ActiveX control installation from Trusted Sites

    Question

  • This question relates to IE 8 running on Windows 7 x64 (but x86 ver of IE is running)

    I would like to allow signed ActiveX controls to be installed automatically from Trusted sites even when a non administrative user is logged in.

    At the start, when launching our in-house web site, I was getting a User Account Control message with the name of the signed ActiveX control that wants to install along with a prompt to enter admin credentials.  In researching the problem and solution, I found that I needed to modify a GPO that applies to the workstation.  I modified the policy "ActiveX installation policy for sites in Trusted zones" and set it to enabled and Trusted Pub=Silently, Signed = Silently, and unsigned = Prompt.

    I then rebooted the computer.  After doing this, the UAC prompt is still appearing, but the text of the message has changed.  Now, instead of listing the ActiveX control that wants to install, it says "Internet Explorer Add-on Installer" publisher "Microsoft Windows" origin "Hard drive on this computer" with the CLSID {BDB57FF2-79B9-4205-94470F5FR85F37312}.

    If I go back and "not configured" the GPO policy, it switches back to prompting with the name of the actual ActiveX control.

    How do I get it so that ActiveX controls are allowed to install from trusted sites without prompting?



    Monday, June 13, 2011 9:34 PM

Answers

  • I am having the same issue - the site shows as a Trusted Site, yet the Trusted Zones policy for ActiveX Installer Service is not functioning.  This is for a UAG site downloading the Endpoint Component Manager, the UAC prompt comes up for Internet Explorer Add-on Installer.  The Microsoft Windows Certificate does have an expired date on it - which surprises me as it is the standard UAG software.

    So any tricks for Trusted Sites and the ActiveX Installer Service?

    Okay I think I got this working - reread the Microsoft instructions on AXIS and found the following notes:

    Configuring the ActiveX installation policy for the Trusted sites zone

    You can add Web sites that are trusted by your organization to the Trusted sites zone to enable them to be able to install ActiveX controls without requiring administrator approval. Sites in the Trusted sites zone can be specified with wildcard characters in combination with a subdomain; for example, adding the Web site https://*.contoso.com to the Trusted sites zone and then configuring the ActiveX installation policy for sites in Trusted zone policy setting would enable all Web sites in the contoso.com domain to install ActiveX controls onto computers in your organization. This can be useful if you have multiple trusted forests in your organization.

    To use this policy setting, you must also have enabled the Security Zones: Use only machine settings policy setting under Computer Configuration\Administrative Templates\Windows Components\Internet Explorer and populated the list of trusted sites that you will deploy by Group Policy in the Site to Zone Assignment List policy setting under Computer Configuration\Administrative Templates\Internet Explorer\Internet Control Panel\Security Page.

    So, what I was missing was the Use only machine settings, and the Site to Zone Assignment List policy setting.  After Adding those it appears to be working.

    • Proposed as answer by RogueWave24 Thursday, July 28, 2011 10:18 PM
    • Unproposed as answer by RogueWave24 Thursday, July 28, 2011 10:18 PM
    • Proposed as answer by RogueWave24 Thursday, July 28, 2011 10:18 PM
    • Marked as answer by ToddMiller Monday, August 01, 2011 3:20 PM
    Thursday, July 28, 2011 8:44 PM
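
The three settings the marked answer lists can be checked on a workstation with the script below. It is an added example, not part of any post in this thread; the registry paths and value names are assumptions drawn from the Internet Explorer and ActiveX Installer Service policy templates and should be confirmed on your build.

```powershell
# Added example. Registry locations are assumptions taken from the IE and
# ActiveX Installer Service ADMX templates, not from the thread; verify them.
$inet = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$axis = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AxInstaller\AxISURLZonePolicies'

function Get-PolicyValues([string]$Path) {
    # Return a name -> data table for a policy key; empty if the key is absent.
    $out = @{}
    if (Test-Path $Path) {
        $key = Get-Item $Path
        foreach ($name in $key.GetValueNames()) { $out[$name] = $key.GetValue($name) }
    }
    return $out
}

$findings = @()

# 1. "Security Zones: Use only machine settings" (DWORD 1 when enabled).
if ((Get-PolicyValues $inet)['Security_HKLM_only'] -ne 1) {
    $findings += 'Use only machine settings is not enabled.'
}

# 2. "Site to Zone Assignment List": value name = site, data 2 = Trusted sites.
$zoneMap = Get-PolicyValues (Join-Path $inet 'ZoneMapKey')
$trusted = @($zoneMap.Keys | Where-Object { "$($zoneMap[$_])" -eq '2' })
if ($trusted.Count -eq 0) { $findings += 'No Trusted sites are assigned by Group Policy.' }
foreach ($site in $trusted) {
    # Entries without an https:// prefix also match plain-HTTP origins.
    if ($site -notmatch '^https://') {
        $findings += "Trusted site '$site' is not restricted to HTTPS."
    }
}

# 3. "ActiveX installation policy for sites in Trusted zones".
$ax    = Get-PolicyValues $axis
$label = @{ 0 = 'do not install'; 1 = 'prompt'; 2 = 'silently' }
if ($ax.Count -eq 0) { $findings += 'ActiveX installation policy for Trusted zones is not configured.' }
foreach ($name in 'InstallTrustedOCX', 'InstallSignedOCX', 'InstallUnSignedOCX') {
    if ($ax.ContainsKey($name)) { $state = $label[[int]$ax[$name]] } else { $state = 'not configured' }
    Write-Output ("{0,-20} {1}" -f $name, $state)
}
if ($ax['InstallUnSignedOCX'] -eq 2) { $findings += 'Unsigned controls install silently from Trusted sites.' }

Write-Output "Trusted sites by policy: $($trusted -join ', ')"
if ($findings.Count) {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
} else { Write-Output 'All three prerequisite policies are present.' }
```

Run it from an elevated or standard PowerShell prompt after `gpupdate /force`; it only reads the machine policy hive and changes nothing.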
  • I don't know if this is the answer, but I was able to get this to work right if I specified the web site directly in the other policy in the ActiveX Installer Service area - "Approved Installation Sites for ActiveX controls"

    I did not get it to work correctly from the "ActiveX installation policy for sites in Trusted zones" (Yes, I am sure the web site is in Trusted sites - it shows correctly in the status bar in the browser)

    It is OK.  It will be more work to specify individual sites to "trust" ActiveX controls, but it is probably more secure than trusting everything in Trusted Sites for ActiveX automated installation. 

    Still would like to find out why the "Trusted zones" policy is not operating for me as advertised, but now it is just a curiosity.

    Tuesday, June 14, 2011 2:30 PM

All replies

  • Thanks for solving the mystery.  For me, I want to continue to let my users add sites to trusted sites if they need to.  I will need to continue to specify my trusted ActiveX source sites individually.  I am glad to know that the Trusted Zone setting for ActiveX installation appearing to "not work" is by design.  It makes sense when I think about it.  It would be a pretty big loophole if users could just add a site to trusted sites on their own and be able to install ActiveX controls from anywhere.
    Monday, August 01, 2011 3:25 PM
  • Hi Gents,

    I have the same issues and couldn't find the solution... Could you share your experience and workaround to have a list of approved ActiveX controls for Standard Users?

    Tuesday, August 02, 2011 11:37 AM
  • Hi all, as a workaround I found that when I apply a GPO to change the ieinstal.exe ACLs, everything works fine. So grant INTERACTIVE users full control of this executable.
    Friday, August 26, 2011 7:15 PM
  • The Setting:

    Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Zones: Use only machine settings

    Worked perfectly for me.  Thank you very much for the heads up.

    Wednesday, November 14, 2012 1:03 PM
  • Spoke to Microsoft.  They stated you can’t install the rsclient print control via the ActiveX Installer Service.  Apparently the rsclient requires administrative privileges and therefore you can’t use the ActiveX Installer Service. The workaround is to deploy the control manually.  To do this you copy the files from C:\Program Files\Microsoft SQL Server\MSSQL.x\Reporting Services\ReportServer\bin on the report server and copy the rsclientprint.cab file to the “%systemroot%\downloaded program files\” directory and register the RSClientPrint.dll. This will enable the client to work for all users, without admin rights.  Further, you need to be an administrator to copy the files.

    My forum post:

    http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/b5eb5cd7-f00a-4bbe-a3db-4fbae269fea8

    We were getting the same class ID as you.  See my post for a pic.

    Monday, March 11, 2013 4:44 PM