IEAK 5 introduces a new feature that enables the administrator to specify exactly which ActiveX controls are allowed to run in a particular zone. There are two major scenarios within which this feature offers a higher degree of usage control of ActiveX controls and thus a higher degree of security.
Scenario 1: Limited Internet usage of ActiveX controls
Many organizations make extensive use of ActiveX controls on the local intranet, yet want to limit use of ActiveX controls outside the firewall (i.e., in the Internet zone). Intranet content can be trusted not to misuse the controls it hosts, but a control written for intranet pages is usually not designed to be driven by untrusted pages, and any Internet page that can instantiate it can script it with arbitrary parameters. By specifying the set of generic controls the administrator approves for use on the Internet, sites that depend on those controls can still be supported while every other control is blocked in that zone.
For example, suppose as administrator you want to limit use of ActiveX controls yet still allow an important Internet site (such as that of a business partner or service provider) to work with ActiveX controls. Visit the site, preferably from a freshly installed test machine so that nothing else adds entries, and see which ActiveX controls it uses by noting the new entries in the Downloaded Program Files folder of the Windows folder. Record each control's class ID (CLSID) as well as its display name, because the approved list identifies controls by CLSID. Carry out the procedure at the end of this topic to specify that the controls are administrator approved.
After this has been configured, exactly those controls will be permitted to run on that site (and, since the setting applies to the zone rather than to the site, on any other page in the Internet zone). Attempts by any Internet page to use other controls, such as those intended for the intranet, will be blocked.
Scenario 2: Restricted use of ActiveX controls
You can achieve a higher degree of control by listing all the approved ActiveX controls, and then allowing the browser to run only this approved set of controls. The cost of this additional degree of control is the extra effort to enumerate all the controls the administrator wants to allow to be used, so this approach is recommended where the total set of controls is relatively small.
Assess which controls are approved for use on any site. For zones that contain sites that are allowed to use these controls, carry out the procedure at the end of this topic to specify that the controls are administrator approved. For zones that contain sites that are not allowed to use these controls, select Disable in the Run ActiveX controls and plug-ins area. Now only the specified controls will ever run on Web pages, and only in the allowed zones.
Choosing the ActiveX controls
Some common ActiveX controls are listed in the Active Control Administrator Approved file, Axaa.adm, which comes with the IEAK. This list is not a recommendation; it simply represents some of the commonly used ActiveX controls from the Web. As administrator, you should assess which, if any, of these controls are appropriate to use within your organization. You can edit this file and add any new controls you want. By default, no controls are listed as approved, so a zone set to administrator approved runs nothing until you approve something. If you want to add more controls after your users install Internet Explorer, you can use automatic configuration.
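The following PowerShell script is an added example and is not part of the IEAK documentation or of the IEAK wizard procedure; it shows the registry state that the two scenarios above describe, so that an administrator can audit or reproduce it outside the wizard. Everything about registry layout is an assumption to verify against your own Internet Explorer build: that downloaded controls are recorded under HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CLSID} with the originating URL in DownloadInformation\CODEBASE; that "Run ActiveX controls and plug-ins" is the DWORD value 1200 under the zone key (Zones\1 = Local intranet, Zones\3 = Internet) with 0x10000 meaning Administrator approved and 3 meaning Disable; and that approved controls are DWORD values named by CLSID under the AllowedControls policy key, with data 0 meaning allowed. The site URL partner.example.com and the function names are placeholders.

```powershell
# Added example: inventory downloaded controls, approve a chosen set, and put a zone into
# "Administrator approved" mode. Not IEAK code. Registry paths and values are assumptions
# (see the lead-in); check them against your IE build before relying on this.
Set-StrictMode -Version Latest

$DistributionUnits = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
$AllowedControls   = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls'
$ZonesRoot         = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$RunActiveXValue   = '1200'                     # "Run ActiveX controls and plug-ins" (assumed)
$ZoneIntranet      = 1
$ZoneInternet      = 3
$Policy = @{ Enable = 0; Prompt = 1; Disable = 3; AdministratorApproved = 0x10000 }   # assumed encodings

# A CLSID must be a braced GUID. A mistyped value name would silently never match any
# control, so reject anything that is not exactly that shape.
$ClsidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Get-DownloadedControl {
    # Scenario 1 discovery step: what has IE pulled into Downloaded Program Files, and from where?
    Get-ChildItem -Path $DistributionUnits -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $ClsidPattern } |
        ForEach-Object {
            $info = Get-ItemProperty -Path (Join-Path $_.PSPath 'DownloadInformation') -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Clsid    = $_.PSChildName.ToUpperInvariant()
                CodeBase = if ($info -and $info.PSObject.Properties['CODEBASE']) { $info.CODEBASE } else { $null }
            }
        }
}

function Approve-ActiveXControl {
    # Adds each CLSID to the approved list (DWORD 0 = allowed, assumed). Accepts objects from
    # Get-DownloadedControl on the pipeline.
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string[]]$Clsid)
    process {
        foreach ($id in $Clsid) {
            if ($id -notmatch $ClsidPattern) { throw "Not a CLSID: '$id'" }
            if (-not (Test-Path $AllowedControls)) { New-Item -Path $AllowedControls -Force | Out-Null }
            New-ItemProperty -Path $AllowedControls -Name $id.ToUpperInvariant() -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }
}

function Get-ApprovedControl {
    # Review step: which CLSIDs are currently on the approved list?
    if (-not (Test-Path $AllowedControls)) { return @() }
    (Get-Item -Path $AllowedControls).GetValueNames() | Where-Object { $_ -match $ClsidPattern }
}

function Set-ZoneActiveXPolicy {
    # Sets "Run ActiveX controls and plug-ins" for one zone.
    param(
        [Parameter(Mandatory)][int]$Zone,
        [Parameter(Mandatory)][ValidateSet('Enable', 'Prompt', 'Disable', 'AdministratorApproved')][string]$Setting
    )
    $key = Join-Path $ZonesRoot $Zone
    if (-not (Test-Path $key)) { throw "Zone key not found: $key" }
    Set-ItemProperty -Path $key -Name $RunActiveXValue -Type DWord -Value $Policy[$Setting]
}

# Scenario 1: approve only the controls the partner site delivered, then switch the Internet
# zone to "Administrator approved" so every other control is blocked there.
Get-DownloadedControl | Format-Table -AutoSize
Get-DownloadedControl |
    Where-Object { $_.CodeBase -like 'https://partner.example.com/*' } |   # placeholder site
    Approve-ActiveXControl
Set-ZoneActiveXPolicy -Zone $ZoneInternet -Setting AdministratorApproved

# Scenario 2 (alternative): the same approved list is the only thing that runs on the intranet,
# and zones that must not run controls at all are set to Disable.
# Set-ZoneActiveXPolicy -Zone $ZoneIntranet -Setting AdministratorApproved
# Set-ZoneActiveXPolicy -Zone $ZoneInternet -Setting Disable

"Approved controls now: $((Get-ApprovedControl) -join ', ')"
```

Run it in the user's own session (the policy key is per user), then confirm the result by opening a page in the Internet zone that loads an unapproved control and checking that it is blocked rather than prompted. If the approved list is empty when the zone is switched, no control runs in that zone at all, which matches the default described above.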
To specify that ActiveX controls must be approved by an administrator and to specify which controls you want to approve, carry out the following steps:
It is recommended that you make a backup copy of Axaa.adm before editing it, in case you want to restore the original settings.