8.6.2 Set 'Only allow approved domains to use ActiveX controls without prompt' to 'Enabled:Enable'

Information



This policy setting controls whether or not the user is prompted to allow ActiveX controls
to run on websites other than the website that installed the ActiveX control. If you enable
this policy setting, the user is prompted before ActiveX controls can run from websites in
this zone. The user can choose to allow the control to run from the current site or from all
sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt,
and ActiveX controls can run from all sites in this zone. The recommended state for this
setting is: Enabled:Enable.

Rationale

If the user were to disable the setting for the zone, malicious ActiveX controls could be
executed without the user's knowledge.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to
Enabled.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone\Allow only approved domains to use ActiveX controls without prompt

Then set the Only allow approved domains to use ActiveX controls without prompt
option to Enable.

Impact: Disabling this setting would allow the possibility for malicious ActiveX controls to be
executed from non-approved domains within this zone without the user's knowledge.

See Also

https://workbench.cisecurity.org/files/1518

Item Details

Audit Name: CIS IE 11 v1.0.0

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(3)

Plugin: Windows

Control ID: fccd369a765c058dc273151e358014fd3b665da4f2a58ca42ea52a82caf19733