Comments on: Tip of the day: Protect yourself from unwanted ActiveX controls http://www.edbott.com/weblog/?p=623 Helping PC users make sense of Microsoft software since 1991 Fri, 20 Nov 2009 18:54:09 -0700 http://wordpress.org/?v=2.8.6 hourly 1 By: Bill http://www.edbott.com/weblog/?p=623&cpage=1#comment-1342 Bill Wed, 31 Dec 1969 17:00:00 +0000 http://www.edbott.com/wordpress/?p=623#comment-1342 what's the problem with setting "Download signed active-x controls" to prompt? Does that not always prompt? what’s the problem with setting “Download signed active-x controls” to prompt? Does that not always prompt?

]]> By: Ed Bott http://www.edbott.com/weblog/?p=623&cpage=1#comment-1343 Ed Bott Wed, 31 Dec 1969 17:00:00 +0000 http://www.edbott.com/wordpress/?p=623#comment-1343 The problem with setting "Download signed active-x controls" to prompt is that it creates the opportunity for someone who makes deceptive software to fool you into clicking Yes when you really, really don't want to. They might lie about what the program is really for, or they might catch you in a moment of weakness when you aren't paying attention and click the wrong button. It's an especially severe problem on computers that are used by multiple people. You might know how to avoid accidentally installing a piece of spyware, but your spouse or your kids might be more easily deceived. The most secure route, which this technique enables, is to make it difficult to install a new program. I would rather go through a few extra steps to install an ActiveX-based program I need than have to go through hours of cleanup to get rid of a spyware program that was installed through carelessness or deception. The problem with setting “Download signed active-x controls” to prompt is that it creates the opportunity for someone who makes deceptive software to fool you into clicking Yes when you really, really don’t want to. They might lie about what the program is really for, or they might catch you in a moment of weakness when you aren’t paying attention and click the wrong button. It’s an especially severe problem on computers that are used by multiple people. You might know how to avoid accidentally installing a piece of spyware, but your spouse or your kids might be more easily deceived.

The most secure route, which this technique enables, is to make it difficult to install a new program. I would rather go through a few extra steps to install an ActiveX-based program I need than have to go through hours of cleanup to get rid of a spyware program that was installed through carelessness or deception.

]]> By: Maven http://www.edbott.com/weblog/?p=623&cpage=1#comment-1344 Maven Wed, 31 Dec 1969 17:00:00 +0000 http://www.edbott.com/wordpress/?p=623#comment-1344 I don't have Internet Explorer on my XP_SP2 computer! I used nlite to remove both IE & Help files. I use the Corp version of XP, so no need for activation & i can always use 'xchm' to view CHM files. I don’t have Internet Explorer on my XP_SP2 computer! I used nlite to remove both IE & Help files. I use the Corp version of XP, so no need for activation & i can always use ‘xchm’ to view CHM files.

]]> By: Carl Siechert http://www.edbott.com/weblog/?p=623&cpage=1#comment-1345 Carl Siechert Wed, 31 Dec 1969 17:00:00 +0000 http://www.edbott.com/wordpress/?p=623#comment-1345 Ed's point about this setting being useful in a multiuser environment is a good one. But note that making the setting--whether you use the manual method or the script--affects only the user account that is currently logged on. Therefore, if you follow the sound practice of setting up different accounts for each member of your family, for example, you need to log on as each user whom you want to restrict and make the setting. Ed’s point about this setting being useful in a multiuser environment is a good one. But note that making the setting–whether you use the manual method or the script–affects only the user account that is currently logged on. Therefore, if you follow the sound practice of setting up different accounts for each member of your family, for example, you need to log on as each user whom you want to restrict and make the setting.

]]> By: Malcolm Miles http://www.edbott.com/weblog/?p=623&cpage=1#comment-1346 Malcolm Miles Wed, 31 Dec 1969 17:00:00 +0000 http://www.edbott.com/wordpress/?p=623#comment-1346 If you setup IE to read its security settings from HKEY_LOCAL_MACHINE, rather than HKEY_CURRENT_USER then you only need to make the change once for all users. Using the HKLM settings also prevent non-admins from changing the IE settings. To force IE to use the HKLM settings, add a DWORD value: Security_HKLM_only to HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings and set it to 1. Note that the IE interface will still display the non-active HKCU settings. <em>[Edited to eliminate awkward linebreaks - EB]</em> If you setup IE to read its security settings from HKEY_LOCAL_MACHINE, rather than HKEY_CURRENT_USER then you only need to make the change once for all users. Using the HKLM settings also prevent non-admins from changing the IE settings.

To force IE to use the HKLM settings, add a DWORD value:

Security_HKLM_only

to

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

and set it to 1.

Note that the IE interface will still display the non-active HKCU settings.

[Edited to eliminate awkward linebreaks - EB]

]]>