Quick Method for Configuring IE 7 ActiveX Settings for Greater Security

Disabling ActiveX

Table I shows some settings that involve ActiveX in the Internet security zone for IE 7. Changing this small group of settings will still protect against many common security problems but is less of an obstacle for the average home PC user. Some ActiveX settings are already disabled by default in the Internet zone and those listed are additional settings that should also be disabled. The settings can be changed manually by going to the Internet Explorer menu Tools-Internet Options-Security-Internet-Custom level (Figure 1). Note that some Web sites use ActiveX and there may be loss of functionality. In particular Microsoft sites such as Windows Update will no longer work. To retain ActiveX capability, commonly visited sites that are secure can be placed in the Trusted Zone. Or, if desired, settings can be returned to their default values by clicking the Reset button shown in Figure 1 or by using the Default Level button.

Table I. Settings for Disabling ActiveX in IE 7
Category Setting Default Recommended
ActiveX controls and plug-ins Binary and script behaviors Enable Disable
Download signed ActiveX controls Prompt Disable
Run ActiveX controls and plug-ins Enable Disable
Script ActiveX controls marked safe for scripting Enable Disable
Figure 1. Dialog box for settings in Internet Security Zone
secsettingsint

Quick way to change IE security zone settings.

Rather than changing the settings manually, an INF file that makes the changes in the Registry can be used. (Using INF files to make Registry changes is discussed on this page.) This has the advantage of providing a simpler method that is not subject to possible errors in entering setting changes by hand. The INF file that carries out the changes shown in Table I can be seen here. The text file shown can be copied and changed to an INF file by editing the extension. To make things even easier, I have also wrapped the INF file in an EXE package that can be downloaded here. To use it, simply left-click in the usual manner. If you do not like the results, the changes can be undone with another executable file that can be downloaded here. Note that any additional setting changes that you might have made will not restored by this file. As is true for any executable file, your security settings may give the standard warning.

Because of our litigious society, I must make the disclaimer that all files are provided as is, without guarantees, and that the user assumes all responsibility.

Responding to zero-day exploits

Many so-called zero-day exploits have been making use of ActiveX. In these cases,Microsoft often advises the work-around of disabling Activex until it issues a patch. The downloads provided above provide an easy way for PC users to apply the temporary defense.

Internet Explorer 7

Although changes have been made to Internet Explorer 7 (IE 7) to make it safer than IE 6, security issues remain and many of the same considerations discussed for IE 6 are also pertinent to IE 7. In fact, possible exploits using active scripting surfaced immediately after the release of IE 7 to the general public. The general discussion of security zones in IE that was given previously applies here and should be read for background. The recommended settings for the Internet security zone given below should be used together with a system of adding frequently visited sites that are known to be safe to the Trusted Zone.

There are quite a few settings and the particular recommendations given in the table below are but one of many possible combinations. The recommended settings can be modified to suit a PC user’s particular pattern of surfing. Thus, you may wish to experiment to find a combination best for your own purposes. For example, many pages use scripts and you may wish to allow certain aspects. Also, it is a common practice for pages to use META REFRESH for redirection. It is also used by bad sites to trap your browser or to fool you. I have left it enabled but you may wish to disable it. Another setting that some may wish to disable is “File download” although I have left it enabled.

The recommended settings below may not suit everybody and may even be irritating to some. Therefore, do not undertake to change anything on your computer unless you know how to get back to where you started.

Recommended settings for Internet security zone in Internet Explorer 7
Category Setting Default Recommended
.NET Framework Loose XAML Enable Disable
XAML browser applications Enable Disable
XPS documents Enable Disable
.NET Framework-reliant components Run components not signed with Authenticode Enable Disable
Run components signed with Authenticode Enable Enable
ActiveX Controls and Plug-ins Allow previously unused ActiveX controls to run without prompt Disable Disable
Allow Scriptlets Disable Disable
Automatic prompting for ActiveX controls Disable Disable
Binary and script behaviors Enable Disable
Display video and animation on a webpage that does not use external media player Disable Disable
Download signed ActiveX controls Prompt Disable
Download unsigned ActiveX controls Disable Disable
Initialize and script ActiveX controls not marked as safe for scripting Disable Disable
Run ActiveX controls and plug-ins Enable Disable
Script ActiveX controls marked safe for scripting Enable Disable
Downloads Automatic prompting for file downloads Disable Disable
File download Enable Enable
Font download Enable Disable
Enable .NET Framework setup Enable .NET Framework setup Enable Disable
Miscellaneous Access data sources across domains Disable Disable
Allow META REFRESH Enable Enable
Allow scripting of Internet Explorer web browser control Disable Disable
Allow script-initiated windows without size or position constraints Disable Disable
Allow webpages to use restricted protocols for active content Prompt Disable
Allow websites to open windows without address or status bars Disable Disable
Display mixed content Prompt Disable
Don’t prompt for client certificate selection when no certificates or only one certificate exists Disable Disable
Drag and drop or copy and paste files Enable Disable
Include local directory path when uploading files to a server Enable Disable
Installation of desktop items Prompt Disable
Launching applications and unsafe files Prompt Disable
Launching programs and files in an IFRAME Prompt Disable
Navigate sub-frames across different domains Disable Disable
Open files based on content, not file extension Enable Enable
Software channel permissions Medium safety High safety
Submit non-encrypted form data Enable Disable
Use Phishing Filter Enable Enable
Use Pop-up Blocker Enable Enable
Userdata persistence Enable Disable
Websites in less privileged web content zone can navigate into this zone Enable Disable
Scripting Active scripting Enable Disable
Allow Programmatic clipboard access Prompt Disable
Allow status bar updates via script Disable Disable
Allow websites to prompt for information using scripted windows Disable Disable
Scripting of Java applets Enable Prompt
User Authentication Logon Automatic logon only in Intranet zone Automatic logon only in Intranet zone

ActiveX Errors

Background of ActiveX Controls

Before tackling ActiveX, I need to say just a little about the general way programs are designed these days. A lot of use is made of what the programmers call objects. These are individual modules designed to carry out specific tasks or functions. They can then be plugged into any program that has an interface set up to communicate with them. In this way, a set of objects can be used as building blocks to modify and augment a variety of programs. Thus, a single separate entity can provide functionality for many different programs. In this way, programs do not have to keep reinventing the wheel but can call on an object for implementing some particular procedures. Microsoft has been a leader in this way of doing things.

What ActiveX controls do

“ActiveX” is a name probably dreamed up by the marketing people at Microsoft. It has as much intrinsic meaning as “cougar” does for a make of automobile. It refers to a somewhat loosely defined group of methods developed by Microsoft for sharing information and functionality among programs. One of these technologies is called “ActiveX controls.” These are objects that are like small programs or “applets” and a number of Microsoft programs like Office and Internet Explorer (IE) are designed to be able to interact with them. An example is a spell checker. Since Word comes with a spell checker, other Microsoft programs such as Outlook Express can make use of it. In fact, any program with the appropriate interface can use this spell checker.

This built-in interactivity between various components and programs leads to greatly increased versatility and flexibility. Furthermore, programmers can easily create new ActiveX controls with Visual Basic , C++, and other programming languages. One place where ActiveX controls are very common is in Internet Explorer. An ActiveX control can be automatically downloaded and executed by Internet Explorer. Once downloaded, an ActiveX control in effect becomes part of the operating system. For example, IE cannot read PDF files by itself but can do so with an ActiveX control from Adobe. Similarly, IE needs a control to display Flash.

Security problems

The interactivity and ease of programming of ActiveX controls has a price and these controls are a major source of security problems. Sad to say, unscrupulous types have taken advantage of the ActiveX control technology to place malware on unwary computer users. A lot of spyware and adware is downloaded as ActiveX controls. Microsoft tightened up the security in Windows XP Service Pack 2 and then some more in Internet Explorer 7 but security issues remain. Careful attention to what you download and configuring the ActiveX settings in Internet Explore for greater safety will go a long way towards obviating problems. Support for ActiveX by Internet Explorer can be completely disabled but that breaks useful functions as well as blocking malware. For more details on the security settings for ActiveX in Internet Explorer see this table listing the different zone settings as well as a tutorial on configuring IE. ActiveX is a useful technology and the trick is to find the right balance between convenience and security that is appropriate to your usage patterns and technical skills.

Because of ActiveX problems, many security-conscious computer users are switching from Internet Explorer to browsers that do not support ActiveX such as Firefox, Opera, and Netscape. Go here for a discussion of what is involved in switching to the Firefox browser.

For a more benign view of ActiveX, see this article by Larry Seltzer.

Trusted Sites

How To Add Trusted Sites for Internet Explorer 7

If you are using the most recent version of Internet Explorer 10 or 11 please click here

For other internet browsers please click on the appropriate link bellow.

FireFox Browser User Guide 

Chrome Browser User Guide

As discussed on the previous page , increasing the security for the Internet security zone of Internet Explorer may break some reputable sites that you use regularly . The solution is to add these sites to the Trusted zone, which will restore their functionality. The procedures described here will work for either IE 6 oe IE 7. Open Internet Explorer and go to Tools-Internet Options-Security.

ieconfigure1r

Click the “Security” tab and choose the “Trusted Sites” icon.

ietrustedzone5

Then click on the button “Sites”. A window will open, where you can add any sites that you wish to be in the Trusted zone. Be sure to remove the check by the entry “Require server verification (https:)….”

ietrustedzone

Enter the site of interest in the line provided. Site URLs can be typed in directly or entered by copying and pasting. A shortcut method of copying and pasting an URL from the IE address bar is to use the keyboardcommand ALT+D to select the Web address and then use CTRL+C to copy it to the Windows Clipboard. Then right-click in the space under “Add this Web site to the zone” and choose “Paste” from the context menu. The example below shows the NY Times site being added. Note that it is not an https site and that the appropriate box is unchecked. After entering a site click the “Add” button.

ietrustedzone2

The site is now added to the list of trusted sites.

ietrustedzone3

Enter the next site and repeat the procedure.

ietrustedzone4

There is a “Remove” button (grayed out in the figure above), should you wish to take a site off the list.

Using wild cards

One disadvantage of using a complete URL like http://www.nytimes.com is that it can be too specific. For example, there are related addresses such as http://topics.nytimes.com and these will be treated as a separate URL. To place anything contained within the entire domain “nytimes.com” into the trusted zone, the asterisk wildcard can be used. An entry such as “*.nytimes.com” will put everything in the main domain into the trusted zone.

A shorter way

The above procedure can be tedious if you want to add a number of sites to the trusted zone. Fortunately, there is a quicker way. There is an old (unsupported) Internet 5 accessory from Microsoft called Power Tweaks that still works in both IE 6 and IE 7. It puts an entry into the Tools menu that allows any site that you are visiting to be added to the Trusted (or the Restricted) zone. It can be downloaded here.

Ransomware Guides

We are now dedicated in finding the latest ransomware threats. In 2016 alone worldwide they has been a growth of over 400% in ransomware infections. The latest threat that have encounter is Osiris file Ransomware.

Make Internet Explorer 6 Safer- Configure the Security Settings

Recommendations for Internet Zone

The Internet zone is where sites not specifically placed elsewhere are placed. Thus, the settings for this zone control most of the sites that you will go to on the Internet. Please be aware that increased security has a cost and that the settings given here will cause some sites to stop working properly. In particular, ActiveX and scripting have been disabled. Sites using these technologies will be crippled. This keeps the bad guys out but may interfere with one of your favorite sites. If a site is safe and is one that you use frequently , place it in the Trusted site zone, where ActiveX and scripting are enabled. Instructions on how to do that are on this page.

There are quite a few settings and the particular recommendations given in the table below are but one of many possible combinations. The recommended settings can be modified to suit a PC user’s particular pattern of surfing. Thus, you may wish to experiment to find a combination best for your own purposes. For example, many pages use scripts and you may wish to allow that. Also, it is a common practice for pages to use META REFRESH for redirection. It is also used by bad sites to trap your browser. I have left it enabled but you may wish to disable it.

The recommended settings below may not suit everybody and may even be irritating to some. Therefore, do not undertake to change anything on your computer unless you know how to get back to where you started.

Settings for Internet security zone in Internet Explorer 6
(Red background indicates settings found only in Windows XP SP2)
Category Setting Default Recommended
.NET Framework-reliant components (Not present in all systems) Run components not signed with Authenticode Enable Disable
Run components signed with Authenticode Enable Enable
ActiveX Controls and Plug-ins Download signed
ActiveX controls
Prompt Disable
Download unsigned
ActiveX controls
Disable Disable
Initialize and script
ActiveX controls not marked as safe
Disable Disable
Run ActiveX
controls and plug-ins
Enable Disable
Script ActiveX controls
marked safe for scripting
Enable Disable
Automatic prompting for ActiveX controls Disable Disable
Binary and script behaviors Enable Disable
Downloads File download Enable Enable
Font download Enable Disable
Automatic prompting for file downloads Disable Disable
Microsoft VM (only older systems) Java permissions High safety High safety
Miscellaneous Access data sources across domains Disable Disable
Allow META REFRESH Enable Enable
Display mixed content Enable Disable
Don’t prompt for client certificate selection when no certificates or only one certificate exists Disable Disable
Drag and drop or copy and paste files Enable Disable
Installation of desktop items Prompt Disable
Launching programs and files in an IFRAME Prompt Disable
Navigate sub-frames across different domains Disable Disable
Software channel permissions Medium safety Maximum safety
Submit nonencrypted form data Enable Enable
Userdata persistence Enable Disable
Allow scripting of Internet Explorer Webbrowser control Disable Disable
Allow script-initiated windows without size or position constraints Disable Disable
Allow Web pages to use restricted protocols for active content Prompt Disable
Open files based on content, not file extension Enable Enable
Use Pop-up Blocker Enable Enable
Web sites in less privileged web content zone can navigate into this zone Enable Disable
Scripting Active scripting Enable Disable
Allow paste operations via script Enable Disable
Scripting of Java applets Enable Prompt
User Authentication Logon Automatic logon only in Intranet zone Automatic logon only in Intranet zone

The settings can always be returned to the default values by using the “Default Level” button shown in the figure below

ieseczonedefaulta

Internet Explorer 6 Security- the Local or “My Computer” Zone

Description of the “My Computer” or local Internet security zone

The “My Computer” zone is the local computer zone, which governs the security settings for opening HTML pages stored on your own system. These locally stored pages are deemed to be safe, which is normally a reasonable assumption. Also local pages may need access to the resources such as files that are located on your system and are therefore given a high degree of trust.

Unfortunately, there are a large number of cross-zone vulnerabilities, which writers of malware such as viruses, worms, etc. may use to their advantage. To help plug these security holes, one of the security changes made in the Windows XP Service Pack 2 update locks down the  “My Computer” zone to control the running of scripts and ActiveX components. This increased security comes at a cost, however, since certain applications are thereby broken.

Configuring the “My Computer” Internet security zone

Users of older Windows operating systems will not receive the security updates for Internet Explorer that the Windows XP SP2 contains. In these cases it may be desirable to be able to configure the settings for the “My Computer” zone. (The following procedures do not apply to IE 6 in Windows XP SP2 or to IE 7.)

Configuring Internet Explorer zones is done through the “Tools- Internet Options ” menu. (A tutorial is available on another page.) The zone for “My Computer” is normally hidden but it can be made visible by editing the Registry so that this zone appears on the Security tab in the Internet Options dialog box, as shown below.

zone5

The Registry settings that have to be changed to make this zone visible are given in an article in the Microsoft Knowledge Base . The key that has to be edited for a particular user account is

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0

The key to be edited if all user accounts are to have this zone visible is

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0

Within the key is a DWORD value “Flags”. Setting the data value of the Flags value to 47 (in hexadecimal) causes the “My Computer”security zone to be displayed. Setting the data value of the Flags value to 21 (in hexadecimal) causes the “My Computer” security zone to be hidden.

Editing the Registry can be a parlous project so be sure to back up the Registry first. For those who understand how to use REG files, copy the text below, paste into Notepad, and save as “showmycomputer.reg” or name of your choice. Only those who can return their computer to a previous state should try this.

Makes “My Computer” security zone visible
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

“Flags”=dword:00000047

To reverse the process and hide the zone “My Computer”, use the following script

Hides “My Computer” security zone
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

“Flags”=dword:00000021

For details about strengthening the security of the Local Machine or My Computer zone consult this Microsoft article.

Internet Spam

The origin of using the name of the Hormel Company canned meat product for junk email is attributed to various sources, including Monty Python. Whatever the origin of the name, spam is a truly major email nuisance. The ease with which large electronic mailing lists can be set up and the essentially cost-free (to the mailer) process of email means that almost anyone can send out huge quantities of advertising or other messages. Around half of all email is estimated to be spam.

How They Find Us

In theory the best defense against spam is stay off the mailing lists. So how do we get there in the first place? Unfortunately, it is almost impossible to keep your email address hidden from determined marketers. Once on a list for any reason, your address may be sold and resold many times until it is on dozens of lists. CDs with millions of email addresses are readily available for a few dollars. Any action that you take that might expose your email address on the Internet can end you up on spammer’s lists. Participation in chat rooms, newsgroup discussions, investment forums are all ways to get on lists. In a practice called “harvesting,” spammers use software called “spiders” to regularly comb the Internet for addresses. Also, many ISPs offer the option of being listed in a directory and these are fair game for advertisers.

Shopping on the Internet, signing up for newsletters, entering contests, registering to download software, or other activity requiring that you provide your email address can also get your name on lists. Although reputable merchants, newsletter writers, shareware sites, etc. will respect your privacy, some sites may feel free to sell your name to others. Always look for a statement of the policy on privacy before signing up for something.

Another method used by spammers is the “dictionary” attack. By combining all common words and names (with variations like joe1, joe2, joe3, etc.) with all the common providers such as AOL, Hotmail, MSN, Earthlink, computer programs can generate millions of possible email addresses. Many of these will be legitimate and the spammer doesn’t care about the ones that bounce. The cost of mailing to a lot of incorrect addresses is too small to be any deterrent. Thus some people advise using uncommon combinations of symbols for your email address.

Everyone should have several disposable junk email address that they use where public exposure is likely. One of the free services like Hotmail or My Yahoo serves admirably for this purpose. If an address starts to attract spam, it can just be discarded.

You can also “munge” your address in places like Newsgroups. To “Munge” is to add easily recognized extra characters to your address along with the accompanying phrase “remove xyz to obtain address”. Thus myname@myISP.com becomes myname@mynospamISP.com. The only trouble is that address harvesting software can be programmed to strip out obvious strings like nospam although many times they don’t bother.

Blocking Spam

One method of dealing with spam is to block or filter mail from known spammers or that contain particular subjects or key words. This can be done either on your email program or with special software. The common email programs like Outlook Express allow for setting up rules that apply to categories like senders, subjects, and textual content. Check your particular email client for the details. For example, in Outlook Express go to the menu under Tools-Message Rules. The problem is that spammers keep changing or faking their ostensible names and addresses as well as using phony subjects. Personally, I have found that rules and filtering within my email program may keep out some spam but that it is only a partial answer to the problem. You can also install some extra software. There are a slew of utilities devoted to stopping spam. The best types of programs use a statistical technique known as Bayesian filtering. These programs set up filtering rules based on actual experience and “learn” how to improve filters from the email that you receive. See the sidebar for references on this technique and on various software programs.

Businesses and those who are big users of email will need some heavy-duty methods of filtering spam but average PC users who receive only a few emails each day can use a program like MailWasher Pro. Also, ISPs are getting better at filtering and may also provide some way for individual users to create filtering rules.

There are also services that will filter your mail. By collecting large databases of known spammers and using their client’s emails to keep up with the latest tricks and twists of the spammers, these services can be better at stopping spam than software located on your own computer. These services naturally slow down the processing of your mail since it has to go through their server. Several are listed in the sidebar.

Note that no matter whether you filter mail with software on your own computer or use an external service, some spam will get through and some legitimate mail will get blocked.

Although there are many ways to try to block spam from arriving in your mailbox by using software or filtering services, my experience is that spam has reached the point where one of the best defenses is to have more than one email address. You can reserve one address for friends and relatives and have a second throwaway address that is changed fairly regularly. This second address would be the one that is used whenever it might be subject to public exposure. Many ISPs allow for an account to have multiple mailboxes and one can be set aside for junk. If the volume builds up, the box can be discarded and replaced by a new one. Another route is to use one of the free Internet email services like Yahoo or Hotmail. Yet another approach is to use one of the services that provide email addresses with a limited lifetime. For example, SpamGourmet will give you addresses good for a certain number of uses only.

The last and perhaps best defense is common sense and the “delete” key. Don’t open obvious spam messages and be very careful about responding to “Remove me from this list” type of addresses. That may very well just get you on more lists. Also note that formatted spam may contain Web Bugs that tell the spammer if you have opened that mail.