ActiveX is a major source of security headaches in Microsoft
Internet Explorer. Although IT professionals might wish to disable ActiveX
altogether, that simply isn’t an option for many users, so we need to know how
to tweak various settings and permissions for the different security zones in
IE. Fortunately, there are a variety of customization options available in IE 6
that can help an administrator improve security, especially with Service Pack 2
for Windows XP installed. However, not many administrators are educated about
these options and there is minimal documentation available, so these security
best practices for ActiveX and browser add-ons are not widely used.

Managing Add-ons

New in IE 6 for Windows XP SP2 is the Add-on Manager screen.
Just what are add-ons? Those are the Browser Helper Objects (BHOs), ActiveX controls, toolbars, and browser extensions
that enhance the way Internet Explorer displays Web sites or provides
additional functionality to the browser. Some are pre-installed when the
operating system is loaded; others are installed by users, or downloaded as users
visit certain Web sites.

How can you manage add-ons? Administrators can
enable/disable or block users from downloading new add-ons. However, by
default, users can change these settings themselves unless they are prevented
from doing so by Group Policy or another desktop lockdown tool.

To access add-ons, open Internet Explorer and go to Tools |
Manage Add-ons to see all the active Browser Helper Objects as well as any
other add-ons that IE has used previously and which are still stored on the
computer.

Select any object by name and you can either Enable it if
you need it or Disable it if it repeatedly causes problems. You can also update
most ActiveX add-ons from this screen by clicking on the Update ActiveX button
after selecting the add-on.

Some add-ons are “signed” but come from untrusted sources. The Add-on Manager will normally block
those and you need to open the Add-on Manager to unblock any that you need.
Beware that doing so automatically moves everything from that publisher to the
trusted list. It doesn’t enable only the single add-on you specify. In XP SP2
these blocked add-ons are what show up in the Browser Information Bar to notify
you that a site feature is disabled and needs to be authorized if you want to
use it.

One important thing to remember is that disabling an add-on in the
Add-on Manager applies only to the IE browser. Other applications may still
activate and use the add-on because it is still on the system, just disabled
for IE at the moment. You need to delete it completely if you don’t trust it
and don’t want any other applications to use it.

One exception to note is that any ActiveX control that is
already “blocked by its compatibility flag” will be disabled in every case,
without regard to any changes in the Add-on Manager settings.

ActiveX controls in IE 6

Battling with ActiveX controls is obviously not new to the XP
SP2 upgrade of IE 6, but a lot of people who complain about the dangers of
ActiveX code don’t seem to realize that there are options for securing ActiveX.

In addition to the changes you can make in the Add-on
Manager in XP SP2, you can fine-tune how Internet Explorer treats any ActiveX
controls. One of the main security concerns with ActiveX is that a vulnerable
ActiveX control will be compromised by an attacker, who then gains elevated
privileges to do damage on the local machine. An administrator can
fight against this by locking down the “Local intranet” privileges in
IE. Go to Tools | Internet Options | Security, which takes you to the Web
content zones (Internet, Local intranet, Trusted sites, and Restricted sites). Click
on Local intranet and then click the Sites button. Here, you can choose to
enable or disable:

  • all local (intranet) sites not listed in other zones
  • all sites that bypass the proxy server
  • all network paths (UNCs)

Click on the Advanced button and
you can add or remove specific sites in the Local intranet zone.
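The same three check boxes and the Advanced site list can be audited and set from a script, which is useful when you need to apply the lockdown to many desktops. The following Windows PowerShell is an added example, not code from the article. It assumes Microsoft's documented registry layout for IE security zones (the ZoneMap key, the IntranetName, ProxyBypass and UNCAsIntranet values, and the Domains sub-keys); treat those names as an assumption to verify on the target build. The hostname is constructed for the example.

```powershell
# Added example, not from the article. Registry locations follow Microsoft's
# documented IE security-zone layout (ZoneMap); the value names are an
# assumption to verify on the target build.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

# The three check boxes on Local intranet | Sites and the values they toggle
# (1 = checked, that class of site is treated as Local intranet; 0 = unchecked).
$intranetRules = [ordered]@{
    IntranetName  = 'all local (intranet) sites not listed in other zones'
    ProxyBypass   = 'all sites that bypass the proxy server'
    UNCAsIntranet = 'all network paths (UNCs)'
}

function Get-IntranetZoneRules {
    $current = Get-ItemProperty -Path $zoneMap -ErrorAction SilentlyContinue
    foreach ($name in $intranetRules.Keys) {
        [pscustomobject]@{
            Rule        = $name
            Description = $intranetRules[$name]
            Enabled     = ($current.$name -eq 1)
        }
    }
}

function Set-IntranetZoneRules {
    param([hashtable]$Settings)   # e.g. @{ UNCAsIntranet = 0 }
    foreach ($name in $Settings.Keys) {
        if (-not $intranetRules.Contains($name)) { throw "Unknown rule: $name" }
        Set-ItemProperty -Path $zoneMap -Name $name -Value ([int]$Settings[$name]) -Type DWord
    }
}

# The Advanced button: an explicit site-to-zone assignment. IE keeps one key per
# registrable domain and a sub-key per host, with a value per scheme that holds
# the zone number (1 = Local intranet, 2 = Trusted sites, 3 = Internet,
# 4 = Restricted sites).
function Add-SiteToZone {
    param(
        [Parameter(Mandatory)][string]$Domain,                 # e.g. example.com
        [string]$HostName,                                     # e.g. intranet (optional)
        [Parameter(Mandatory)][ValidateRange(1,4)][int]$Zone,
        [string]$Scheme = 'https'
    )
    $key = Join-Path $zoneMap "Domains\$Domain"
    if ($HostName) { $key = Join-Path $key $HostName }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value $Zone -Type DWord
}

# Audit first, then narrow the zone so UNC paths and proxy-bypass hosts no longer
# inherit Local intranet ActiveX permissions, and pin one known server explicitly.
Get-IntranetZoneRules | Format-Table -AutoSize
Set-IntranetZoneRules @{ ProxyBypass = 0; UNCAsIntranet = 0 }
Add-SiteToZone -Domain 'example.com' -HostName 'intranet' -Zone 1   # constructed hostname
```

The script edits the current user's hive only; the equivalent HKLM keys, and any Group Policy that sets them, take precedence over what a user changes here, so check the audit output again after policy refresh to confirm the effective setting.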


Author’s note

Under XP SP2 the Local intranet zone receives additional protection
intended to keep attackers from using the Local settings to elevate
privileges and attack the system. On earlier systems the local file system
was presumed to be secure but now the Local machine zone is further locked
down by default (all three of the above options are triggered by default). Also,
any apparent violation is now supposed to trigger the Browser Information Bar
(in XP SP2) to ask permission to continue.


You can also highlight Internet, Trusted sites, or Restricted sites and then click on the Sites button to
fine-tune which sites are affected in those zones.

For all four zones you can click on the Custom Level button
to bring up the Security Settings screen that offers the same ActiveX options
for all four zones:

ActiveX controls and plug-ins

  • Automatic prompting for ActiveX controls
  • Disable
  • Enable

Binary and script behaviors

  • Administrator approved
  • Disable
  • Enable

Download signed ActiveX controls

  • Disable
  • Enable
  • Prompt

Download unsigned ActiveX controls

  • Disable
  • Enable
  • Prompt

Initialize and script ActiveX controls not marked as safe

  • Disable
  • Enable
  • Prompt

Run ActiveX controls and plug-ins

  • Administrator approved
  • Disable
  • Enable
  • Prompt

Script ActiveX controls marked safe for scripting

  • Disable
  • Enable
  • Prompt

Each zone has its own default settings for these options but
you can also change any individual setting to customize how ActiveX code is
dealt with in each situation.
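Because each of these Custom Level options is stored per zone in the registry, you can audit all four zones at once instead of clicking through the dialog. The Windows PowerShell below is an added example, not code from the article. It assumes Microsoft's documented registry layout for the zones (the Zones\<n> keys and the numeric value names 1001, 1004, 1200, 1201, 1405, 2000 and 2201 for the seven ActiveX options, with 0 = Enable, 1 = Prompt, 3 = Disable and 65536 = Administrator approved); verify those names on the target build before relying on the report.

```powershell
# Added example, not from the article. Value names and encodings follow
# Microsoft's documented zone registry layout; verify on the target build.
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

$zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet'; 4 = 'Restricted sites' }

# Custom Level option -> REG_DWORD value name under Zones\<n>
$activeXSettings = [ordered]@{
    '2201' = 'Automatic prompting for ActiveX controls'
    '2000' = 'Binary and script behaviors'
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}

# Stored value -> what the Security Settings dialog shows
$states = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable'; 65536 = 'Administrator approved' }

# The two options that give a compromised control the most room: unsigned
# downloads and scripting of controls not marked safe. Flag them when set to
# Enable in any zone other than Trusted sites you fully control.
$mustNotEnable = '1004', '1201'

function Get-ZoneActiveXSettings {
    param([int[]]$Zones = (1, 2, 3, 4))
    foreach ($z in $Zones) {
        $props = Get-ItemProperty -Path (Join-Path $zonesKey $z) -ErrorAction SilentlyContinue
        foreach ($valueName in $activeXSettings.Keys) {
            $raw = $props.$valueName
            $state = if ($null -eq $raw) { '(not set)' }
                     elseif ($states.ContainsKey([int]$raw)) { $states[[int]$raw] }
                     else { "unknown ($raw)" }
            [pscustomobject]@{
                Zone    = $zoneNames[$z]
                Setting = $activeXSettings[$valueName]
                Value   = $raw
                State   = $state
                Weak    = ($mustNotEnable -contains $valueName) -and ($raw -eq 0)
            }
        }
    }
}

function Set-ZoneActiveXSetting {
    param(
        [Parameter(Mandatory)][ValidateRange(1,4)][int]$Zone,
        [Parameter(Mandatory)][string]$ValueName,
        [Parameter(Mandatory)]
        [ValidateSet('Enable','Prompt','Disable','Administrator approved')][string]$State
    )
    if (-not $activeXSettings.Contains($ValueName)) { throw "Not an ActiveX setting: $ValueName" }
    $value = ($states.GetEnumerator() | Where-Object { $_.Value -eq $State }).Key
    Set-ItemProperty -Path (Join-Path $zonesKey $Zone) -Name $ValueName -Value ([int]$value) -Type DWord
}

# Full report, then only the entries that deserve attention
$report = Get-ZoneActiveXSettings
$report | Format-Table -AutoSize
$report | Where-Object Weak | Format-Table Zone, Setting, State -AutoSize

# Example remediation: refuse unsigned ActiveX downloads in the Internet zone
Set-ZoneActiveXSetting -Zone 3 -ValueName '1004' -State 'Disable'
```

Run the report before and after a change; a zone whose values are reported as "(not set)" is inheriting the zone's built-in default rather than a stored value, so the dialog may still show a setting the registry does not.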

Crash detection

There is also a new browser crash detection feature in XP
SP2 that attempts to show which add-on is causing problems. This feature can greatly
improve troubleshooting. The crash detection tool is enabled by default in XP
SP2 and you probably want to leave it enabled since it shouldn’t even be
noticed unless the browser crashes. If you do set NoCrashDetection,
the operating system will treat browser crashes in the pre-SP2 manner (i.e.,
invoke the standard Windows Error Reporting tool).

If you experience problems with this new tool and need to
disable or re-enable crash detection, it is done by setting the NoCrashDetection
value in either of the following Registry keys:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions
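To check which of the two keys is carrying the setting and to toggle it, the Windows PowerShell below is an added example, not code from the article. It assumes, as the text describes, that NoCrashDetection is a REG_DWORD under the Restrictions key where 1 reverts to the pre-SP2 behaviour and 0 (or an absent value) leaves the XP SP2 crash detection on.

```powershell
# Added example, not from the article. Assumes NoCrashDetection is a REG_DWORD
# under the Restrictions policy key: 1 = disable crash detection, 0/absent = on.
$restrictionKeys = @(
    'HKLM:\Software\Policies\Microsoft\Internet Explorer\Restrictions',
    'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'
)

function Get-CrashDetectionPolicy {
    foreach ($key in $restrictionKeys) {
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name NoCrashDetection `
                        -ErrorAction SilentlyContinue).NoCrashDetection
        }
        [pscustomobject]@{
            Key              = $key
            NoCrashDetection = $value
            CrashDetection   = if ($value -eq 1) { 'disabled (pre-SP2 Windows Error Reporting)' }
                               else { 'enabled (default)' }
        }
    }
}

function Set-CrashDetectionPolicy {
    param(
        [ValidateSet('Machine','User')][string]$Scope = 'User',
        [switch]$Disable    # omit the switch to re-enable crash detection
    )
    $key = if ($Scope -eq 'Machine') { $restrictionKeys[0] } else { $restrictionKeys[1] }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # 1 = pre-SP2 behaviour (standard Windows Error Reporting), 0 = add-on crash detection
    Set-ItemProperty -Path $key -Name NoCrashDetection -Value ([int]$Disable.IsPresent) -Type DWord
}

# Show the current state of both keys, change the per-user policy, then re-check
Get-CrashDetectionPolicy | Format-Table -AutoSize
Set-CrashDetectionPolicy -Scope User -Disable
Get-CrashDetectionPolicy | Format-Table -AutoSize
```

Writing the HKLM key requires an administrative session, and a machine-wide value overrides the per-user one, so when troubleshooting check both entries in the report rather than only the one you set.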

For details on how to enable or disable the entire Add-on
Manager and/or the new crash detection features, see this Microsoft TechNet article.

End sum

With the options that we’ve listed, you can fine-tune a
variety of settings in order to get granular control over ActiveX and browser
add-ons. This will allow you to get all your essential sites working while
blocking any dangerous ActiveX controls.