Disable ActiveX How and Why

Part 1



Why Disable ActiveX?

Because:

The simplest, most effective way to secure a computer is: disable unnecessary ActiveX content.

But first, what is ActiveX?
ActiveX is a collection of programs that provides much of the interactive content seen on modern Web sites. ActiveX allows a Web site to load small programs onto your computer, providing a video viewer for example. Sometimes this is useful, but there is obvious abuse potential. Most people know it's a bad idea to run an unknown program from an unknown source, but thanks to ActiveX, just clicking on a link will do the same thing. Nowadays ActiveX is the source of many if not most Web viruses and spyware (see endnote 1). The best way to prevent this malware from entering your computer in the first place is: disable ActiveX whenever feasible.

Minimal steps to disable ActiveX content

Open Windows Explorer; under Tools choose Internet Options.

1. Select Security from the tabs at the top; you will see (Fig. 1):


Fig. 1: Internet Options-Security Tab


2. Choose Internet Zone

3. Set the security slider to High. (If there is no slider, hit Default, then set the slider to High.)

4. Make sure you hit Apply. (At this point, you could return to the browser and your computer will probably never get a virus from the Web, but many sites will no longer work. You might try it as an experiment though. Most people will want to partially restore the functionality, so go on to the next step; see endnote 2.)

5. Go to Custom Level. A long scrolling list appears; Fig. 2 shows three sections of this list. Enable the three items shown (see endnote 2).


Fig. 2: Security Settings


Hit OK to exit; hit OK again to exit the Internet Options box of Fig. 1. (The security slider will no longer be there.) Close Internet Explorer, then re-open it to make sure all settings take effect (you don't have to restart your computer). You can restore the default setting later if you choose: just hit the Default button of Fig. 1.
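
To check that the steps above actually took effect, the Internet zone settings can be read back from the registry. The following PowerShell is an added example, not part of the original page; it assumes the settings are stored per user under Zones\3 and that the target state is every ActiveX action disabled with the three items from step 5 enabled. The function name Get-InternetZoneAudit is made up for this example.

```powershell
# Added example: audit the Internet zone (zone 3) for the current user.
# Value meanings in these keys: 0 = Enable, 1 = Prompt, 3 = Disable.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$labels  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Assumption: the target state is all ActiveX actions disabled and the
# three items from step 5 (scripting, form submit, file download) enabled.
$expected = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                  Want = 3 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                Want = 3 }
    '1200' = @{ Name = 'Run ActiveX controls and plug-ins';                 Want = 3 }
    '1201' = @{ Name = 'Initialize and script controls not marked as safe'; Want = 3 }
    '1405' = @{ Name = 'Script ActiveX controls marked safe for scripting'; Want = 3 }
    '1400' = @{ Name = 'Active scripting';                                  Want = 0 }
    '1601' = @{ Name = 'Submit non-encrypted form data';                    Want = 0 }
    '1803' = @{ Name = 'File download';                                     Want = 0 }
}

function Get-InternetZoneAudit {
    param([string]$Path = $zoneKey)
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($code in $expected.Keys) {
        $actual = $props.$code
        # A missing value must not be mistaken for 0 (Enable).
        $shown = if ($null -eq $actual) {
            'not set'
        } elseif ($labels.ContainsKey([int]$actual)) {
            $labels[[int]$actual]
        } else {
            "raw value $actual"
        }
        [pscustomobject]@{
            Code     = $code
            Setting  = $expected[$code].Name
            Actual   = $shown
            Expected = $labels[$expected[$code].Want]
            Match    = ($null -ne $actual -and $actual -eq $expected[$code].Want)
        }
    }
}

Get-InternetZoneAudit | Format-Table -AutoSize
```

Any row with Match = False is a setting that differs from the configuration described above.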

Side effects of disabling ActiveX

The main side effect is that most on-line banking and shopping services, and also the Microsoft Update service, will no longer work as “Internet zone” sites because they use ActiveX. To allow these sites to work, you must label them as “Trusted sites”. It is fairly easy to do this:
1. Again, open Windows Explorer; under Tools choose Internet Options.
2. Select Security from the tabs at the top.

This time, however, hit Trusted Sites and you will see (Fig. 3):


Fig. 3: Internet Options Trusted Zone


Next hit the button labeled “Sites”; that takes you to a list of the “Trusted Sites” (Fig. 4). If you haven't modified security settings before, the list will probably be empty. You must add three websites to this list to get Microsoft Update to work:


Fig. 4: Trusted Sites List


Concerning the check box labeled “Requires server verification (https) for all sites in this zone”: the https prefix on a site address means that the site uses a secure transmission mode suitable for banking etc. Microsoft Update doesn't use this mode; you must clear the check box to add the Microsoft Update site addresses. After you have successfully added the Microsoft Update addresses, you may go back and restore the check box; this restricts future additions to the secure protocol. If you go to a website, say a banking site, and you can't get it to work, then open the Trusted Sites window (hit Tools, Internet Options...). Usually the site's address is already in the upper box of Fig. 4. If not, then copy the website's address from the address bar and paste it into the “Add this website to the zone” box. It seems that all three of the entries in the “Websites” box are required for Windows Update to work.
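
Because the https check box has to be cleared for a while, it is worth reviewing afterwards which Trusted Sites entries were added without https. The following PowerShell is an added example, not part of the original page; it assumes the per-user Trusted Sites list is stored under ZoneMap\Domains, where each value name is a protocol and the value 2 means the Trusted zone. The function name Get-TrustedSiteEntry is made up for this example.

```powershell
# Added example: list sites mapped to the Trusted zone (zone 2) for the
# current user and mark entries that are not restricted to https.
$domainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-TrustedSiteEntry {
    param([string]$Root = $domainsKey)
    if (-not (Test-Path -Path $Root)) { return }   # list was never modified

    Get-ChildItem -Path $Root -Recurse | ForEach-Object {
        $key = $_
        # Keys are nested as Domains\<domain>\<subdomain>; rebuild the host
        # name in the usual order (subdomain.domain).
        $relative = $key.Name -replace '^.*\\ZoneMap\\Domains\\', ''
        $parts = $relative.Split('\')
        [array]::Reverse($parts)
        $siteHost = $parts -join '.'

        # Each value name is a protocol ("http", "https" or "*" for any);
        # its data is the zone number the site is mapped to.
        foreach ($scheme in $key.GetValueNames()) {
            if ($key.GetValue($scheme) -eq 2) {
                [pscustomobject]@{
                    Site      = $siteHost
                    Protocol  = $scheme
                    HttpsOnly = ($scheme -eq 'https')
                }
            }
        }
    }
}

Get-TrustedSiteEntry | Sort-Object Site | Format-Table -AutoSize
```

Entries with HttpsOnly = False get the relaxed Trusted zone settings over an unencrypted connection, so that list should stay as short as possible.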

The main pitfall is that several weeks from now you may open a site that contains ActiveX, the site won't work, and you will tear your hair out trying to figure out why it doesn't work; you forgot about ActiveX being disabled (happens to me sometimes). You will just have to remember to check the banner at the top informing you that the ActiveX controls don't work, then add the site to the trusted zone.

Sometimes you may have to go back to Fig. 1 and temporarily reset the security slider to Medium-high to get a download to work. Adobe Reader is one example; they use too much ActiveX there. Just remember to restore the High security level when through.

Another side effect is that Adobe Flash Player and other on-line media programs won't work unless you make the site trusted. You may go to a television news channel website, for example; there will be no video on the TV news viewers, only a misleading message saying something like:

“your Flash Player plugin is out of date;click here to download a new one”

It will do you no good to download a new Flash Player; the only cure is to enable ActiveX for that website. For that reason you will probably have to forget about sites like YouTube unless you want to make them trusted (obviously a bad idea).

Another issue concerns certain internet flagging programs such as Norton 360. These programs, which flag internet sites with warnings about reported viruses, will no longer post those warnings. That's because they use ActiveX to implement the feature. I don't know of a workaround for this, so you will have to make a decision on whether to block active content as described here or not. Here's my opinion: ActiveX blocking as described here does not affect the virus scanning and other features. I have Norton 360 installed on a computer with ActiveX blocked as described here and don't miss the internet flags because (1) Google and other major search services do that anyway, and (2) the feature can only report a malware issue after it has been discovered and reported (window of vulnerability). During this time of vulnerability computers worldwide will have been infected, maybe yours. I find it best to block the active content because that's the main malware portal these days.

1. If you doubt the statement, type activex along with terms like virus, spyware, malware, etc. into Google or Google News (or any other search).

2. Brief explanation of the three items:
File download:
Enabling allows Web sites to download files at your request. You could disable it, but it's hard to use the Internet without file downloads. Fortunately (unlike ActiveX), when you click on a file download a box appears asking open, run or save; that gives you a chance to think about it.
Submit non-encrypted form data:
This procedure occurs anytime you type into one of those little text boxes (the basic Google search, for example). You could choose Prompt, but the prompts get very annoying. (If you choose Disable, hardly anything works.) Just remember: don't type sensitive information into any part of any website unless that website uses https and you trust that website.
Active Scripting (I had to think about this one):
Effectively, choosing Disable shuts down JavaScript (actually, it also shuts down ActiveX and a few other things, but we have already done that). JavaScript is very widely used (Google Images won't work if you choose Disable) and currently believed safe, as far as file security goes. It's possible, however, for a prankster to make your browser do strange things with JavaScript, and you never know what the hackers will come up with next. (Many Web pages display popup-like windows with this setting enabled, even with the IE8 popup blocker.) As an experiment, you might try Prompt; if you don't mind the constant prompting, then leave it that way.
