Best IE settings to restrict ActiveX?

Hello. Can some please recommend to me what is the best IE setting to restrict illicit ActiveX software and plugins from being installed on machine? I had some issues in the past, so a friend just used IE Customized settings and set all my ActiveX settings to Disable. Now I cant even update Windows and every time I go to AOL Search I get ActiveX warnings.

If anyone could help me out I would appreciate it. Thanks.

 

These settings are good: http://www.bleepingcomputer.com/forums/topict1628.html

In addition, click into Tools/Internet Options/Privacy Tab/Advanced and 'Block Third Party Cookies'.

Hope this helps!

 

There are 3 things with IE that can bite you in the behind....and you are experiencing one of them....ActiveX. The other 2 you need to be concerned about are Active script and Java applets....neither of which needs to be enabled unless you Trust the site you are going to. Unfortunately given todays Internet....who thu heck can we trust....which is where you are concerning your deliema

Having said all that....I'll suggest a few things:
1)Use IE only for Windows update until you have achieved a thourough knowledge of IE necessary to surf securely....and consider an alternative browser that's not being exploited regarding ActiveX.

or

2)Follow some of the suggestions presented in the below links concerning tighting down the Internet Zone of IE and how to place sites such as AOL and Microsoft into your Trusted Zone of IE.

These links:

Internet Explorer Privacy & Security Settings

Securing the Internet Zone

http://www.spywarewarrior.com/uiuc/btw/ie/ie-opts.htm#trusted

Brought to by someone who has used IE only for years without fear of being exploited....but has come to the realization that many users definetly need to use another browser....or pull the plug.

Regards,
Bubba

 

Thanks. I will give it a try.

I noticed that some pages links don show up with the Scriptin options Disabled

 

In general, I would recommend something similar to the following:

Code:

.NET Framework-reliant components
  Run components not signed with Authenticode                    Disable
  Run components signed with Authenticode                        Enable
ActiveX controls and plug-ins
  Automatic prompting for ActiveX controls                       Enable (*)
  Binary and script behaviors                                    Enable
  Download signed ActiveX controls                               Prompt
  Download unsigned ActiveX controls                             Disable
  Initialize and script ActiveX controls not marked as safe      Disable
  Run ActiveX controls and plug-ins                              Enable
  Script ActiveX controls marked as safe for scripting           Enable
Downloads
  Automatic prompting for file downloads                         Enable (*)
  File download                                                  Enable
  Font download                                                  Enable
Java VM
  Java permissions                                               High safety
Miscellaneous
  Access data sources across domains                             Disable
  Allow META REFRESH                                             Enable
  Allow scripting of Internet Explorer Webbrowser control        Disable
  Allow script-initiated windows without size or position co...  Disable
  Allow web pages to use restricted protocols for active con...  Prompt
  Display mixed content                                          Prompt
  Don't prompt for client certificate selection when no cert...  Disable
  Drag and drop or copy and paste files                          Disable
  Installation of desktop items                                  Disable
  Launching programs and files in an IFRAME                      Disable
  Navigate sub-frames across different domains                   Disable
  Open files based on content, not file extension                Enable
  Software channel permissions                                   Medium safety
  Submit nonencrypted form data                                  Enable
  Use Pop-up Blocker                                             Enable
  Userdata persistence                                           Enable
  Web sites in less privileged web content zone can navigate...  Enable
Scripting
  Active scripting                                               Enable
  Allow paste operations via script                              Prompt
  Scripting of Java applets                                      Enable
User Authentication
  Logon                                                          Automatic logon only in...

Actually, you can play with these all day depending upon just what exactly it is you are trying to achieve and just where your own personal comfort level is with the technology. But the above is probably a pretty good stab at a general config for most people. The two entries marked with the asterisk (*) can be set to "Disable" if you like getting the little yellow alert bar across the top of your browser window as a warm-and-fuzzy, otherwise it basically is just a repetitive alert... you will still be prompted prior to a signed ActiveX control download or with a "Open, Save, Cancel" dialog in the case of a file download.

The key thing is to not allow any ActiveX controls to execute that aren't signed by a vendor you trust. If you don't trust the control or the publisher then simply say no to the download request prompt, and the control won't download and can't execute. However, if you allow it once, then as configured above, it will already be downloaded and will execute in the future without any other prompting. If you are the sole user of your machine, then this is a workable solution and allows you to go to Windows update, to Macromedia for the ActiveX version of Shockwave/Flash, or to an online virus scanning utility (for example), and not be constantly harassed with prompts and warnings.

If, however, you want even more restrictions on ActiveX, or if you are on a shared machine where you cannot guarantee that others using it will know whether to permit or deny any given ActiveX control then you can configure IE slightly differently. In that case, take the above config for the "Internet Zone" and Disable everything in the "ActiveX controls and plug-ins" section. Then, setup your "Trusted Zone" with settings similar to above. Then, add "*.microsoft.com" (or, even, if you are more particular just "*.windowsupdate.microsoft.com") to your Trusted zone. That way only the Microsoft site (or Microsoft Windows Update site) will be allowed to download and execute ActiveX controls. All other sites will be in the default Internet Zone for which you will have disabled the ActiveX control download ability and turned off ActiveX execution.

 

Thanks. I will give it a shot.

 

ActiveX settings advice from Kim = http://www.komando.com/tips_show.asp?showID=7837

 

http://www.markusjansson.net/exp.html#ie

You will have to add sites that you want to allow to use components to the trusted zone like windows update site.


Thanks,

Chris

 

Whilst I agree with Alec's settings, I have found one strange quirk within XP SP2: If in device manager you right click, click properties of some device, click troubleshoot: this opens the troubleshooter for that device in Help and support, which apparently uses activeX controls which are not marked as safe (even though they are part of XP!). If you have 'Initialize and script activeX controls not marked as safe' set to disable in the IE internet zone, you get a message that the activeX was blocked when running the troubleshooter and it won't work properly. Therefore I have set that to prompt instead of disable; you then get a warning prompt where you can click OK if you are sure of the circumstances.

PS I did first try changing the corresponding setting only for the 'My computer' zone alone (zone 0), but it has to be the internet zone, even though the troubleshooters don't actually connect to the internet.

 

Thanks for the replies.

Do you all also customize the "Trusted Sites" and "Restricted Sites" in the IE Security or do you leave them on the default?

 

chip,
Go into
Tools-ie options-Security- and click on Restricted sites then Custom level and set the reset custom settings to HIGH - click reset and OK-do the same with
Trusted sites-Local Intranet and Internet.

Then when you visit certain sites you will get a rectangular dialog saying,

Your current security settings prohibit running Active-X controls on this page.
As a result page may not display correctly.

Most sites you just click on the dialog OK button and get on with it as though you didn't even see it.

However if you are intending to D\L from anywhere then B'4 you go you would need to go into Tools-Internet Opts.- Security-Internet -Custom Level and reset the level to MEDIUM then after D\L return and set to HIGH - press reset and OK.
This is a bit of a fiddle but I do it 10 times a day because it's worth it.

Regards.

 

Thanks again