Quick Method for Configuring IE 7 ActiveX Settings for Greater Security

Disabling ActiveX

Table I shows some settings that involve ActiveX in the Internet security zone for IE 7. Changing this small group of settings will still protect against many common security problems but is less of an obstacle for the average home PC user. Some ActiveX settings are already disabled by default in the Internet zone and those listed are additional settings that should also be disabled. The settings can be changed manually by going to the Internet Explorer menu Tools-Internet Options-Security-Internet-Custom level (Figure 1). Note that some Web sites use ActiveX and there may be loss of functionality. In particular Microsoft sites such as Windows Update will no longer work. To retain ActiveX capability, commonly visited sites that are secure can be placed in the Trusted Zone. Or, if desired, settings can be returned to their default values by clicking the Reset button shown in Figure 1 or by using the Default Level button.

Table I. Settings for Disabling ActiveX in IE 7
Category Setting Default Recommended
ActiveX controls and plug-ins Binary and script behaviors Enable Disable
Download signed ActiveX controls Prompt Disable
Run ActiveX controls and plug-ins Enable Disable
Script ActiveX controls marked safe for scripting Enable Disable
Figure 1. Dialog box for settings in Internet Security Zone
secsettingsint

Quick way to change IE security zone settings.

Rather than changing the settings manually, an INF file that makes the changes in the Registry can be used. (Using INF files to make Registry changes is discussed on this page.) This has the advantage of providing a simpler method that is not subject to possible errors in entering setting changes by hand. The INF file that carries out the changes shown in Table I can be seen here. The text file shown can be copied and changed to an INF file by editing the extension. To make things even easier, I have also wrapped the INF file in an EXE package that can be downloaded here. To use it, simply left-click in the usual manner. If you do not like the results, the changes can be undone with another executable file that can be downloaded here. Note that any additional setting changes that you might have made will not restored by this file. As is true for any executable file, your security settings may give the standard warning.

Because of our litigious society, I must make the disclaimer that all files are provided as is, without guarantees, and that the user assumes all responsibility.

Responding to zero-day exploits

Many so-called zero-day exploits have been making use of ActiveX. In these cases,Microsoft often advises the work-around of disabling Activex until it issues a patch. The downloads provided above provide an easy way for PC users to apply the temporary defense.

Quick Method for Configuring IE 7 ActiveX Settings for Greater Security

Disabling ActiveX

Table I shows some settings that involve ActiveX in the Internet security zone for IE 7. Changing this small group of settings will still protect against many common security problems but is less of an obstacle for the average home PC user. Some ActiveX settings are already disabled by default in the Internet zone and those listed are additional settings that should also be disabled. The settings can be changed manually by going to the Internet Explorer menu Tools-Internet Options-Security-Internet-Custom level (Figure 1). Note that some Web sites use ActiveX and there may be loss of functionality. In particular Microsoft sites such as Windows Update will no longer work. To retain ActiveX capability, commonly visited sites that are secure can be placed in the Trusted Zone. Or, if desired, settings can be returned to their default values by clicking the Reset button shown in Figure 1 or by using the Default Level button.

Table I. Settings for Disabling ActiveX in IE 7
Category Setting Default Recommended
ActiveX controls and plug-ins Binary and script behaviors Enable Disable
Download signed ActiveX controls Prompt Disable
Run ActiveX controls and plug-ins Enable Disable
Script ActiveX controls marked safe for scripting Enable Disable
Figure 1. Dialog box for settings in Internet Security Zone
secsettingsint

Quick way to change IE security zone settings.

Rather than changing the settings manually, an INF file that makes the changes in the Registry can be used. (Using INF files to make Registry changes is discussed on this page.) This has the advantage of providing a simpler method that is not subject to possible errors in entering setting changes by hand. The INF file that carries out the changes shown in Table I can be seen here. The text file shown can be copied and changed to an INF file by editing the extension. To make things even easier, I have also wrapped the INF file in an EXE package that can be downloaded here. To use it, simply left-click in the usual manner. If you do not like the results, the changes can be undone with another executable file that can be downloaded here. Note that any additional setting changes that you might have made will not restored by this file. As is true for any executable file, your security settings may give the standard warning.

Because of our litigious society, I must make the disclaimer that all files are provided as is, without guarantees, and that the user assumes all responsibility.

Responding to zero-day exploits

Many so-called zero-day exploits have been making use of ActiveX. In these cases,Microsoft often advises the work-around of disabling Activex until it issues a patch. The downloads provided above provide an easy way for PC users to apply the temporary defense.

Internet Explorer 7

Although changes have been made to Internet Explorer 7 (IE 7) to make it safer than IE 6, security issues remain and many of the same considerations discussed for IE 6 are also pertinent to IE 7. In fact, possible exploits using active scripting surfaced immediately after the release of IE 7 to the general public. The general discussion of security zones in IE that was given previously applies here and should be read for background. The recommended settings for the Internet security zone given below should be used together with a system of adding frequently visited sites that are known to be safe to the Trusted Zone.

There are quite a few settings and the particular recommendations given in the table below are but one of many possible combinations. The recommended settings can be modified to suit a PC user’s particular pattern of surfing. Thus, you may wish to experiment to find a combination best for your own purposes. For example, many pages use scripts and you may wish to allow certain aspects. Also, it is a common practice for pages to use META REFRESH for redirection. It is also used by bad sites to trap your browser or to fool you. I have left it enabled but you may wish to disable it. Another setting that some may wish to disable is “File download” although I have left it enabled.

The recommended settings below may not suit everybody and may even be irritating to some. Therefore, do not undertake to change anything on your computer unless you know how to get back to where you started.

Recommended settings for Internet security zone in Internet Explorer 7
Category Setting Default Recommended
.NET Framework Loose XAML Enable Disable
XAML browser applications Enable Disable
XPS documents Enable Disable
.NET Framework-reliant components Run components not signed with Authenticode Enable Disable
Run components signed with Authenticode Enable Enable
ActiveX Controls and Plug-ins Allow previously unused ActiveX controls to run without prompt Disable Disable
Allow Scriptlets Disable Disable
Automatic prompting for ActiveX controls Disable Disable
Binary and script behaviors Enable Disable
Display video and animation on a webpage that does not use external media player Disable Disable
Download signed ActiveX controls Prompt Disable
Download unsigned ActiveX controls Disable Disable
Initialize and script ActiveX controls not marked as safe for scripting Disable Disable
Run ActiveX controls and plug-ins Enable Disable
Script ActiveX controls marked safe for scripting Enable Disable
Downloads Automatic prompting for file downloads Disable Disable
File download Enable Enable
Font download Enable Disable
Enable .NET Framework setup Enable .NET Framework setup Enable Disable
Miscellaneous Access data sources across domains Disable Disable
Allow META REFRESH Enable Enable
Allow scripting of Internet Explorer web browser control Disable Disable
Allow script-initiated windows without size or position constraints Disable Disable
Allow webpages to use restricted protocols for active content Prompt Disable
Allow websites to open windows without address or status bars Disable Disable
Display mixed content Prompt Disable
Don’t prompt for client certificate selection when no certificates or only one certificate exists Disable Disable
Drag and drop or copy and paste files Enable Disable
Include local directory path when uploading files to a server Enable Disable
Installation of desktop items Prompt Disable
Launching applications and unsafe files Prompt Disable
Launching programs and files in an IFRAME Prompt Disable
Navigate sub-frames across different domains Disable Disable
Open files based on content, not file extension Enable Enable
Software channel permissions Medium safety High safety
Submit non-encrypted form data Enable Disable
Use Phishing Filter Enable Enable
Use Pop-up Blocker Enable Enable
Userdata persistence Enable Disable
Websites in less privileged web content zone can navigate into this zone Enable Disable
Scripting Active scripting Enable Disable
Allow Programmatic clipboard access Prompt Disable
Allow status bar updates via script Disable Disable
Allow websites to prompt for information using scripted windows Disable Disable
Scripting of Java applets Enable Prompt
User Authentication Logon Automatic logon only in Intranet zone Automatic logon only in Intranet zone

Comparison of Security Zone Settings for Internet Explorer 7

The settings for security zones in Internet Explorer 7 are changed from those in IE6. Some new categories have been added and security tightened. Figures showing the settings are given.


Comparison of the settings for different Internet Explorer 7 security zones in Windows XP SP2
Settings for Internet Zone Settings for Trusted Zone Settings for Restricted Zone
ie7intzoner ie7trustzoner2 ie7restzoner3

ActiveX Errors

Background of ActiveX Controls

Before tackling ActiveX, I need to say just a little about the general way programs are designed these days. A lot of use is made of what the programmers call objects. These are individual modules designed to carry out specific tasks or functions. They can then be plugged into any program that has an interface set up to communicate with them. In this way, a set of objects can be used as building blocks to modify and augment a variety of programs. Thus, a single separate entity can provide functionality for many different programs. In this way, programs do not have to keep reinventing the wheel but can call on an object for implementing some particular procedures. Microsoft has been a leader in this way of doing things.

What ActiveX controls do

“ActiveX” is a name probably dreamed up by the marketing people at Microsoft. It has as much intrinsic meaning as “cougar” does for a make of automobile. It refers to a somewhat loosely defined group of methods developed by Microsoft for sharing information and functionality among programs. One of these technologies is called “ActiveX controls.” These are objects that are like small programs or “applets” and a number of Microsoft programs like Office and Internet Explorer (IE) are designed to be able to interact with them. An example is a spell checker. Since Word comes with a spell checker, other Microsoft programs such as Outlook Express can make use of it. In fact, any program with the appropriate interface can use this spell checker.

This built-in interactivity between various components and programs leads to greatly increased versatility and flexibility. Furthermore, programmers can easily create new ActiveX controls with Visual Basic , C++, and other programming languages. One place where ActiveX controls are very common is in Internet Explorer. An ActiveX control can be automatically downloaded and executed by Internet Explorer. Once downloaded, an ActiveX control in effect becomes part of the operating system. For example, IE cannot read PDF files by itself but can do so with an ActiveX control from Adobe. Similarly, IE needs a control to display Flash.

Security problems

The interactivity and ease of programming of ActiveX controls has a price and these controls are a major source of security problems. Sad to say, unscrupulous types have taken advantage of the ActiveX control technology to place malware on unwary computer users. A lot of spyware and adware is downloaded as ActiveX controls. Microsoft tightened up the security in Windows XP Service Pack 2 and then some more in Internet Explorer 7 but security issues remain. Careful attention to what you download and configuring the ActiveX settings in Internet Explore for greater safety will go a long way towards obviating problems. Support for ActiveX by Internet Explorer can be completely disabled but that breaks useful functions as well as blocking malware. For more details on the security settings for ActiveX in Internet Explorer see this table listing the different zone settings as well as a tutorial on configuring IE. ActiveX is a useful technology and the trick is to find the right balance between convenience and security that is appropriate to your usage patterns and technical skills.

Because of ActiveX problems, many security-conscious computer users are switching from Internet Explorer to browsers that do not support ActiveX such as Firefox, Opera, and Netscape. Go here for a discussion of what is involved in switching to the Firefox browser.

For a more benign view of ActiveX, see this article by Larry Seltzer.

ActiveX Errors

Background of ActiveX Controls

Before tackling ActiveX, I need to say just a little about the general way programs are designed these days. A lot of use is made of what the programmers call objects. These are individual modules designed to carry out specific tasks or functions. They can then be plugged into any program that has an interface set up to communicate with them. In this way, a set of objects can be used as building blocks to modify and augment a variety of programs. Thus, a single separate entity can provide functionality for many different programs. In this way, programs do not have to keep reinventing the wheel but can call on an object for implementing some particular procedures. Microsoft has been a leader in this way of doing things.

What ActiveX controls do

“ActiveX” is a name probably dreamed up by the marketing people at Microsoft. It has as much intrinsic meaning as “cougar” does for a make of automobile. It refers to a somewhat loosely defined group of methods developed by Microsoft for sharing information and functionality among programs. One of these technologies is called “ActiveX controls.” These are objects that are like small programs or “applets” and a number of Microsoft programs like Office and Internet Explorer (IE) are designed to be able to interact with them. An example is a spell checker. Since Word comes with a spell checker, other Microsoft programs such as Outlook Express can make use of it. In fact, any program with the appropriate interface can use this spell checker.

This built-in interactivity between various components and programs leads to greatly increased versatility and flexibility. Furthermore, programmers can easily create new ActiveX controls with Visual Basic , C++, and other programming languages. One place where ActiveX controls are very common is in Internet Explorer. An ActiveX control can be automatically downloaded and executed by Internet Explorer. Once downloaded, an ActiveX control in effect becomes part of the operating system. For example, IE cannot read PDF files by itself but can do so with an ActiveX control from Adobe. Similarly, IE needs a control to display Flash.

Security problems

The interactivity and ease of programming of ActiveX controls has a price and these controls are a major source of security problems. Sad to say, unscrupulous types have taken advantage of the ActiveX control technology to place malware on unwary computer users. A lot of spyware and adware is downloaded as ActiveX controls. Microsoft tightened up the security in Windows XP Service Pack 2 and then some more in Internet Explorer 7 but security issues remain. Careful attention to what you download and configuring the ActiveX settings in Internet Explore for greater safety will go a long way towards obviating problems. Support for ActiveX by Internet Explorer can be completely disabled but that breaks useful functions as well as blocking malware. For more details on the security settings for ActiveX in Internet Explorer see this table listing the different zone settings as well as a tutorial on configuring IE. ActiveX is a useful technology and the trick is to find the right balance between convenience and security that is appropriate to your usage patterns and technical skills.

Because of ActiveX problems, many security-conscious computer users are switching from Internet Explorer to browsers that do not support ActiveX such as Firefox, Opera, and Netscape. Go here for a discussion of what is involved in switching to the Firefox browser.

For a more benign view of ActiveX, see this article by Larry Seltzer.

Trusted Sites

How To Add Trusted Sites for Internet Explorer 7

If you are using the most recent version of Internet Explorer 10 or 11 please click here

For other internet browsers please click on the appropriate link bellow.

FireFox Browser User Guide 

Chrome Browser User Guide

As discussed on the previous page , increasing the security for the Internet security zone of Internet Explorer may break some reputable sites that you use regularly . The solution is to add these sites to the Trusted zone, which will restore their functionality. The procedures described here will work for either IE 6 oe IE 7. Open Internet Explorer and go to Tools-Internet Options-Security.

ieconfigure1r

Click the “Security” tab and choose the “Trusted Sites” icon.

ietrustedzone5

Then click on the button “Sites”. A window will open, where you can add any sites that you wish to be in the Trusted zone. Be sure to remove the check by the entry “Require server verification (https:)….”

ietrustedzone

Enter the site of interest in the line provided. Site URLs can be typed in directly or entered by copying and pasting. A shortcut method of copying and pasting an URL from the IE address bar is to use the keyboardcommand ALT+D to select the Web address and then use CTRL+C to copy it to the Windows Clipboard. Then right-click in the space under “Add this Web site to the zone” and choose “Paste” from the context menu. The example below shows the NY Times site being added. Note that it is not an https site and that the appropriate box is unchecked. After entering a site click the “Add” button.

ietrustedzone2

The site is now added to the list of trusted sites.

ietrustedzone3

Enter the next site and repeat the procedure.

ietrustedzone4

There is a “Remove” button (grayed out in the figure above), should you wish to take a site off the list.

Using wild cards

One disadvantage of using a complete URL like http://www.nytimes.com is that it can be too specific. For example, there are related addresses such as http://topics.nytimes.com and these will be treated as a separate URL. To place anything contained within the entire domain “nytimes.com” into the trusted zone, the asterisk wildcard can be used. An entry such as “*.nytimes.com” will put everything in the main domain into the trusted zone.

A shorter way

The above procedure can be tedious if you want to add a number of sites to the trusted zone. Fortunately, there is a quicker way. There is an old (unsupported) Internet 5 accessory from Microsoft called Power Tweaks that still works in both IE 6 and IE 7. It puts an entry into the Tools menu that allows any site that you are visiting to be added to the Trusted (or the Restricted) zone. It can be downloaded here.

Ransomware Guides

We are now dedicated in finding the latest ransomware threats. In 2016 alone worldwide they has been a growth of over 400% in ransomware infections. The latest threat that have encounter is Osiris file Ransomware.

Make Internet Explorer 6 Safer- Configure the Security Settings

Recommendations for Internet Zone

The Internet zone is where sites not specifically placed elsewhere are placed. Thus, the settings for this zone control most of the sites that you will go to on the Internet. Please be aware that increased security has a cost and that the settings given here will cause some sites to stop working properly. In particular, ActiveX and scripting have been disabled. Sites using these technologies will be crippled. This keeps the bad guys out but may interfere with one of your favorite sites. If a site is safe and is one that you use frequently , place it in the Trusted site zone, where ActiveX and scripting are enabled. Instructions on how to do that are on this page.

There are quite a few settings and the particular recommendations given in the table below are but one of many possible combinations. The recommended settings can be modified to suit a PC user’s particular pattern of surfing. Thus, you may wish to experiment to find a combination best for your own purposes. For example, many pages use scripts and you may wish to allow that. Also, it is a common practice for pages to use META REFRESH for redirection. It is also used by bad sites to trap your browser. I have left it enabled but you may wish to disable it.

The recommended settings below may not suit everybody and may even be irritating to some. Therefore, do not undertake to change anything on your computer unless you know how to get back to where you started.

Settings for Internet security zone in Internet Explorer 6
(Red background indicates settings found only in Windows XP SP2)
Category Setting Default Recommended
.NET Framework-reliant components (Not present in all systems) Run components not signed with Authenticode Enable Disable
Run components signed with Authenticode Enable Enable
ActiveX Controls and Plug-ins Download signed
ActiveX controls
Prompt Disable
Download unsigned
ActiveX controls
Disable Disable
Initialize and script
ActiveX controls not marked as safe
Disable Disable
Run ActiveX
controls and plug-ins
Enable Disable
Script ActiveX controls
marked safe for scripting
Enable Disable
Automatic prompting for ActiveX controls Disable Disable
Binary and script behaviors Enable Disable
Downloads File download Enable Enable
Font download Enable Disable
Automatic prompting for file downloads Disable Disable
Microsoft VM (only older systems) Java permissions High safety High safety
Miscellaneous Access data sources across domains Disable Disable
Allow META REFRESH Enable Enable
Display mixed content Enable Disable
Don’t prompt for client certificate selection when no certificates or only one certificate exists Disable Disable
Drag and drop or copy and paste files Enable Disable
Installation of desktop items Prompt Disable
Launching programs and files in an IFRAME Prompt Disable
Navigate sub-frames across different domains Disable Disable
Software channel permissions Medium safety Maximum safety
Submit nonencrypted form data Enable Enable
Userdata persistence Enable Disable
Allow scripting of Internet Explorer Webbrowser control Disable Disable
Allow script-initiated windows without size or position constraints Disable Disable
Allow Web pages to use restricted protocols for active content Prompt Disable
Open files based on content, not file extension Enable Enable
Use Pop-up Blocker Enable Enable
Web sites in less privileged web content zone can navigate into this zone Enable Disable
Scripting Active scripting Enable Disable
Allow paste operations via script Enable Disable
Scripting of Java applets Enable Prompt
User Authentication Logon Automatic logon only in Intranet zone Automatic logon only in Intranet zone

The settings can always be returned to the default values by using the “Default Level” button shown in the figure below

ieseczonedefaulta

Make Internet Explorer 6 Safer- Configure the Security Settings

Recommendations for Internet Zone

The Internet zone is where sites not specifically placed elsewhere are placed. Thus, the settings for this zone control most of the sites that you will go to on the Internet. Please be aware that increased security has a cost and that the settings given here will cause some sites to stop working properly. In particular, ActiveX and scripting have been disabled. Sites using these technologies will be crippled. This keeps the bad guys out but may interfere with one of your favorite sites. If a site is safe and is one that you use frequently , place it in the Trusted site zone, where ActiveX and scripting are enabled. Instructions on how to do that are on this page.

There are quite a few settings and the particular recommendations given in the table below are but one of many possible combinations. The recommended settings can be modified to suit a PC user’s particular pattern of surfing. Thus, you may wish to experiment to find a combination best for your own purposes. For example, many pages use scripts and you may wish to allow that. Also, it is a common practice for pages to use META REFRESH for redirection. It is also used by bad sites to trap your browser. I have left it enabled but you may wish to disable it.

The recommended settings below may not suit everybody and may even be irritating to some. Therefore, do not undertake to change anything on your computer unless you know how to get back to where you started.

Settings for Internet security zone in Internet Explorer 6
(Red background indicates settings found only in Windows XP SP2)
Category Setting Default Recommended
.NET Framework-reliant components (Not present in all systems) Run components not signed with Authenticode Enable Disable
Run components signed with Authenticode Enable Enable
ActiveX Controls and Plug-ins Download signed
ActiveX controls
Prompt Disable
Download unsigned
ActiveX controls
Disable Disable
Initialize and script
ActiveX controls not marked as safe
Disable Disable
Run ActiveX
controls and plug-ins
Enable Disable
Script ActiveX controls
marked safe for scripting
Enable Disable
Automatic prompting for ActiveX controls Disable Disable
Binary and script behaviors Enable Disable
Downloads File download Enable Enable
Font download Enable Disable
Automatic prompting for file downloads Disable Disable
Microsoft VM (only older systems) Java permissions High safety High safety
Miscellaneous Access data sources across domains Disable Disable
Allow META REFRESH Enable Enable
Display mixed content Enable Disable
Don’t prompt for client certificate selection when no certificates or only one certificate exists Disable Disable
Drag and drop or copy and paste files Enable Disable
Installation of desktop items Prompt Disable
Launching programs and files in an IFRAME Prompt Disable
Navigate sub-frames across different domains Disable Disable
Software channel permissions Medium safety Maximum safety
Submit nonencrypted form data Enable Enable
Userdata persistence Enable Disable
Allow scripting of Internet Explorer Webbrowser control Disable Disable
Allow script-initiated windows without size or position constraints Disable Disable
Allow Web pages to use restricted protocols for active content Prompt Disable
Open files based on content, not file extension Enable Enable
Use Pop-up Blocker Enable Enable
Web sites in less privileged web content zone can navigate into this zone Enable Disable
Scripting Active scripting Enable Disable
Allow paste operations via script Enable Disable
Scripting of Java applets Enable Prompt
User Authentication Logon Automatic logon only in Intranet zone Automatic logon only in Intranet zone

The settings can always be returned to the default values by using the “Default Level” button shown in the figure below

ieseczonedefaulta