IE 7 ActiveX Settings for Greater Security

A previous page provides a detailed prescription for making Internet Explorer 7 safer for browsing. However, the extensive changes in the settings for the Internet security zone discussed there may be more than many home PC users wish to deal with. Although they give a great deal of added security, the numerous changes also cause some loss of functionality. Consequently, many users may prefer a less comprehensive approach that leaves most default settings intact but still defends against some major threats while creating less disruption in browsing the Web.

One of the primary safety concerns is malicious use of the ActiveX technology to download and run harmful scripts or components. In this article, I will focus on this problem and give some simple procedures for both disabling and, if desired re- enabling certain ActiveX functions.

We Recommend: Fix Browser Errors and Speed up your PC (30 sec.)

Disabling ActiveX

Table I shows some settings that involve ActiveX in the Internet security zone for IE 7. Changing this small group of settings will still protect against many common security problems but is less of an obstacle for the average home PC user. Some ActiveX settings are already disabled by default in the Internet zone and those listed are additional settings that should also be disabled. The settings can be changed manually by going to the Internet Explorer menu Tools-Internet Options-Security-Internet-Custom level (Figure 1). Note that some Web sites use ActiveX and there may be loss of functionality. In particular Microsoft sites such as Windows Update will no longer work. To retain ActiveX capability, commonly visited sites that are secure can be placed in the Trusted Zone. Or, if desired, settings can be returned to their default values by clicking the Reset button shown in Figure 1 or by using the Default Level button.

Table I. Settings for Disabling ActiveX in IE 7
Category	Setting	Default	Recommended
ActiveX controls and plug-ins	Binary and script behaviors	Enable	Disable
	Download signed ActiveX controls	Prompt	Disable
	Run ActiveX controls and plug-ins	Enable	Disable
	Script ActiveX controls marked safe for scripting	Enable	Disable

Figure 1. Dialog box for settings in Internet Security Zone

Quick way to change IE security zone settings.

Rather than changing the settings manually, an INF file that makes the changes in the Registry can be used. (Using INF files to make Registry changes is discussed on this page.) This has the advantage of providing a simpler method that is not subject to possible errors in entering setting changes by hand. The INF file that carries out the changes shown in Table I can be seen here. The text file shown can be copied and changed to an INF file by editing the extension. To make things even easier, I have also wrapped the INF file in an EXE package that can be downloaded here. To use it, simply left-click in the usual manner. If you do not like the results, the changes can be undone with another executable file that can be downloaded here. Note that any additional setting changes that you might have made will not restored by this file. As is true for any executable file, your security settings may give the standard warning.

Because of our litigious society, I must make the disclaimer that all files are provided as is, without guarantees, and that the user assumes all responsibility.

Responding to zero-day exploits

Many so-called zero-day exploits have been making use of ActiveX. In these cases,Microsoft often advises the work-around of disabling Activex until it issues a patch. The downloads provided above provide an easy way for PC users to apply the temporary defense.

We Recommend: Scan, Clean & Optimize your PC (Download 30 sec)