WARNING: The following tip contains script code that makes changes to your Windows registry. Although I have tested this script and believe it performs as described, I am not responsible for any damage that may occur to your computer if you choose to download and run this script.
The single biggest security flaw in Internet Explorer is its capability to download and run ActiveX controls. This feature is a double-edged sword. When used properly, ActiveX controls greatly expand the power of Internet Explorer. Unfortunately, the developers of spyware, adware, and other forms of crapware figured out long ago that ActiveX is a great way to sneak unwanted programs onto an unsuspecting user’s computer.
So how do you protect yourself? You could disable ActiveX programs completely. But when you do so, you cut off access to the good along with the bad. A better approach is the one that Carl Siechert and I came up with in Microsoft Windows Security Inside Out: Configure Internet Explorer so that existing ActiveX programs run as expected, but disable the ability to download new controls from any site in the Internet zone (sites in the Restricted zone are always blocked, and sites that you specifically place in the Trusted Sites zone are unaffected by this change). This configuration change makes it impossible for a Web site to push spyware/adware/crapware onto your machine. The beauty of this technique is that it doesn’t allow you (or an unsophisticated user on your computer) to be fooled into clicking Yes when you should click No. It stops new ActiveX controls cold.
In the rest of this article, I explain two ways to make this change: one that requires a series of manual steps, and a second that runs automatically, using a simple script file. Note that I have only tested this script with Windows XP Service Pack 2. It will probably work with other versions of Windows, but I can’t guarantee it and don’t recommend using the script on any other Windows version. Oh, and this security tip is worth following even if you normally use Firefox as your default browser. Programs like Windows Media Player can call up Internet Explorer when you least expect it. If you’ve blocked unwanted ActiveX installations, they can’t do any damage.
The manual technique requires making a series of changes on the Security tab of the Internet Explorer Options dialog box. Here’s how:
- Close all copies of Internet Explorer and open Control Panel.
- Double-click Internet Options.
- In the Internet Properties dialog box, click the Security tab, select the Internet icon from the list of available zones, and click Custom Level.
- Scroll down the list to the ActiveX controls and plug-ins section. Change the Download signed ActiveX controls setting to Disable.
- Verify that all other settings in this section are as follows:
  - Automatic prompting for ActiveX controls – Disable
  - Binary and script behaviors – Enable
  - Download signed ActiveX controls – Disable
  - Download unsigned ActiveX controls – Disable
  - Initialize and script ActiveX controls not marked as safe – Disable
  - Run ActiveX controls and plug-ins – Enable
  - Script ActiveX controls marked safe for scripting – Enable
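As an added example (this is not the ActiveX_toggle.vbs script from the book, which is not reproduced on this page), the PowerShell script below audits the seven settings in the checklist above for the Internet zone and can apply them. It reads the per-user registry key that the Custom Level dialog writes to (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3). The numeric value names it uses are Internet Explorer's URL action codes, and the data values 0, 1 and 3 mean Enable, Prompt and Disable; neither the codes nor the key path appear on the page, so verify them against the dialog on your own system before relying on them. Because the key is under HKCU, the script only affects the account it runs under.

```powershell
# Added example, not the article's script. Audits and hardens the ActiveX
# settings of the Internet zone (zone 3) in the per-user registry hive.
# Value names are IE's URL action codes; data 0 = Enable, 1 = Prompt,
# 3 = Disable. These mappings are assumed from IE documentation, not the page.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Desired state, mirroring the article's checklist for the Internet zone.
$DesiredActiveXSettings = [ordered]@{
    '2201' = @{ Name = 'Automatic prompting for ActiveX controls';                   Value = 3 }
    '2000' = @{ Name = 'Binary and script behaviors';                               Value = 0 }
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 3 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
    '1200' = @{ Name = 'Run ActiveX controls and plug-ins';                         Value = 0 }
    '1405' = @{ Name = 'Script ActiveX controls marked safe for scripting';         Value = 0 }
}

$PolicyNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-PolicyName([object]$Value) {
    # Translate a raw DWORD into the label the Custom Level dialog shows.
    if ($null -eq $Value) { return '(not set)' }
    $label = $PolicyNames[[int]$Value]
    if ($null -eq $label) { return "(unknown: $Value)" }
    return $label
}

function Get-ActiveXZoneSettings {
    # One object per setting: code, friendly name, current state, desired state.
    $current = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    foreach ($code in $DesiredActiveXSettings.Keys) {
        $actual  = $current.$code
        $desired = $DesiredActiveXSettings[$code].Value
        [pscustomobject]@{
            Code      = $code
            Setting   = $DesiredActiveXSettings[$code].Name
            Current   = Get-PolicyName $actual
            Desired   = Get-PolicyName $desired
            Compliant = ($null -ne $actual -and [int]$actual -eq $desired)
        }
    }
}

function Set-ActiveXZoneSettings {
    # Writes every non-compliant value. -WhatIf previews the changes.
    # -AllowSignedDownloadsWithPrompt reproduces the "Yes" choice the article's
    # toggle script offers: signed downloads prompt instead of being blocked,
    # while unsigned downloads stay disabled.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$AllowSignedDownloadsWithPrompt)

    if ($AllowSignedDownloadsWithPrompt) { $DesiredActiveXSettings['1001'].Value = 1 }

    foreach ($s in Get-ActiveXZoneSettings | Where-Object { -not $_.Compliant }) {
        $newValue = $DesiredActiveXSettings[$s.Code].Value
        $target   = "$ZonePath\$($s.Code) ($($s.Setting))"
        if ($PSCmdlet.ShouldProcess($target, "set to $($PolicyNames[$newValue])")) {
            Set-ItemProperty -Path $ZonePath -Name $s.Code -Value $newValue -Type DWord
        }
    }
}

# Usage: audit first, then harden. Remove -WhatIf to actually write the values.
Get-ActiveXZoneSettings | Format-Table -AutoSize
Set-ActiveXZoneSettings -WhatIf
```

Run the audit before and after making changes through the dialog to confirm which value names your system actually uses. One caveat: if an administrator has enabled the Group Policy setting that makes Internet Explorer use only machine-wide security zone settings, the equivalent key under HKLM governs instead, and editing the HKCU key has no effect; the audit will then disagree with what the Custom Level dialog shows.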
The next time you visit a site that tries to install an ActiveX control on your computer, you’ll see the following message in the Information Bar just above the contents of the page itself:
If this is a control you want to install, you’ll have to reverse the steps above to enable downloading of ActiveX controls. After you’ve installed the control, you can disable ActiveX downloads again.
If you’d prefer a more automated approach, Carl and I have created a simple script file that will appear in our forthcoming update to Microsoft Windows Security Inside Out. You can download the script file, which is contained in a compressed Zip file, or copy and paste the text into your own script file. Download the compressed file from this link or view the script text from this link. Extract the ActiveX_toggle.vbs file to a convenient location, such as the desktop, and double-click the file icon to run the script. The script displays two dialog boxes. The first displays your current ActiveX security settings for the Internet zone:
After you click OK, the second dialog box allows you to change the current setting:
Click Yes to allow ActiveX controls to be downloaded (you will always be prompted for permission before a download takes place). Click No to disable downloads. Click Cancel to leave your current settings in place.
You can run this script any time. Note that you must be logged on as an Administrator to run the script; it will fail if you are logged on as a standard user. Also, some antivirus programs may display a warning (or just fail to run the script, without any notice) when you attempt to run any script written in JScript or VBScript. In its default settings, Microsoft AntiSpyware attempts to block most scripts as well. This is reasonable behavior, because bad guys have been known to use scripts to install unwanted software or tamper with your system settings. If this script won’t run on your computer, look at the settings for your antivirus or antispyware software to see what you need to do to make it work properly.
Update: I added some text to the introduction to make it clear that this change affects sites in the Internet zone, which by default includes all sites. It does not affect downloads from any site that you designate as being in the Trusted Sites zone or the Restricted Sites zone.
Update 2: As Carl points out in the comments, this script works on a per-user basis. For maximum security, you must log on and run the script for each account on your computer.