[Dshield] Filtering ActiveX

warpmedia warpmedia at comcast.net
Wed Sep 17 18:16:51 GMT 2003

<flame-suit value=on> =)

That or you can do what I've been doing for 4 years.

Create two additional IE zones, "Java" & "ActiveX". Set them up with 
limited Java and ActiveX+Java. Now take your Internet zone & disable 
everything script related.

When you need a site to access Java/ActiveX, just add it to the zone with 
enough features to do what you want. This also works in IE 6, but the 
additional zones will have screwed up descriptions in "Internet settings".

I further add to this by setting default protocols to zone "4" Restricted, 
enabling the ability for URLs to be added back to the debilitated Internet zone, 
and using a program called ADIEFltr to facilitate moving URLs to the 
proper zone on-the-fly.

Been meaning to do a write-up on this, just haven't found the time. Of course 
YMMV, this has not been stress tested and there are other vectors besides 
scripting enabled. Also, like cookie stealing, I'm sure there are ways to 
spoof you into other zones using M$ bugs (i.e. all the 
"spamdomain.com:asdf at victimdomain.com" links), though I think the crippling 
& the restricted zone as default goes a long way.

Here's M$'s own KB doc on IE Security Zones:


At 11:36 9/17/2003, Corinne Cook wrote:
>If you can get away with it, disabling it is probably easiest.
>But if you still have active scripting enabled, you're open to just as many
>threats if not more in the long run from what I can tell.
>If you have a Windows 2000 AD domain, you can set Group Policy for a lot of
>Internet Explorer settings.  Even if you don't have AD, you can do registry
>hacks that utilize the 4 zones (Internet, Intranet, Trusted Sites and
>Restricted Sites).  That way, you can tighten the Internet general settings
>and then just add a few sites, like Windows Update or an online banking
>site, if needed, to Trusted Sites and set those settings a little lighter.
>Unless you want to set these for each and every user of the machine, though,
>you'll want to add the registry hack that sets the Internet Explorer
>settings for the whole computer rather than per user.
>Just keep in mind, if you disable ActiveX, Active Scripting, or both,
>that even sites like webmail sites and Windows Update itself will not run if
>they are turned off for that zone, so you'll have to work around that if you
>disable it for all zones.

Joshua MacCraw
warpmedia at comcast.net
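An added example, not part of either message above, showing the zone-tightening the thread describes as registry writes: disable ActiveX, scripting and Java in the Internet zone, let sites be added back to it, point default protocols at the Restricted zone, create an extra "ActiveX" zone, and move named sites into the zone with the features they need. It is written in PowerShell rather than the .reg files of the period; the hostnames are constructed placeholders, the zone and URL-action key layout is IE's documented one, and the Flags bit values and the layout of a custom zone key are assumptions based on the built-in zones' keys.

```powershell
# Added example (not from the original post). Run as the user whose IE settings
# should change; for machine-wide settings see the HKLM note at the end.

$IS      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Zones   = "$IS\Zones"
$ZoneMap = "$IS\ZoneMap"

# URL action IDs for a zone (DWORD values: 0 = enable, 1 = prompt, 3 = disable)
$ActiveX      = '1200'   # Run ActiveX controls and plug-ins
$ActiveScript = '1400'   # Active scripting
$JavaPerms    = '1C00'   # Java permissions: 0 = disable, 0x10000 = high safety
$Trusted = 2; $Internet = 3; $Restricted = 4; $ActiveXZone = 5   # 5 = custom zone (assumed free)

function Set-ZoneAction {
    param([int]$Zone, [string]$Action, [int]$Value)
    Set-ItemProperty -Path "$Zones\$Zone" -Name $Action -Value $Value -Type DWord
}

# 1. Cripple the Internet zone: no ActiveX, no scripting, no Java.
Set-ZoneAction -Zone $Internet -Action $ActiveX      -Value 3
Set-ZoneAction -Zone $Internet -Action $ActiveScript -Value 3
Set-ZoneAction -Zone $Internet -Action $JavaPerms    -Value 0

# 2. Allow URLs to be added to the Internet zone (Flags bit 0x2 = "users may
#    add sites"; bit meaning assumed from IE's zone Flags documentation).
$flags = (Get-ItemProperty -Path "$Zones\$Internet").Flags
Set-ItemProperty -Path "$Zones\$Internet" -Name Flags -Value ($flags -bor 0x2) -Type DWord

# 3. Default protocols -> Restricted, so anything not explicitly mapped gets
#    the tightest template instead of the (already crippled) Internet zone.
$pd = "$ZoneMap\ProtocolDefaults"
if (-not (Test-Path $pd)) { New-Item -Path $pd -Force | Out-Null }
foreach ($proto in 'http', 'https', 'ftp') {
    Set-ItemProperty -Path $pd -Name $proto -Value $Restricted -Type DWord
}

# 4. An extra "ActiveX" zone that permits ActiveX+Java (custom zone key layout
#    copied from the built-in zones; assumption). IE 6 shows such zones with
#    mangled descriptions, as the post notes, but honours their settings.
$custom = "$Zones\$ActiveXZone"
if (-not (Test-Path $custom)) { New-Item -Path $custom -Force | Out-Null }
Set-ItemProperty -Path $custom -Name DisplayName -Value 'ActiveX'
Set-ItemProperty -Path $custom -Name Description -Value 'Sites allowed to run ActiveX and Java'
Set-ItemProperty -Path $custom -Name Flags -Value 0x3 -Type DWord   # custom settings + user may add sites
Set-ZoneAction -Zone $ActiveXZone -Action $ActiveX      -Value 0
Set-ZoneAction -Zone $ActiveXZone -Action $ActiveScript -Value 0
Set-ZoneAction -Zone $ActiveXZone -Action $JavaPerms    -Value 0x10000

# 5. Map individual sites to the zone that has just enough features for them.
function Add-SiteToZone {
    param([string]$Domain, [int]$Zone, [string]$Scheme = 'https')
    $key = "$ZoneMap\Domains\$Domain"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Value name is the scheme; DWORD data is the zone number.
    Set-ItemProperty -Path $key -Name $Scheme -Value $Zone -Type DWord
}
Add-SiteToZone -Domain 'webmail.example.com' -Zone $Trusted       # constructed hostname
Add-SiteToZone -Domain 'plugins.example.net' -Zone $ActiveXZone   # constructed hostname

# Machine-wide variant (the "registry hack" from the quoted reply): write the
# same keys under HKLM:\SOFTWARE\...\Internet Settings and set the DWORD
# Security_HKLM_only = 1 there so IE ignores per-user zone settings.
```

Mapping by scheme matters: a domain mapped only for `https` still lands in the default zone over `http`, so list both schemes (or `*`) for a site only when you mean to loosen it for plain HTTP as well.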

