8.3.21 Set 'Download unsigned ActiveX controls' to 'Enabled:Disable'

Information



This policy setting allows you to manage whether users may download unsigned ActiveX
controls from the zone. The recommended state for this setting is- Enabled-Disable.

*Rationale*

Unsigned code is potentially harmful, especially when coming from an untrusted zone.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to
Enabled.

Computer Configuration\Administrative Templates\Windows Components\Internet
Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Download unsigned
ActiveX controlsThen set the Download unsigned ActiveX controls option to Disable.

Impact-
If you enable this policy setting, users can run unsigned controls without user intervention.
If you select Prompt in the drop-down box, users are queried to choose whether to allow
the unsigned control to run. If you disable this policy setting, users cannot run unsigned
controls. If you do not configure this policy setting, users cannot run unsigned controls.

Default Value-Disabled

See Also

https://workbench.cisecurity.org/files/1518

Item Details

Audit Name: CIS IE 11 v1.0.0

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(3)

Plugin: Windows

Control ID: 8382019951e2239b6645b3b378d4a015b5f1fa373c7e0c586f70f0b5b2bf8908