Set ‘Only allow approved domains to use ActiveX controls without prompt’ to ‘Enabled:Enable’

Details

This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. The recommended state for this setting is: Enabled: Enable.

Rationale

If the user were to disable the setting for the zone, malicious ActiveX controls could be executed without the user’s knowledge.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to Enabled.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Allow only approved domains to use ActiveX controls without prompt

Then set the Only allow approved domains to use ActiveX controls without prompt option to Enable.
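To confirm on a host that the Group Policy setting has actually applied, the following PowerShell audit can be used. It is an added example, not part of the benchmark text on this page. It assumes the Internet Zone policy is stored as the DWORD value `120b` under the `Zones\3` policy key, with 3 meaning Enabled: Enable; the page itself does not give the registry location, and the function name is hypothetical.

```powershell
# Added audit example (not from the benchmark page).
# Assumption: the Internet Zone (zone 3) policy is stored as DWORD "120b",
# where 3 = Enabled: Enable and 0 = Enabled: Disable.
$SubKey    = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ValueName = '120b'
$Expected  = 3

function Get-ActiveXApprovedDomainsPolicy {
    # Hypothetical helper: reports the policy value in the machine and user hives.
    param([string[]]$Hives = @('HKLM:', 'HKCU:'))

    foreach ($hive in $Hives) {
        $path = Join-Path $hive $SubKey
        # A missing key or value means the policy is not configured in this hive.
        $item  = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
        $value = if ($item) { $item.$ValueName } else { $null }

        $state = if ($null -eq $value) { 'NotConfigured' } elseif ($value -eq $Expected) { 'Compliant' } else { 'NonCompliant' }

        [pscustomobject]@{
            Hive  = $hive
            Path  = $path
            Value = $value
            State = $state
        }
    }
}

$results = Get-ActiveXApprovedDomainsPolicy
$results | Format-Table -AutoSize

# The benchmark path sits under Computer Configuration, so the HKLM result
# decides pass/fail. HKCU is listed only to surface a per-user policy value.
$machine = $results | Where-Object { $_.Hive -eq 'HKLM:' }
if ($machine.State -ne 'Compliant') {
    Write-Warning "Internet Zone ActiveX approved-domains policy is $($machine.State) in HKLM."
    exit 1
}
```

A `NotConfigured` result in HKLM means the setting is left to the zone default rather than enforced by policy, so the script treats it as a failure.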

Impact

Disabling this setting would allow the possibility for malicious ActiveX controls to be executed from non-approved domains within this zone without the user’s knowledge.

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Windows.

Updated on July 16, 2022