Information
*Description*
This policy setting controls whether or not the user is prompted to allow ActiveX controls
to run on Web sites other than the Web site that installed the ActiveX control. If you enable
this policy setting, the user will be prompted before ActiveX controls are permitted to run
from Web sites in this zone. Users may choose to allow the control to run from the current
site, or from all sites. If you disable this policy setting, the user will not see the per-site
ActiveX prompt and ActiveX controls will be allowed to run from all sites in this zone. The
recommended state for this setting is: Enabled: Enable.
*Rationale*
If the user were to disable the setting for the zone, malicious ActiveX controls could be
executed without the user's knowledge.
Solution
To implement the recommended configuration state, set the following Group Policy setting
to Enabled.
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone\Only allow approved domains to use ActiveX controls without prompt\Only allow approved domains to use ActiveX controls without prompt
Then set the Only allow approved domains to use ActiveX controls without prompt
option to Enable.
*Impact*
Disabling this setting would make it possible for malicious ActiveX controls to be
executed from non-approved domains within this zone without the user's knowledge.