Blocking outdated ActiveX Controls

We’re going to be blocking outdated ActiveX controls in IE later today. Currently, folks will get the following dialog when a page tries to trigger an outdated (known vulnerable) ActiveX control:


After the change, users will not be offered the ‘Run this time’ choice. Users who need to run an old ActiveX control for some reason (e.g. an FDA app that only works with Java 7) can work around the restriction by adding the page to the Trusted Sites zone, or the Local intranet zone (both zones bypass the block by design).

Adding a site to Trusted Sites or Local intranet can be done through the Internet Options control panel:


If you are unable to add sites to zones (all the controls are greyed out), it means that their site assignment is centrally managed – we’ll need to update the GPO to square those folks away.

As part of this change, we’re also making a couple minor adjustments:

  • The “Internet Explorer – Compatibility Mode Auto Off for Intranet” GPO is being renamed to “Internet Explorer – Managed Settings” to indicate that it impacts more than one setting
  • We’re enabling ActiveX Control logging (off by default) so that we’ve got something to work with for troubleshooting, or so that the security office has something to work with if they have to investigate a PII compromise. Logs are located at %LOCALAPPDATA%\Microsoft\Internet Explorer\AuditMode\VersionAuditLog.csv
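
An added example (not part of the original post) for working with the log named above: a PowerShell function that counts blocked control loads per site, which shows which sites would need a Trusted Sites or Local intranet assignment in the GPO. The column layout, the function name and the sample rows are assumptions constructed for illustration; check them against a real VersionAuditLog.csv.

```powershell
# ASSUMPTION: the log has seven columns in this order (the post does not list them).
$Columns = 'SourceUrl','FilePath','ProductVersion','FileVersion','Result','Reason','EpmCompatible'

# Constructed sample rows, not real log data; used when no -Path is given.
$Sample = @'
Source URL,File path,Product version,File version,Allowed/Blocked,Reason,EPM-compatible
http://app.example.test/launch,C:\Example\OldControl.dll,1.0.0.0,1.0.0.0,Blocked,1,No
http://app.example.test/report,C:\Example\OldControl.dll,1.0.0.0,1.0.0.0,Blocked,1,No
http://app.example.test/launch,C:\Example\OldControl.dll,1.0.0.0,1.0.0.0,Blocked,1,No
http://portal.example.test/,C:\Example\CurrentControl.dll,9.0.0.0,9.0.0.0,Allowed,0,Yes
'@

function Get-BlockedActiveXSummary {
    param([string]$Path)
    $lines = if ($Path) { Get-Content -LiteralPath $Path } else { $Sample -split "`r?`n" }
    $lines | ConvertFrom-Csv -Header $Columns |
        Where-Object { $_.Result -eq 'Blocked' } |   # also discards a header row if present
        ForEach-Object {
            # Reduce each source URL to its host, since zones are assigned per site.
            $uri = $null
            $site = if ([uri]::TryCreate($_.SourceUrl, [UriKind]::Absolute, [ref]$uri)) { $uri.Host } else { $_.SourceUrl }
            [pscustomobject]@{ Site = $site; Control = $_.FilePath; FileVersion = $_.FileVersion }
        } |
        Group-Object Site, Control, FileVersion |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Hits        = $_.Count
                Site        = $_.Group[0].Site
                Control     = $_.Group[0].Control
                FileVersion = $_.Group[0].FileVersion
            }
        }
}

# With no -Path the constructed sample above is summarised.
Get-BlockedActiveXSummary | Format-Table -AutoSize
# Real log: Get-BlockedActiveXSummary -Path "$env:LOCALAPPDATA\Microsoft\Internet Explorer\AuditMode\VersionAuditLog.csv"
```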