8.3.12 Set 'Download signed ActiveX controls' to 'Enabled:Disable'

Information

*Description*

This policy setting allows you to manage whether users may download signed ActiveX
controls from a page in the zone. The recommended state for this setting is-
Enabled-Disable.


*Rationale*

Signed code is better than unsigned code in that it may be easier to determine its author,
but it is still potentially harmful, especially when coming from an untrusted zone.

Solution

To implement the recommended configuration state, set the following Group Policy setting
to Enabled.

Computer Configuration\Administrative Templates\Windows Components\Internet
Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Download signed
ActiveX controls\Download signed ActiveX controls

Then set the Download signed ActiveX controls option to Disable.

Impact-If you enable this policy, users can download signed controls without user intervention. If
you select Prompt in the drop-down box, users are queried whether to download controls
signed by untrusted publishers. Code signed by trusted publishers is silently downloaded.
If you Disable the policy setting, signed controls cannot be downloaded.

See Also

https://workbench.cisecurity.org/files/1516

Item Details

Audit Name: CIS IE 9 v1.0.0

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(3)

Plugin: Windows

Control ID: 42351160a69ad88aca7c116e2368ce382591eee32f6fa6831e4eac7aeb6c7534