Detections
Analytics
2.5 Set 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' to 'Enabled'
Information
This policy setting prevents ActiveX controls from running in Protected Mode when
Enhanced Protected Mode is enabled. When a user has an ActiveX control installed that is
not compatible with Enhanced Protected Mode and a website attempts to load the control,
Internet Explorer notifies the user and gives the option to run the website in regular
Protected Mode. This policy setting disables this notification and forces all websites to run
in Enhanced Protected Mode.
Enhanced Protected Mode provides additional protection against malicious websites by
using 64-bit processes on 64-bit versions of Windows. For computers running Windows 8
and above, Enhanced Protected Mode also limits the locations Internet Explorer can read
from in the registry and the file system.
When Enhanced Protected Mode is enabled, and a user encounters a website that attempts
to load an ActiveX control that is not compatible with Enhanced Protected Mode, Internet
Explorer notifies the user and gives the option to disable Enhanced Protected Mode for that
particular website.
If you enable this policy setting, Internet Explorer will not give the user the option to
disable Enhanced Protected Mode. All Protected Mode websites will run in Enhanced
Protected Mode.
If you disable or do not configure this policy setting, Internet Explorer notifies users and
provides an option to run websites with incompatible ActiveX controls in regular Protected
Mode. This is the default behavior. The recommended state for this setting is- Enabled.
*Rationale*
Enhanced Protected Mode provides additional protection against malicious websites by
using 64-bit processes on 64-bit versions of Windows. For computers running Windows 8
and above, Enhanced Protected Mode also limits the locations Internet Explorer can read
from in the registry and the file system.
Solution
To establish the recommended configuration via Group Policy, set the following UI path toEnabled.
Computer Configuration\Administrative Templates\Windows Components\Internet
Explorer\Internet Control Panel\Advanced Page\Do not allow ActiveX controls to run in
Protected Mode when Enhanced Protected Mode is enabled
Impact-When Enhanced Protected Mode is enabled, and a user encounters a website that attempts
to load an ActiveX control that is not compatible with Enhanced Protected Mode, Internet
Explorer notifies the user and gives the option to disable Enhanced Protected Mode for that
particular website.
If you enable this policy setting, Internet Explorer will not give the user the option to
disable Enhanced Protected Mode. All Protected Mode websites will run in Enhanced
Protected Mode.
If you disable or do not configure this policy setting, Internet Explorer notifies users and
provides an option to run websites with incompatible ActiveX controls in regular Protected
Mode. This is the default behavior.
3 Browsing History
See Also
Item Details
Audit Name: CIS IE 11 v1.0.0
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-18(2)
Plugin: Windows
Control ID: fd94bb68e06f7f004f120873e1da6b9e2aafe522e03299844fbee523fcb135d5