior.com/uiuc/btw/ie/ie-opts.htm#security)
http://www.spywarewarrior.com/uiuc/btw/ie/ie-opts.htm#trusted
Brought to you by someone who has used IE only for years without fear of being exploited....but has come to the realization that many users definitely need to use another browser....or pull the plug.
Regards,
Bubba
chip718
March 17th, 2005, 03:24 PM
Thanks. I will give it a try.
I noticed that some pages' links don't show up with the Scripting options Disabled
Alec
March 18th, 2005, 01:48 AM
In general, I would recommend something similar to the following:

.NET Framework-reliant components
  Run components not signed with Authenticode: Disable
  Run components signed with Authenticode: Enable

ActiveX controls and plug-ins
  Automatic prompting for ActiveX controls: Enable (*)
  Binary and script behaviors: Enable
  Download signed ActiveX controls: Prompt
  Download unsigned ActiveX controls: Disable
  Initialize and script ActiveX controls not marked as safe: Disable
  Run ActiveX controls and plug-ins: Enable
  Script ActiveX controls marked as safe for scripting: Enable

Downloads
  Automatic prompting for file downloads: Enable (*)
  File download: Enable
  Font download: Enable

Java VM
  Java permissions: High safety

Miscellaneous
  Access data sources across domains: Disable
  Allow META REFRESH: Enable
  Allow scripting of Internet Explorer Webbrowser control: Disable
  Allow script-initiated windows without size or position co...: Disable
  Allow web pages to use restricted protocols for active con...: Prompt
  Display mixed content: Prompt
  Don't prompt for client certificate selection when no cert...: Disable
  Drag and drop or copy and paste files: Disable
  Installation of desktop items: Disable
  Launching programs and files in an IFRAME: Disable
  Navigate sub-frames across different domains: Disable
  Open files based on content, not file extension: Enable
  Software channel permissions: Medium safety
  Submit nonencrypted form data: Enable
  Use Pop-up Blocker: Enable
  Userdata persistence: Enable
  Web sites in less privileged web content zone can navigate...: Enable

Scripting
  Active scripting: Enable
  Allow paste operations via script: Prompt
  Scripting of Java applets: Enable

User Authentication
  Logon: Automatic logon only in...

Actually, you can play with these all day depending upon just what exactly it is you are trying to achieve and just where your own personal comfort level is with the technology. But the above is probably a pretty good stab at a general config for most people. The two entries marked with the asterisk (*) can be set to "Disable" if you like getting the little yellow alert bar across the top of your browser window as a warm-and-fuzzy, otherwise it basically is just a repetitive alert... you will still be prompted prior to a signed ActiveX control download or with an "Open, Save, Cancel" dialog in the case of a file download.
The key thing is to not allow any ActiveX controls to execute that aren't signed by a vendor you trust. If you don't trust the control or the publisher then simply say no to the download request prompt, and the control won't download and can't execute. However, if you allow it once, then as configured above, it will already be downloaded and will execute in the future without any other prompting. If you are the sole user of your machine, then this is a workable solution and allows you to go to Windows update, to Macromedia for the ActiveX version of Shockwave/Flash, or to an online virus scanning utility (for example), and not be constantly harassed with prompts and warnings.
If, however, you want even more restrictions on ActiveX, or if you are on a shared machine where you cannot guarantee that others using it will know whether to permit or deny any given ActiveX control then you can configure IE slightly differently. In that case, take the above config for the "Internet Zone" and Disable everything in the "ActiveX controls and plug-ins" section. Then, set up your "Trusted Zone" with settings similar to above. Then, add "*.microsoft.com" (or, even, if you are more particular just "*.windowsupdate.microsoft.com") to your Trusted zone. That way only the Microsoft site (or Microsoft Windows Update site) will be allowed to download and execute ActiveX controls. All other sites will be in the default Internet Zone for which you will have disabled the ActiveX control download ability and turned off ActiveX execution.
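Added example, not part of Alec's post: a read-only PowerShell check of the Internet Zone's ActiveX settings against the values listed above, plus a listing of the sites currently mapped to the Trusted zone. The registry value numbers are Microsoft's documented URLAction IDs rather than anything given in the thread, and the two mode names are made up for this example.

```powershell
# Added example: read-only audit of the per-user IE Internet Zone (zone 3).
# Mode names are hypothetical: SingleUser = the list in the post,
# Shared = the stricter variant with every ActiveX setting disabled.
param([ValidateSet('SingleUser', 'Shared')][string]$Mode = 'SingleUser')

$root  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }  # URLAction policy values

# Id = registry value name under Zones\3 (Microsoft's URLAction numbers).
$baseline = @(
    @{ Id = '1001'; SingleUser = 1; Shared = 3; Name = 'Download signed ActiveX controls' }
    @{ Id = '1004'; SingleUser = 3; Shared = 3; Name = 'Download unsigned ActiveX controls' }
    @{ Id = '1200'; SingleUser = 0; Shared = 3; Name = 'Run ActiveX controls and plug-ins' }
    @{ Id = '1201'; SingleUser = 3; Shared = 3; Name = 'Initialize and script ActiveX controls not marked as safe' }
    @{ Id = '1405'; SingleUser = 0; Shared = 3; Name = 'Script ActiveX controls marked as safe for scripting' }
    @{ Id = '2000'; SingleUser = 0; Shared = 3; Name = 'Binary and script behaviors' }
    @{ Id = '2201'; SingleUser = 0; Shared = 3; Name = 'Automatic prompting for ActiveX controls' }
)

$zone = Get-ItemProperty -Path "$root\Zones\3"
foreach ($b in $baseline) {
    $actual = $zone.($b.Id)                      # $null when the value is absent
    $shown  = '(not set)'
    if ($null -ne $actual) {
        $shown = $label[[int]$actual]
        if (-not $shown) { $shown = '0x{0:X}' -f $actual }
    }
    [pscustomobject]@{
        Setting  = $b.Name
        Expected = $label[$b[$Mode]]
        Actual   = $shown
        Ok       = ($actual -eq $b[$Mode])
    }
}

# Sites mapped to the Trusted zone (2). Under ZoneMap\Domains each key is a
# domain, nested keys are subdomains, and each value maps a protocol to a zone.
Get-ChildItem -Path "$root\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_
        foreach ($proto in $key.GetValueNames()) {
            if ($key.GetValue($proto) -eq 2) {
                $parts = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8).Split('\')
                [array]::Reverse($parts)
                'Trusted: {0}://{1}' -f $proto, ($parts -join '.')
            }
        }
    }
```

Settings pushed by Group Policy are stored under the matching Software\Policies key and take precedence, so this output describes only the per-user values.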
chip718
March 18th, 2005, 10:43 AM
Thanks. I will give it a shot.
sultan_emerr
March 19th, 2005, 03:13 AM
ActiveX settings advice from Kim = http://www.komando.com/tips_show.asp?showID=7837
Chris12923
March 19th, 2005, 07:20 AM
http://www.markusjansson.net/exp.html#ie
You will have to add sites that you want to allow to use components to the trusted zone like windows update site.
Thanks,
Chris
JRosenfeld
March 19th, 2005, 03:06 PM
Whilst I agree with Alec's settings, I have found one strange quirk within XP SP2: If in device manager you right click, click properties of some device, click troubleshoot: this opens the troubleshooter for that device in Help and support, which apparently uses ActiveX controls which are not marked as safe (even though they are part of XP!). If you have 'Initialize and script ActiveX controls not marked as safe' set to disable in the IE internet zone, you get a message that the ActiveX was blocked when running the troubleshooter and it won't work properly. Therefore I have set that to prompt instead of disable; you then get a warning prompt where you can click OK if you are sure of the circumstances.
PS I did first try changing the corresponding setting only for the 'My computer' zone alone (zone 0), but it has to be the internet zone, even though the troubleshooters don't actually connect to the internet.
chip718
March 20th, 2005, 05:26 PM
Thanks for the replies.
Do you all also customize the "Trusted Sites" and "Restricted Sites" in the IE Security or do you leave them on the default?
MICRO
March 20th, 2005, 08:41 PM
-{ Quote: "Do you all also customize the "Trusted Sites" and "Restricted Sites" in the IE Security or do you leave them on the default?" }-
chip,
Go into Tools-ie options-Security- and click on Restricted sites then Custom level and set the reset custom settings to HIGH - click reset and OK-do the same with Trusted sites-Local Intranet and Internet.
Then when you visit certain sites you will get a rectangular dialog saying,
Your current security settings prohibit running Active-X controls on this page.
As a result page may not display correctly.
Most sites you just click on the dialog OK button and get on with it as though you didn't even see it.
However if you are intending to D\L from anywhere then B'4 you go you would need to go into Tools-Internet Opts.- Security-Internet -Custom Level and reset the level to MEDIUM then after D\L return and set to HIGH - press reset and OK.
This is a bit of a fiddle but I do it 10 times a day because it's worth it.
Regards.
chip718
March 21st, 2005, 11:35 AM
Thanks again
Copyright ©2002 - 2012, Wilders Security Forums