7.3 Set 'Restrict ActiveX Install' to 'Enabled' - (Reserved)

Information

*Description*

This policy setting provides the ability to block ActiveX control installation prompts for
Internet Explorer processes. The recommended state for this setting is: Enabled.

*Rationale*

Users often choose to install software such as ActiveX controls that are not permitted by
their organization's security policy. Such software can pose significant security and privacy
risks to networks.

Solution

To implement the recommended configuration state, set the following Group Policy setting
to Enabled.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install\Internet Explorer Processes

*Impact*

If you enable this policy setting, prompts for ActiveX control installations will be blocked
for Internet Explorer processes. If you disable this policy setting, prompts for ActiveX
control installations will not be blocked and these prompts will be displayed to users.

Note: This policy setting also blocks users from installing authorized, legitimate ActiveX
controls, which will interfere with important system components like Windows Update. If you
enable this policy setting, make sure to implement some alternate way to deploy security
updates, such as Windows Server Update Services (WSUS). For more information about WSUS, see
the Windows Server Update Services Product Overview page at
www.microsoft.com/windowsserversystem/updateservices/evaluation/overview.mspx.

See Also

https://workbench.cisecurity.org/files/1516

Item Details

Audit Name: CIS IE 9 v1.0.0

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(3), CSCv6|3.1

Plugin: Windows

Control ID: 964868434b3cc40b3c7221351a1a9a935772c7ca9865ae1af0f837537417eac8