Slashdot Mirror


Disabling IE Scripting in a Useful Manner?

hwyguy2 asks: "Do any Slashdot readers have any insight or pointers on how companies deal with ActiveX in the IE browser? At the company I'm with, they have taken a conservative approach, and have the browser configured to only allow ActiveX to internal corporate servers and disallow it anywhere else. Of course, locking that down also locks things like javascript, which the company chooses to prompt. This creates many practical problems and user frustrations. It also makes it a pain for programs that use ActiveX innocuously (such as HoTMetal, which seems to like to use an Active X control to get an open file dialog box). Given the number of sites out there that now only work with IE (boo!), this tight configuration is getting harder and harder to support. Are there any good ways to address the ActiveX concerns (maybe filtering servers to block ActiveX or other mobile code concerns)?"

31 comments

  1. Need more info by Jerf · · Score: 3, Interesting

    We'd really need more info to answer this.

    Are there any ActiveX controls you actually need, or are you just covering your bases by allowing ActiveX inside the company?

    What do you need that Mozilla doesn't do?

    Why not use Netscape 7 for external access, possibly with the pop-up blocking enabled, and IE for internal use only? Given the continuous security problems found in IE anyhow, using IE on the external internet is a liability anyhow.

    1. Re:Need more info by Graelin · · Score: 0, Troll

      What do you need that Mozilla doesn't do?

      Render pages correctly?

      Fully support DOM?

      Load quickly?

      Support Active-X? :)

      Feel solid and dependable?

      Of course, I'm picky. ;)

    2. Re:Need more info by Jerf · · Score: 2

      Which Mozilla are you using? At this point, except for the obvious Active-X, it's advantage Moz for all of those.

      (Watch your definition of "correctly": Too many pages code IE-specific and often incorrect HTML. IE is forgiving, because it has to read the amazingly crappy HTML Office generated for a long time. (In later versions of Office, the HTML became cleaner, at the cost of becoming almost entirely illegible.) The correct thing to do on those pages is "something weird"... IE meets this spec by attempting to read the mind of the designer, especially one steeped in the Microsoft way. Moz doesn't try, it expects the designer to do things correctly. In the long run, the latter works much much better. IE hides bugs, and then pow, you're hit with some small change that suddenly it can't handle... been here, done this, too many times.)

    3. Re:Need more info by jon+doh! · · Score: 1

      Moz doesn't try, it expects the designer to do things correctly.

      i don't think that's completely true. i've found that netscape would always bomb out when i forgot a tag or something like that, but mozilla and IE both guessed what i should have put there, and did it for me. only reason i test my pages with netscape is cause i know for sure it'll catch most of the crap i usually forget anyway, even when it looks fine in IE/mozilla.

      i could be wrong though..

  2. That icon sucks by Anonymous Coward · · Score: 0

    You need to do a better job smoothing the edges. An IE 6 icon would probably look a bit sexier, too.

    1. Re:That icon sucks by Anonymous Coward · · Score: 0

      It's just because the image has the wrong size.

  3. Pick One by baldass_newbie · · Score: 4, Insightful

    Security
    Functionality

    Guess which side of the fence ActiveX is on.
    There isn't an easy answer that isn't going to be flippant.

    --
    The opposite of progress is congress

    1. Re:Pick One by Anonymous Coward · · Score: 0

      I've been saying for years... this is as designed. The monopolist wants you to get frustrated and throw your hands up in the air if you try and choose settings they don't want you to use. After all, why wouldn't you want to use ActiveX?

  4. Proxomitron by jafuser · · Score: 5, Informative

    If you have the ability to install software on your computer, install Proxomitron. It will let you filter out the activex stuff, so at least you won't get the annoying "This page may not be displayed correctly" prompt every time you get to an activex page that won't work due to your firewall.

    BTW, Proxomitron basically lets you apply regex-like filtering and search/replace to your incoming HTML, so it's useful for a *lot* of stuff.

    Google Search for Proxomitron

    --
    Please consider making an automatic monthly recurring donation to the EFF

    1. Re:Proxomitron by orthogonal · · Score: 2

      Yeah, what he said.

      Seriously, Proxomitron's the way to go. You could even filter on the name of activeX objects.

      Install Proxomitron on your company's servers, or on individual PCs.

    2. Re:Proxomitron by Black+Parrot · · Score: 0, Offtopic


      > BTW, Proxomitron basically lets you apply regex-like filtering and search/replace to your incoming HTML, so it's useful for a *lot* of stuff.

      Can you come up with a regex that will filter out the pix of porkers and jailbait, and let everything else through?

      Thanx

      --
      Sheesh, evil *and* a jerk. -- Jade

  5. In case you haven't tried it recently, ... by mellon · · Score: 3, Interesting

    Try Mozilla again. I've removed Internet Explorer from my system, and I have no regrets. I still run into the occasional incompatibility, but no showstoppers. The one inconvenience is that some advertising pops up in the wrong place. Personally, I'm willing to live with it, but of course your mileage may vary... :'}

  6. Disallow ALL activeX by haplo21112 · · Score: 2

    It's just easier and you can give your users a blanket "this is always true" policy. If you have internal web sites that use activeX controls, tell them to get off their ass and become real programmers and do everything server side, instead of client side!

    --
    Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.

    1. Re:Disallow ALL activeX by Graelin · · Score: 1

      Just so you know, some things should be done client side. Some things like OpenGL presentations, video conferencing apps, any kind of dynamically updated / interactive graphical interface. Even the sorting / limiting of a large dataset. These are all better to be done on the client. Why don't you become a real programmer and learn what the client / server architecture is all about?

    2. Re:Disallow ALL activeX by Istealmymusic · · Score: 2

      Why don't you become a real programmer and use OpenGL in JavaScript?

      --
      "The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare

    3. Re:Disallow ALL activeX by Gaijin42 · · Score: 2

      Limiting of a large data set most certainly should not be done client side, because you are sending down a ton of data that is by definition not wanted. Cull on the server side, or better yet, right inside the DB. That's what indexes are for!

  7. Do you really want to solve this problem? by dpilot · · Score: 2

    Isn't a more correct answer to keep the restrictions? Perhaps what you really need is an internal support site that outlines the causes of problems with web browsing. Mention that ActiveX is not really standard, and that it's filtered because it's a security exposure. Add the fact that they can usually give feedback to webmaster@wherever, especially for the needless and trivial uses of ActiveX and other non-portable features.

    Of course this depends on your feelings about the continuing degeneration of the Web into a captive Microsoft experience. Your question was about "safely" accommodating this trend inside your company.

    --
    The living have better things to do than to continue hating the dead.

    1. Re:Do you really want to solve this problem? by Anonymous Coward · · Score: 0

      No, ActiveX is a standard, it's just a proprietary one. Just because W3C, ANSI or IEEE doesn't bless something doesn't mean it isn't a standard. Given that there are more IE users than anything else, ActiveX support is one of the most widely available mechanisms out there.

      I'm not saying it's good or bad -- MS has definitely made some major mistakes relating to ActiveX in the browser -- but you can't brush it off as not being a standard.

      The sad part is, it wouldn't really be that hard for MS to give people the right options to make it securely usable. Instead they provide this random hodgepodge of vaguely-described settings. I sure hope Mozilla performance improves, I'm starting to get tired of IE, and moz is looking like the first real contender in terms of reliability, features, and basic usability.

      Posted anonymously, because I'm sure somebody will just mod me as a troll. Sigh.

    2. Re:Do you really want to solve this problem? by dpilot · · Score: 1

      I'd argue that it's not really a standard until a third party can read the documentation and implement their own. Until then, it just looks, walks, and quacks like a standard, but really isn't one.

      --
      The living have better things to do than to continue hating the dead.

  8. Cyberguard firewall by RupertJ · · Score: 2, Informative

    Cyberguard firewall products allow you to strip ActiveX/Java/JavaScript/VBScript etc. Find them HERE

    WEBSweeper proxy is also a good product, find that HERE

  9. Trusted domains by cpex · · Score: 2, Informative

    Not that I like IE but trusted domains works pretty well. I assume that your employees access the same few sites for work related purposes. My employer is a financial consultant so we have several providers' web sites that we use to get client account information. I simply tell the browsers to trust those domains and be really strict everywhere else. If a user complains about 'why can't I see the trailer for the new movie', well the answer is you don't need to.

  10. Most of us... by Wakko+Warner · · Score: 1

    ...usually just wait for Code Red or Nimda to take care of IE scripting for us... that gives us all the ActiveX we need!

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"

  11. Controlled ActiveX is possible by kawika · · Score: 5, Informative

    You can control the places where IE looks for ActiveX controls. The magic registry key is

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CodeBaseSearchPath

    By default you will see CODEBASE in the registry value. That means if there is a CODEBASE parameter in the OBJECT tag on the web page, IE will use it if the correct control version is not installed. However, you can also remove CODEBASE from the string and set this path to a location on your own network, where you place only the small set of trusted ActiveX controls you want your company to use. No other controls will be loaded.
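
The registry setting described in the comment above, as an added example that is not part of the original post: a PowerShell audit that reports whether the `CODEBASE` token is still in the search path and can replace the value with a single trusted location. The function names, the semicolon-separated layout, and the placeholder URL with its angle-bracket form are assumptions made for this example.

```powershell
# Added example (not from the thread). Requires an elevated prompt for HKLM writes.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$name = 'CodeBaseSearchPath'

function Get-CodeBaseSearchPath {
    # Return the semicolon-separated entries as an array (empty if the value is absent).
    $raw = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $raw) { return @() }
    @($raw -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-PageCodebaseHonoured {
    param([string[]]$Entries)
    # The literal CODEBASE token is what lets a page's OBJECT tag name the download location.
    [bool]($Entries -contains 'CODEBASE')
}

function Set-TrustedCodeBaseOnly {
    param([Parameter(Mandatory)][string]$TrustedLocation)
    if (($TrustedLocation -split ';' | ForEach-Object { $_.Trim() }) -contains 'CODEBASE') {
        throw 'Replacement value still contains the CODEBASE token.'
    }
    $old = (Get-CodeBaseSearchPath) -join ';'      # keep for rollback
    Set-ItemProperty -Path $key -Name $name -Value $TrustedLocation -Type String
    $old
}

$entries = Get-CodeBaseSearchPath
if (Test-PageCodebaseHonoured $entries) {
    Write-Warning "Pages can supply their own control download location: $($entries -join ';')"
    # Constructed placeholder; substitute your own internal control store.
    # $previous = Set-TrustedCodeBaseOnly '<http://activex.example.internal/controls/>'
} else {
    Write-Output "CODEBASE token absent; search path is: $($entries -join ';')"
}
```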

  12. Remember that there is often more than one way... by Futurepower(R) · · Score: 2


    Remember that there is often more than one way to do things. When you use Proxomitron to filter, be sure that you aren't giving away the information you are trying to keep private through another route, such as Javascript, for example. Make sure that your Proxomitron filters are thorough.

    I like Proxomitron, but I would feel much better if it were open source. There is a big, big need for an open source program like Proxomitron.

  13. Proxomitron's author is a truly smart guy. by Futurepower(R) · · Score: 2


    Someone has provided links to other software that (apparently) does what Proxomitron does. However, it is closed source also; so you have no way of assuring yourself that you are truly secure.

    If you have to choose between closed source programs, let me say that my experience with Proxomitron has been excellent. Proxomitron's author is a truly smart guy. Don't be put off by the weird colors and Proxomitron's reporting your browser as "Space Bison"; you can change those things during configuration.

  14. Sometimes, the best thing is to do nothing. by Futurepower(R) · · Score: 3, Funny


    I agree. One thing I love about Mozilla is its absolutely perfect way of handling ActiveX. *grin*

    1. Re:Sometimes, the best thing is to do nothing. by mellon · · Score: 1

      Indeed. Sorry I didn't make that explicit. :'}

  15. RTFM by Hard_Code · · Score: 3, Informative

    ActiveX and JavaScript are separate options in my IE:

    Tools...->Internet Options->Security->Custom Level...

    * Download signed ActiveX controls
    Disable Enable Prompt
    * Download unsigned ActiveX controls
    Disable Enable Prompt
    * Initialize and script ActiveX controls not marked as safe
    Disable Enable Prompt
    * Run ActiveX controls and plug-ins
    Administrator approved Disable Enable Prompt
    * Script ActiveX controls marked as safe for scripting
    Disable Enable Prompt

    * Active Scripting (i.e. Javascript)
    Disable Enable Prompt
    * Allow paste operations via script
    Disable Enable Prompt
    * Scripting of Java applets
    Disable Enable Prompt

    --

    It's 10 PM. Do you know if you're un-American?
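
The per-zone settings listed in the comment above, as an added example that is not part of the original post: the same options set and read back through the registry, so ActiveX can be disabled in the Internet zone while Active Scripting stays on. The function names and the sample policy are constructed for this example; the numeric IDs are Internet Explorer's URL action values and zone 3 is the Internet zone.

```powershell
# Added example (not from the thread). Per-user zone settings; 3 = Internet zone.
$zones = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Enable = 0; $Prompt = 1; $Disable = 3

# URL action IDs for the options shown under Security -> Custom Level.
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1405' = 'Script ActiveX controls marked as safe for scripting'
    '1400' = 'Active scripting'
    '1407' = 'Allow paste operations via script'
    '1402' = 'Scripting of Java applets'
}

# Constructed policy: every ActiveX action off, JavaScript left on.
$internetPolicy = @{ '1001' = $Disable; '1004' = $Disable; '1201' = $Disable
                     '1200' = $Disable; '1405' = $Disable; '1400' = $Enable }

function Set-ZonePolicy {
    param([int]$Zone, [hashtable]$Policy)
    $path = Join-Path $zones $Zone
    foreach ($id in $Policy.Keys) {
        Set-ItemProperty -Path $path -Name $id -Value $Policy[$id] -Type DWord
    }
}

function Get-ZonePolicy {
    param([int]$Zone)
    $path  = Join-Path $zones $Zone
    $names = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable'; 65536 = 'Administrator approved' }
    foreach ($id in $actions.Keys) {
        $v = (Get-ItemProperty -Path $path -Name $id -ErrorAction SilentlyContinue).$id
        $state = if ($null -eq $v) { '(not set)' } else { $names[[int]$v] }
        [pscustomobject]@{ Id = $id; Setting = $actions[$id]; State = $state }
    }
}

Set-ZonePolicy -Zone 3 -Policy $internetPolicy
Get-ZonePolicy -Zone 3 | Format-Table -AutoSize
```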
  16. here's some info by Anonymous Coward · · Score: 0

    look at 98lite.net (not 98lite.com)

    makes everything an installable/uninstallable option.

    Watch out for the nitwits who try to reinstall IE via download. That really fuxxors things. But if your employer cared about this, she wouldn't be bothering with Win95/98/XP/whatever.

  17. IE == ActiveX by Nailer · · Score: 2

    IE is ActiveX. Look at the size of IEXPLORE.EXE. Do you think Microsoft managed to fit an entire modern web browser into a few hundred K? IEXPLORE is an ActiveX control that does little more than call other ActiveX controls, for displaying HTML, running J(ava)script, etc. If you're wondering why it's so hard to lock down ActiveX entirely, it's because that's all IE is.

  18. Sonicwall by dousette · · Score: 1

    With a Sonicwall PRO series firewall, it is possible to specify a list of "trusted domains" to allow ActiveX to.