Disabling ActiveX

Table I shows some settings that involve ActiveX in the Internet security zone for IE 7. Changing this small group of settings will still protect against many common security problems but is less of an obstacle for the average home PC user. Some ActiveX settings are already disabled by default in the Internet zone and those listed are additional settings that should also be disabled. The settings can be changed manually by going to the Internet Explorer menu Tools-Internet Options-Security-Internet-Custom level (Figure 1). Note that some Web sites use ActiveX and there may be loss of functionality. In particular Microsoft sites such as Windows Update will no longer work. To retain ActiveX capability, commonly visited sites that are secure can be placed in the Trusted Zone. Or, if desired, settings can be returned to their default values by clicking the Reset button shown in Figure 1 or by using the Default Level button.

Table I. Settings for Disabling ActiveX in IE 7
Category Setting Default Recommended
ActiveX controls and plug-ins Binary and script behaviors Enable Disable
Download signed ActiveX controls Prompt Disable
Run ActiveX controls and plug-ins Enable Disable
Script ActiveX controls marked safe for scripting Enable Disable
Figure 1. Dialog box for settings in Internet Security Zone
secsettingsint

Quick way to change IE security zone settings.

Rather than changing the settings manually, an INF file that makes the changes in the Registry can be used. (Using INF files to make Registry changes is discussed on this page.) This has the advantage of providing a simpler method that is not subject to possible errors in entering setting changes by hand. The INF file that carries out the changes shown in Table I can be seen here. The text file shown can be copied and changed to an INF file by editing the extension. To make things even easier, I have also wrapped the INF file in an EXE package that can be downloaded here. To use it, simply left-click in the usual manner. If you do not like the results, the changes can be undone with another executable file that can be downloaded here. Note that any additional setting changes that you might have made will not restored by this file. As is true for any executable file, your security settings may give the standard warning.

Because of our litigious society, I must make the disclaimer that all files are provided as is, without guarantees, and that the user assumes all responsibility.

Responding to zero-day exploits

Many so-called zero-day exploits have been making use of ActiveX. In these cases,Microsoft often advises the work-around of disabling Activex until it issues a patch. The downloads provided above provide an easy way for PC users to apply the temporary defense.