Slashdot Mirror


Disabling IE Scripting in a Useful Manner?

hwyguy2 asks: "Do any Slashdot readers have any insight or pointers on how companies deal with ActiveX in the IE browser? At the company I'm with, they have taken a conservative approach, and have the browser configured to only allow ActiveX to internal corporate servers and disallow it anywhere else. Of course, locking that down also locks things like javascript, which the company chooses to prompt. This creates many practical problems and user frustrations. It also makes it a pain for programs that use ActiveX innocuously (such as HoTMetal, which seems to like to use an ActiveX control to get an open file dialog box). Given the number of sites out there that now only work with IE (boo!), this tight configuration is getting harder and harder to support. Are there any good ways to address the ActiveX concerns (maybe filtering servers to block ActiveX or other mobile code concerns)?"

5 of 31 comments

  1. Proxomitron by jafuser · · Score: 5, Informative
    If you have the ability to install software on your computer, install Proxomitron. It will let you filter out the activex stuff, so at least you won't get the annoying "This page may not be displayed correctly" prompt every time you get to an activex page that won't work due to your firewall.

    BTW, Proxomitron basically lets you apply regex-like filtering and search/replace to your incoming HTML, so it's useful for a *lot* of stuff.

    Google Search for Proxomitron

    --
    Please consider making an automatic monthly recurring donation to the EFF
  2. Cyberguard firewall by RupertJ · · Score: 2, Informative

    Cyberguard firewall products allow you to strip ActiveX/Java/JavaScript/VBScript etc. Find them HERE

    WEBSweeper proxy is also a good product, find that HERE

  3. Trusted domains by cpex · · Score: 2, Informative

    Not that I like IE but trusted domains works pretty well. I assume that your employees access the same few sites for work-related purposes. My employer is a financial consultant so we have several providers' web sites that we use to get client account information. I simply tell the browsers to trust those domains and be really strict everywhere else. If a user complains about 'why can't I see the trailer for the new movie', well the answer is you don't need to.

  4. Controlled ActiveX is possible by kawika · · Score: 5, Informative

    You can control the places where IE looks for ActiveX controls. The magic registry key is

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CodeBaseSearchPath

    By default you will see CODEBASE in the registry value. That means if there is a CODEBASE parameter in the OBJECT tag on the web page, IE will use it if the correct control version is not installed. However, you can also remove CODEBASE from the string and set this path to a location on your own network, where you place only the small set of trusted ActiveX controls you want your company to use. No other controls will be loaded.

  5. RTFM by Hard_Code · · Score: 3, Informative

    ActiveX and JavaScript are separate options in my IE:

    Tools...->Internet Options->Security->Custom Level...

    * Download signed ActiveX controls
    Disable Enable Prompt
    * Download unsigned ActiveX controls
    Disable Enable Prompt
    * Initialize and script ActiveX controls not marked as safe
    Disable Enable Prompt
    * Run ActiveX controls and plug-ins
    Administrator approved Disable Enable Prompt
    * Script ActiveX controls marked as safe for scripting
    Disable Enable Prompt

    * Active Scripting (i.e. Javascript)
    Disable Enable Prompt
    * Allow paste operations via script
    Disable Enable Prompt
    * Scripting of Java applets
    Disable Enable Prompt

    --

    It's 10 PM. Do you know if you're un-American?
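
An added example, not part of any commenter's post: a Python audit of an exported registry file that checks the CodeBaseSearchPath value from comment 4 and decodes the Internet-zone options listed in comment 5. The sample export is constructed, the semicolon-separated path syntax is assumed, and the rule "flag any ActiveX option set to Enable" is an illustrative policy choice.

```python
import re

# URL action IDs behind the options above (value names under ...\Zones\<n>; 3 = Internet zone).
ACTIVEX = {"1001": "Download signed ActiveX controls",
           "1004": "Download unsigned ActiveX controls",
           "1200": "Run ActiveX controls and plug-ins",
           "1201": "Initialize and script ActiveX controls not marked as safe",
           "1405": "Script ActiveX controls marked as safe for scripting"}
SCRIPTING = {"1400": "Active Scripting",
             "1402": "Scripting of Java applets",
             "1407": "Allow paste operations via script"}
STATE = {0: "Enable", 1: "Prompt", 3: "Disable", 0x10000: "Administrator approved"}

# Constructed sample in `reg export` text form (not from a real machine).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"CodeBaseSearchPath"="CODEBASE;<http://controls.corp.example/>"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000000
"1200"=dword:00010000
"1400"=dword:00000000
'''

def parse_reg(text):
    """Parse string and dword values from reg-export text into {key: {name: value}}."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
        m = re.fullmatch(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")', line)
        if m and cur is not None:
            cur[m.group(1)] = int(m.group(2), 16) if m.group(2) else m.group(3)
    return keys

def audit(text, zone="3"):
    """Return (settings, findings) for one zone plus the CodeBaseSearchPath check."""
    settings, findings = {}, []
    for path, values in parse_reg(text).items():
        tokens = str(values.get("CodeBaseSearchPath", "")).upper().split(";")
        if path.endswith("\\Internet Settings") and "CODEBASE" in map(str.strip, tokens):
            findings.append("CodeBaseSearchPath still honours the page-supplied CODEBASE")
        if path.endswith("\\Zones\\" + zone):
            for vid, label in {**ACTIVEX, **SCRIPTING}.items():
                settings[label] = STATE.get(values.get(vid), "not set")
                if vid in ACTIVEX and settings[label] == "Enable":
                    findings.append(f"{label}: enabled without prompt")
    return settings, findings
```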