5.1.20 Set 'Restrict ActiveX Install: outlook.exe' to 'Enabled:True'

Information

Allows applications to opt in to blocking new ActiveX controls and prevents installation of
updates for ActiveX controls that are not already installed. This Internet Explorer feature
control setting mitigates threats that can occur when an application programmatically uses
Internet Explorer functionality. The recommended state for this setting is: Enabled:True.


Rationale

Microsoft ActiveX controls allow unmanaged, unprotected code to run on users'
computers. ActiveX controls do not run within a protected container in the browser like
other types of HTML or Microsoft Silverlight-based controls.

Disabling or not configuring this setting does not block prompts for ActiveX control
installations, and these prompts display to users. This could allow malicious code to become
active on user computers or the network.

Solution

To implement the recommended configuration state, set the following Group Policy setting
to Enabled.

Computer Configuration\Administrative Templates\Microsoft Office 2010 (Machine)\Security Settings\IE Security\Restrict ActiveX Install\Restrict ActiveX Install

Then set the 'Restrict ActiveX Install: outlook.exe' option to True.

Impact: For organizations that rely on ActiveX controls, using this setting may block the installation
or update of ActiveX controls.

Note: This policy setting also blocks users from installing authorized, legitimate ActiveX
controls, which will interfere with important system components like Windows Update. If you
enable this policy setting, make sure to implement some alternate way to deploy security
updates, such as Windows Server Update Services (WSUS). For more information about
WSUS, see the Windows Server Update Services Product Overview page at
www.microsoft.com/windowsserversystem/updateservices/evaluation/overview.mspx.

See Also

https://workbench.cisecurity.org/files/530

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(3), CSCv6|3.1

Plugin: Windows

Control ID: f00aaa22aedc6028b67091c9007a42dd12018c4b72d1bdf2256c993ae591d07d