Silently Disable Internet Controls the Easy Way

A little-known Microsoft Knowledge Base article, "How to stop an ActiveX control from running in Internet Explorer" (http://support.microsoft.com/?kbid=240797), documents how to set a "kill bit" to disable particular ActiveX controls in Microsoft Internet Explorer (IE). This technique is useful if you want to restrict IE on your network. Unlike simply disabling active content in IE, setting the kill bit tells IE to silently reject a specific control without sending the annoying warning about page content not rendering properly with the control disabled.

Probably one reason few people use this technique is that they must find the class ID (CLSID) for the control to disable it—and the techniques the article offers for finding the CLSID aren't realistic. The article suggests contacting the OEM for the particular control (!) or searching through HKCR\CLSID in the registry. You might have no idea who the OEM is (particularly in the case of malicious software—malware—browser controls) and HKCR\CLSID might contain thousands of control entries, so neither suggestion is workable. However, it's simple to set a kill bit if you approach it from the standpoint of knowing that a control you want to disable exists. Here's the technique I show systems administrators for finding a CLSID and disabling a control. As an example, I'll disable the Macromedia Shockwave player, something you might want to do on Terminal Server systems.

If the control is already on a machine on your network, go to that machine, open IE, select the Tools menu, and choose Internet Options. On the General tab, click Settings, then click View Objects. The window displays all the downloaded controls with friendly names. Right-click the setting you want to kill and select Properties. The ID line in the Properties dialog box will contain the CLSID. Just copy that line, and you have the CLSID (in this case, {D27CDB6E-AE6D-11CF-96B8-444553540000}).

If the control you want to kill isn't on the machine, open IE and browse to a site that prompts you to download the control. Refuse the download, and after the page loads, select Source from IE's View menu. Search for the string clsid: in the page. The alphanumeric CLSID will immediately follow that string in the format "clsid:D27CDB6E-AE6D-11CF-96B8-444553540000". Copy the value (without the double quotes and the clsid: prefix) and enclose it in curly brackets.

Then open the registry editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility. Create a new subkey whose name is the CLSID you just copied. Don't forget the curly brackets. Beneath that subkey, create a REG_DWORD value named Compatibility Flags with a value of hexadecimal 400 or decimal 1024. That's it; the control will no longer work in IE (nor will it prompt users to download).

If you need to disable a control on multiple machines, you can select the subkey—in the case of the Shockwave player it would be HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}—export it from the registry editor, and import it onto the machines where it's needed.

Alternatively, you could create a custom template that sets the registry value and deploy the template through Group Policy.
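
The two manual steps above (pulling the CLSID out of a page's source, then distributing the subkey as a registry file) can be scripted. The following is an added example, not part of the original article: the function names and the sample page source are constructed for illustration, while the key path, value name, and 0x400 flag are the ones given in the text.

```python
import re

# Key path and value name as given in the article; 0x400 is the kill bit.
BASE_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"
            r"\Internet Explorer\ActiveX Compatibility")
KILL_BIT = 0x400

# "clsid:" followed by a GUID in 8-4-4-4-12 hex form, as found in classid attributes.
CLSID_RE = re.compile(
    r"clsid:\s*\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?", re.IGNORECASE)


def find_clsids(page_source):
    """Return the distinct CLSIDs in page_source, braced and upper-cased, in page order."""
    seen = []
    for match in CLSID_RE.finditer(page_source):
        clsid = "{" + match.group(1).upper() + "}"
        if clsid not in seen:
            seen.append(clsid)
    return seen


def kill_bit_reg(clsids):
    """Build the text of a .reg file that sets the kill bit for each CLSID."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines.append("[" + BASE_KEY + "\\" + clsid + "]")
        lines.append('"Compatibility Flags"=dword:%08x' % KILL_BIT)
        lines.append("")
    return "\r\n".join(lines)


# Constructed sample page source (not taken from a real site); the same
# control is referenced twice with different letter case.
SAMPLE_SOURCE = """
<object classid="clsid:D27CDB6E-AE6D-11CF-96B8-444553540000" width="550" height="400">
  <param name="movie" value="intro.swf">
</object>
<OBJECT CLASSID="CLSID:d27cdb6e-ae6d-11cf-96b8-444553540000"></OBJECT>
"""

if __name__ == "__main__":
    print(kill_bit_reg(find_clsids(SAMPLE_SOURCE)))
```

Importing the generated file sets Compatibility Flags to exactly 0x400, replacing any value already stored under that subkey.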
