8.1.16 Set 'Only allow approved domains to use ActiveX controls without prompt' to 'Enabled:Enable'

Information

*Description*

This policy setting controls whether or not the user is prompted to allow ActiveX controls
to run on Web sites other than the Web site that installed the ActiveX control. If you enable
this policy setting, the user will be prompted before ActiveX controls are permitted to run
from Web sites in this zone. Users may choose to allow the control to run from the current
site, or from all sites. If you disable this policy setting, the user will not see the per-site
ActiveX prompt and ActiveX controls will be allowed to run from all sites in this zone. The
recommended state for this setting is- Enabled-Enable.

*Rationale*

If the user were to disable the setting for the zone, malicious ActiveX controls could be
executed without the user's knowledge.

Solution

To implement the recommended configuration state, set the following Group Policy setting
to Enabled.

Computer Configuration\Administrative Templates\Windows Components\Internet
Explorer\Internet Control Panel\Security Page\Internet Zone\Only allow approved
domains to use ActiveX controls without prompt\Only allow approved domains to use
ActiveX controls without prompt

Then set the Only allow approved domains to use ActiveX controls without prompt
option to Enable.

Impact-Disabling this setting would allow the possibility for malicious ActiveX controls to be
executed from non-approved domains within this zone without the user's knowledge.

See Also

https://workbench.cisecurity.org/files/1516

Item Details

Audit Name: CIS IE 9 v1.0.0

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(3)

Plugin: Windows

Control ID: c8df671519eab61ff4ff591ee6615458bd5d007e0e1e1787ea52bb8025c55a24