Starting September 9, 2014, Internet Explorer will block out-of-date ActiveX controls. But what do you do if you have applications that depend on older versions of plug-ins like Oracle Java or Adobe Flash? In this guide, I’ll show you how you can control, or even disable, ActiveX blocking in IE.

Starting September 9, 2014, Microsoft will block out-of-date ActiveX controls in Internet Explorer. This includes IE 8 through 11 in Windows 7 SP1/Server 2008+ and all versions of IE in Windows 8.x/Server 2012. Microsoft currently has old versions of Java slated as the first ActiveX controls to be blocked, but it stands to reason that old versions of other plug-ins, such as Flash, will show up in the near future.

This is great news on the security front, but it’s really bad news if you have to deal with older versions of ActiveX controls because of older applications, vendor support, or a change control process. Now, the good news: Microsoft has released updated Group Policy ADMX files for Internet Explorer 11 that include settings for ActiveX blocking.

If you’ve never had to update your ADMX files, go to the download and save the file to your local computer. Extract the contents of the .zip file and you should see inetres.adm (for Server 2003), inetres.admx (for Vista/Server 2008 and up), and the folders for each supported language.

Updated Internet Explorer ADMX files for controlling ActiveX blocking

Once you’ve extracted the files, copy the inetres.admx file and your language folder (en-us, in my case) to C:\Windows\PolicyDefinitions\ on your Group Policy Management station. (If you still need support for Server 2003, you’ll also need to copy the inetres.adm file.)

Next, we can start the Group Policy Management Console and access the updated policies. They are located in Computer or User Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management.

Updated Internet Explorer ActiveX blocking policies in the Group Policy Management Console

Disable ActiveX blocking for all sites

If you opt to completely disable ActiveX blocking, you can set the “Turn off blocking of outdated ActiveX controls for Internet Explorer” option to Enabled.

Policy setting: Turn off blocking of outdated ActiveX controls for Internet Explorer

Help description: This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls.

If you disable or don’t configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls.

For more information, see “Outdated ActiveX Controls” in the Internet Explorer TechNet library.

This is probably not the route you want to take, since it opens you up to attacks from Internet-based sites. If you can identify the sites your end users will need to access with older ActiveX controls, there’s a better option.

Disable ActiveX blocking for specific sites

If you can identify the URLs of specific sites that need older ActiveX controls, you can enable the “Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains” option and then list the URLs. The list supports fully-qualified domains (including wildcards), such as 4sysops.com or *.4sysops.com, intranet domains such as 4sysops, and file system paths such as file:///C:/apps/4sysops/index.htm.

Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains

Policy setting: Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains

Help description: This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won’t be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:

1. “domain.name.TLD”. For example, if you want to include *.contoso.com/*, use “contoso.com”.
2. “hostname”. For example, if you want to include http://example, use “example”.
3. “file:///path/filename.htm”. For example, use file:///C:/Users/contoso/Desktop/index.htm.

If you disable or don’t configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.

For more information, see “Outdated ActiveX Controls” in the Internet Explorer TechNet library.

Personally, I like this option a lot better since I can whitelist domains owned by my organization as well as third-party “cloud” applications that aren’t hosted in one of our data centers.

Completely block old ActiveX controls

By default, end users will still have the option of bypassing the warning by clicking the “Run this time” button. If you don’t want end users having the option of bypassing the warning, you can enable the “Remove ‘Run this time’ button for outdated ActiveX controls in Internet Explorer” policy to completely prevent the outdated ActiveX control from running.

Policy setting: Remove “Run this time” button for outdated ActiveX controls in Internet Explorer

Help description: This policy setting allows you to stop users from seeing the “Run this time” button and from running specific outdated ActiveX controls in Internet Explorer.

If you enable this policy setting, users won’t see the “Run this time” button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control.

If you disable or don’t configure this policy setting, users will see the “Run this time” button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once.

For more information, see “Outdated ActiveX Controls” in the Internet Explorer TechNet library.

Logging ActiveX controls

Microsoft has also included new functionality that logs information about ActiveX controls, such as the URL that ran the control and whether it was blocked or not. You can enable this feature in the “Turn on ActiveX control logging in Internet Explorer” policy setting. The log is written to %LOCALAPPDATA%\Microsoft\Internet Explorer\AuditMode\VersionAuditLog.csv and includes the Source URI, file path, version of the ActiveX control, file version, whether the ActiveX control was allowed or blocked, and the reason the file was allowed or blocked.

Policy setting: Turn on ActiveX control logging in Internet Explorer

Help description: This policy setting determines whether Internet Explorer saves log information for ActiveX controls.

If you enable this policy setting, Internet Explorer logs ActiveX control information (including the source URI that loaded the control and whether it was blocked) to a local file.

If you disable or don’t configure this policy setting, Internet Explorer won’t log ActiveX control information.

Note that you can turn this policy setting on or off regardless of the “Turn off blocking of outdated ActiveX controls for Internet Explorer” or “Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains” policy settings.

For more information, see “Outdated ActiveX Controls” in the Internet Explorer TechNet library.
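
To decide which sites actually belong on the specific-domains list, you can summarise the audit log per site and per control. The PowerShell below is an added example, not part of the original article; the column headers and the sample rows are constructed assumptions based on the fields listed above, so adjust them to the header row of your own log.

```powershell
# Added example. ASSUMPTION: these headers mirror the fields the article lists;
# change them to match the header row of your own VersionAuditLog.csv.
$SourceCol  = 'Source URI'
$PathCol    = 'File path'
$VersionCol = 'Product version'
$ResultCol  = 'Allowed/Blocked'

function Get-ActiveXAuditSummary {
    param([Parameter(Mandatory = $true)][object[]]$Rows)

    $Rows | ForEach-Object {
        # Reduce each source URI to the value you would review for the
        # specific-domains list: a host name, or the full URI for file:/// sources.
        $uri  = $null
        $site = '(unparsed)'
        if ([Uri]::TryCreate([string]$_.$SourceCol, [UriKind]::Absolute, [ref]$uri)) {
            if ($uri.IsFile) { $site = $uri.AbsoluteUri }
            else             { $site = $uri.Host.ToLowerInvariant() }
        }
        [pscustomobject]@{
            Site    = $site
            Control = [System.IO.Path]::GetFileName([string]$_.$PathCol)
            Version = $_.$VersionCol
            Result  = $_.$ResultCol
        }
    } | Group-Object Site, Control, Version, Result | ForEach-Object {
        # One output row per site/control/version/result, with a hit count
        $first = $_.Group[0]
        [pscustomobject]@{
            Site    = $first.Site;    Control = $first.Control
            Version = $first.Version; Result  = $first.Result
            Hits    = $_.Count
        }
    } | Sort-Object Site, Control
}

# Constructed sample rows (not real log output).
$sample = @'
"Source URI","File path","Product version","File version","Allowed/Blocked","Reason"
"http://payroll.example.test/login","C:\Program Files\Java\jre7\bin\jp2iexp.dll","7.0.450","7.0.450.18","Blocked","constructed"
"http://payroll.example.test/report","C:\Program Files\Java\jre7\bin\jp2iexp.dll","7.0.450","7.0.450.18","Blocked","constructed"
"http://intranet/apps","C:\Program Files\Java\jre7\bin\jp2iexp.dll","7.0.450","7.0.450.18","Allowed","constructed"
"file:///C:/apps/4sysops/index.htm","C:\Program Files\Java\jre7\bin\jp2iexp.dll","7.0.450","7.0.450.18","Blocked","constructed"
'@ | ConvertFrom-Csv

Get-ActiveXAuditSummary -Rows $sample | Format-Table -AutoSize

# Against a real log (path from the article):
# Get-ActiveXAuditSummary -Rows (Import-Csv "$env:LOCALAPPDATA\Microsoft\Internet Explorer\AuditMode\VersionAuditLog.csv")
```

Blocked rows for sites you own or trust are the candidates to review for the specific-domains policy; leaving every other site off the list keeps the default blocking in place for it.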

1 Comment
  1. Abid 9 years ago

    I have imported the .adm file for AD2003/2008 but still couldn’t see “Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains”

    Any suggestions?
