Tip of the day: Protect yourself from unwanted ActiveX controls

WARNING: The following tip contains script code that makes changes to your Windows registry. Although I have tested this script and believe it performs as described, I am not responsible for any damage that may occur to your computer if you choose to download and run this script.

The single biggest security flaw in Internet Explorer is its capability to download and run ActiveX controls. This feature is a double-edged sword. When used properly, ActiveX controls greatly expand the power of Internet Explorer. Unfortunately, the developers of spyware, adware, and other forms of crapware figured out long ago that ActiveX is a great way to sneak unwanted programs onto an unsuspecting user’s computer.

So how do you protect yourself? You could disable ActiveX programs completely. But when you do so, you cut off access to the good along with the bad. A better approach is the one that Carl Siechert and I came up with in Microsoft Windows Security Inside Out: Configure Internet Explorer so that existing ActiveX programs run as expected, but disable the ability to download new controls from any site in the Internet zone (sites in the Restricted zone are always blocked, and sites that you specifically place in the Trusted Sites zone are unaffected by this change). This configuration change makes it impossible for a Web site to push spyware/adware/crapware onto your machine. The beauty of this technique is that it doesn’t allow you (or an unsophisticated user on your computer) to be fooled into clicking Yes when you should click No. It stops new ActiveX controls cold.

In the rest of this article, I explain two ways to make this change: one that requires a series of manual steps, a second that runs automatically, using a simple script file. Note that I have only tested this script with Windows XP Service Pack 2. It will probably work with other versions of Windows, but I can’t guarantee it and don’t recommend using the script on any other Windows version. Oh, and this security tip is worth following even if you normally use Firefox as your default browser. Programs like Windows Media Player can call up Internet Explorer when you least expect it. If you’ve blocked unwanted ActiveX installations, they can’t do any damage.

The manual technique requires making a series of changes on the Security tab of the Internet Explorer Options dialog box. Here’s how:

  1. Close all copies of Internet Explorer and open Control Panel.
  2. Double-click Internet Options.
  3. In the Internet Properties dialog box, click the Security tab, select the Internet icon from the list of available zones, and click Custom Level.
  4. Scroll down the list to the ActiveX controls and plug-ins section. Change the Download signed ActiveX controls setting to Disable.

  5. Verify that all other settings in this section are as follows:
    • Automatic prompting for ActiveX controls – Disable
    • Binary and script behaviors – Enable
    • Download signed ActiveX controls – Disable
    • Download unsigned ActiveX controls – Disable
    • Initialize and script ActiveX controls not marked as safe – Disable
    • Run ActiveX controls and plug-ins – Enable
    • Script ActiveX controls marked safe for scripting – Enable
  6. Click OK to save your changes and close the Security Settings dialog box. (Click Yes in response to the confirmation dialog box.)
  7. Click OK to close the Internet Properties dialog box.
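The verification in step 5 can also be done by reading the registry. The following read-only check is an added example, not the ActiveX_toggle.vbs script described later in this article. It assumes the standard Internet Explorer value names for the Internet zone (zone 3) under the current user's hive, where data 0 means Enable, 1 means Prompt, and 3 means Disable; it also flags the Security_HKLM_only policy value that a commenter describes below.

```vbscript
' Added example: read-only audit of the current user's Internet zone (zone 3)
' against the settings listed in step 5. Assumption: value names are the
' standard IE URL-action IDs; data 0 = Enable, 1 = Prompt, 3 = Disable.
Option Explicit
Const ZONE_KEY = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"
Const POLICY = "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only"
Dim shell, checks, i, report, failures
Set shell = CreateObject("WScript.Shell")
' Value name, label shown in the Security Settings dialog box, expected data.
checks = Array( _
    Array("2201", "Automatic prompting for ActiveX controls", 3), _
    Array("2000", "Binary and script behaviors", 0), _
    Array("1001", "Download signed ActiveX controls", 3), _
    Array("1004", "Download unsigned ActiveX controls", 3), _
    Array("1201", "Initialize and script ActiveX controls not marked as safe", 3), _
    Array("1200", "Run ActiveX controls and plug-ins", 0), _
    Array("1405", "Script ActiveX controls marked safe for scripting", 0))
report = "" : failures = 0
For i = 0 To UBound(checks)
    report = report & CheckSetting(checks(i)(0), checks(i)(1), checks(i)(2)) & vbCrLf
Next
' When this policy value is 1, IE uses the HKLM settings, not the HKCU values read above.
If ReadDword(POLICY) = 1 Then report = report & "Note: Security_HKLM_only = 1; HKCU values are not active." & vbCrLf
WScript.Echo report & failures & " setting(s) differ from the step 5 list."
If failures > 0 Then WScript.Quit 1

' Returns the DWORD data, or -1 when the value does not exist or cannot be read.
Function ReadDword(path)
    ReadDword = -1
    On Error Resume Next
    ReadDword = shell.RegRead(path)
    On Error GoTo 0
End Function
Function ActionName(data)
    Select Case data
        Case 0: ActionName = "Enable"
        Case 1: ActionName = "Prompt"
        Case 3: ActionName = "Disable"
        Case Else: ActionName = "Not set or other (" & data & ")"
    End Select
End Function
Function CheckSetting(valueName, label, expected)
    Dim actual, tag
    actual = ReadDword(ZONE_KEY & valueName) : tag = "[ OK ] "
    If actual <> expected Then
        tag = "[DIFF] " : failures = failures + 1
    End If
    CheckSetting = tag & label & ": " & ActionName(actual) & " (expected " & ActionName(expected) & ")"
End Function
```

Because the settings are stored per user, run the check (for example with cscript) while logged on as each account you want to verify.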

The next time you visit a site that tries to install an ActiveX control on your computer, you’ll see the following message in the Information Bar just above the contents of the page itself:

[Image: Activex_blocked]

If this is a control you want to install, you’ll have to reverse the steps above to enable downloading of ActiveX controls. After you’ve installed the control, you can disable ActiveX downloads again.

If you’d prefer a more automated approach, Carl and I have created a simple script file that will appear in our forthcoming update to Microsoft Windows Security Inside Out. You can download the script file, which is contained in a compressed Zip file, or copy and paste the text into your own script file. Download the compressed file from this link or view the script text from this link. Extract the ActiveX_toggle.vbs file to a convenient location, such as the desktop, and double-click the file icon to run the script. The script displays two dialog boxes. The first displays your current ActiveX security settings for the Internet zone:

[Image: Activex_toggle_1]

After you click OK, the second dialog box allows you to change the current setting:

[Image: Activex_toggle_2]

Click Yes to allow ActiveX controls to be downloaded (you will always be prompted for permission before a download takes place). Click No to disable downloads. Click Cancel to leave your current settings in place.

You can run this script any time. Note that you must be logged on as an Administrator to run the script; it will fail if you are logged on as a standard user. Also, some antivirus programs may display a warning (or just fail to run the script, without any notice) when you attempt to run any script written in JScript or VBScript. In its default settings, Microsoft AntiSpyware attempts to block most scripts as well. This is reasonable behavior, because bad guys have been known to use scripts to install unwanted software or tamper with your system settings. If this script won’t run on your computer, look at the settings for your antivirus or antispyware software to see what you need to do to make it work properly.

Update: I added some text to the introduction to make it clear that this change affects sites in the Internet zone, which by default includes all sites. It does not affect downloads from any site that you designate as being in the Trusted Sites zone or the Restricted Sites zone.

Update 2: As Carl points out in the comments, this script works on a per-user basis. For maximum security, you must log on and run the script for each account on your computer.

5 thoughts on “Tip of the day: Protect yourself from unwanted ActiveX controls”

  1. What’s the problem with setting “Download signed active-x controls” to prompt? Does that not always prompt?

  2. The problem with setting “Download signed active-x controls” to prompt is that it creates the opportunity for someone who makes deceptive software to fool you into clicking Yes when you really, really don’t want to. They might lie about what the program is really for, or they might catch you in a moment of weakness when you aren’t paying attention and click the wrong button. It’s an especially severe problem on computers that are used by multiple people. You might know how to avoid accidentally installing a piece of spyware, but your spouse or your kids might be more easily deceived.

    The most secure route, which this technique enables, is to make it difficult to install a new program. I would rather go through a few extra steps to install an ActiveX-based program I need than have to go through hours of cleanup to get rid of a spyware program that was installed through carelessness or deception.

  3. I don’t have Internet Explorer on my XP_SP2 computer! I used nlite to remove both IE & Help files. I use the Corp version of XP, so no need for activation & I can always use ‘xchm’ to view CHM files.

  4. Ed’s point about this setting being useful in a multiuser environment is a good one. But note that making the setting–whether you use the manual method or the script–affects only the user account that is currently logged on. Therefore, if you follow the sound practice of setting up different accounts for each member of your family, for example, you need to log on as each user whom you want to restrict and make the setting.

  5. If you set up IE to read its security settings from HKEY_LOCAL_MACHINE, rather than HKEY_CURRENT_USER, then you only need to make the change once for all users. Using the HKLM settings also prevents non-admins from changing the IE settings.

    To force IE to use the HKLM settings, add a DWORD value:

    Security_HKLM_only

    to

    HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

    and set it to 1.

    Note that the IE interface will still display the non-active HKCU settings.

    [Edited to eliminate awkward linebreaks – EB]
