
ActiveX opt-ins, information bar and cross-domain protection: Step 4

Trying to find out what's so special about IE7? Read up on the new security features present in IE7, and learn which of these features are user configurable.

ActiveX opt-ins

One of the most powerful tools that malware authors have had at their disposal is the ActiveX control. At one time, malware authors commonly developed malicious ActiveX controls and tried to trick their victims into installing them. Today, security features built into IE and into third-party anti-malware software have greatly reduced the practice of installing malicious ActiveX controls.

A lot of people don't realize that there are a number of ActiveX controls built into IE6. Although these built-in controls are not malicious in and of themselves, they are frequently used as components in malware attacks.

In Internet Explorer 7, Microsoft disabled almost all of the built-in ActiveX controls by default. If a Web site needs to use a control, the user is notified through the information bar and has the option of enabling the control.

ActiveX controls can also be manually enabled or disabled through the Add-on Manager, which is accessible through Internet Explorer's Tools menu. As you can see in Figure C, the Add-on Manager allows you to manually enable or disable ActiveX controls individually.

Figure C: Add-on Manager allows you to enable or disable ActiveX controls individually.

The Information Bar

The Information Bar in IE6 notifies the user when Internet Explorer has taken action against a possible security exploit. One change made to the information bar in IE7 is that it is now color-coded. For example, if IE7 is absolutely confident in a site's identity because the site is using a high-assurance certificate, then the information bar is presented in green. On the other hand, if a site is a known phishing site, then the information bar is presented in red.

Another minor, but security-oriented change to the IE user interface is that all browser windows now contain an address bar. This helps prevent malicious pop-up windows from appearing to be part of a legitimate Web site.

These forms of protection are built into IE7 and are non-configurable.

Cross-domain protection

One last non-configurable, behind-the-scenes security feature that I want to talk about is cross-domain barriers. To prevent malicious code from taking advantage of holes in poorly coded legitimate Web sites, IE7's cross-domain protection feature prevents scripts on a Web site from interacting with sites located at other domains.

Configuring IE7 security on Vista

 Home: Introduction
 Step 1: General security configuration
 Step 2: Phishing filter
 Step 3: Protection against international domain names, URL handling
 Step 4: ActiveX opt-ins, information bar and cross-domain protection
 Step 5: Windows Vista and IE7

Brien M. Posey, MCSE, MVP
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at

Copyright 2006 TechTarget
