Per-Site ActiveX Controls

Windows Internet Explorer 8 allows greater control of where and under what context Microsoft ActiveX controls can run. In this version of Windows Internet Explorer, ActiveX controls that are embedded as Web objects are presented to the user as add-ons. Through the new Manage Add-ons dialog box, the registry, or site-locking technology (such as the SiteLock ATL Template), these add-ons can be restricted for use on specific Web sites.

This topic contains the following sections:

  • Overview
  • Compatibility with Internet Explorer 7
  • Feature Details
    • Improvements in Internet Explorer 8
    • Per-Site Control: A User Perspective
    • Per-Site Control: An IT Professional Perspective
    • Per-Site Control: A Developer Perspective
  • Code Samples
    • Registry Scripts for Predetermined Per-Site Settings
    • SiteLock for ActiveX Controls Template
  • Related topics

Overview

When an add-on is implemented on a Web site, the Information bar lets users allow an ActiveX control to run on all Web sites or only the current one. Users can easily make changes to this behavior through the Manage Add-ons dialog box. As in Windows Internet Explorer 7, certain common controls (such as Adobe Flash) will initially be permitted to run on all Web sites in order to maintain an ideal user experience.

Compatibility with Internet Explorer 7

End-user and enterprise-administrator control of per-site ActiveX will work on Internet Explorer 8 and later. In previous versions of Internet Explorer, only ActiveX developers could apply per-site control. For more information on developing controls with per-site control for Internet Explorer 7, please refer to SiteLock template for ActiveX controls.

Feature Details

Improvements in Internet Explorer 8

Internet Explorer 8 Beta 1 for Developers implements per-site ActiveX as another tool that allows users to do their part in protecting the integrity of PCs. Building on developer-only SiteLock technology, the per-site control in Internet Explorer 8 Beta 1 for Developers introduces a triple defense against compromise by involving three major actors in the process.

Per-Site Control: A User Perspective

When a user navigates to a Web site containing an ActiveX control, Internet Explorer 8 Beta 1 for Developers makes a series of checks to see whether that control has permission to run. If the use of the control is in question, the user is notified through an Information bar that the control wants to run, as shown in the following screen shot.

When users click this Information bar, a context menu is presented to them, as shown in the following screen shot. Users can then elect to allow the control for a specific Web site, allow the control for all Web sites, disallow the control, or get more information about the prompt.

If a user elects to allow a control—either in the context of an individual page or for all Web sites visited—a second confirmation approval prompt appears, as shown in the following screen shot. This gives the user a final choice on whether to run the script.

Per-Site Control: An IT Professional Perspective

IT Professionals administering a system of computers running Internet Explorer 8 may choose to preset allowed controls and their associated domains. Such settings can be implemented in Microsoft Active Directory systems and Group Policy implementations. Allowed domains and controls are stored in the HKEY_CURRENT_USER hive along the following path:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CLSID}\iexplore\AllowedDomains\{DOMAIN | *}

{CLSID} represents the class identifier (CLSID) of a control in question, and {DOMAIN | *} represents the domains allowed to run the specified control (where * represents all domains). A registry file for use in Group Policy implementations can be found in the Code Samples.

Per-Site Control: A Developer Perspective

ActiveX controls can implement their own per-site control with the SiteLock template for ActiveX controls. SiteLock uses the IObjectSafety interface introduced in Microsoft Internet Explorer 5 to determine the Web sites on which controls are allowed to run.

Code Samples

Registry Scripts for Predetermined Per-Site Settings

The following registry script allows a control to run on all domains. An IT Professional could push these settings to individual or multiple computers. Replace CLSID with the CLSID of the ActiveX control.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CLSID}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CLSID}\iexplore] 
"Count"=dword:00000002 
"Flags"=dword:00000004 
"Type"=dword:00000001 
"Time"=hex:d8,07,01,00,02,00,0f,00,12,00,31,00,1c,00,4e,03

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CLSID}\iexplore\AllowedDomains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CLSID}\iexplore\AllowedDomains\*] 

The following script demonstrates how to allow an ActiveX control to run on msn.com and microsoft.com.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CLSID}\iexplore\AllowedDomains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CLSID}\iexplore\AllowedDomains\msn.com]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CLSID}\iexplore\AllowedDomains\microsoft.com] 
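
An added example, not part of the original page or Microsoft's code: a Python check an administrator could run over a registry script like the two above before pushing it out, listing which controls it allows on which domains and flagging `*` grants and domains outside an approved list. The CLSIDs, the approved list and example.net are constructed sample values, and comparing domains by exact match is an assumption about review policy, not a statement of how Internet Explorer matches them.

```python
import re

# Key layout from the page: ...\Ext\Stats\{CLSID}\iexplore\AllowedDomains\{DOMAIN | *}
BASE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats"
ALLOWED_KEY = re.compile(
    r"^\[" + re.escape(BASE)
    + r"\\(\{[0-9a-f-]{36}\})\\iexplore\\AllowedDomains\\([^\\\]]+)\]$",
    re.IGNORECASE,
)

def allowed_domains(reg_text):
    """Map each control CLSID to the set of domains the script allows it on."""
    grants = {}
    for line in reg_text.splitlines():
        # Deletion keys ("[-HKEY_...]") and value lines do not match the pattern.
        m = ALLOWED_KEY.match(line.strip())
        if m:
            grants.setdefault(m.group(1).upper(), set()).add(m.group(2).lower())
    return grants

def audit(reg_text, approved):
    """List (clsid, domain, reason) for wildcard grants and unapproved domains."""
    findings = []
    for clsid, domains in sorted(allowed_domains(reg_text).items()):
        for domain in sorted(domains):
            if domain == "*":
                findings.append((clsid, domain, "allowed on all sites"))
            elif domain not in approved:
                findings.append((clsid, domain, "domain not on approved list"))
    return findings

# Constructed sample input: placeholder CLSIDs, not real controls.
CTRL_A = "{11111111-1111-1111-1111-111111111111}"
CTRL_B = "{22222222-2222-2222-2222-222222222222}"

def key_line(clsid, domain):
    return "[" + BASE + "\\" + clsid + "\\iexplore\\AllowedDomains\\" + domain + "]"

SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    key_line(CTRL_A, "*"),
    key_line(CTRL_B, "msn.com"),
    key_line(CTRL_B, "example.net"),
    "[-" + key_line(CTRL_B, "microsoft.com")[1:],  # a deletion, not a grant
])

if __name__ == "__main__":
    for finding in audit(SAMPLE, approved={"msn.com", "microsoft.com"}):
        print(*finding, sep="  ")
```

Files written by the Registry Editor export in the 5.00 format are UTF-16, so read them with `encoding="utf-16"` before passing the text to `audit`.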

SiteLock for ActiveX Controls Template

A C++ code demonstration of SiteLock for ActiveX controls properly implementing ATL can be found here.

Related topics

Non-Admin ActiveX Controls