
Internet Explorer 9 Feature Focus: ActiveX Filtering

Years ago, Microsoft brought its component-oriented software technologies to the web in the form of ActiveX, a lightweight and simplified version of the COM (Component Object Model) technology it had previously created for Windows. ActiveX was a good idea in that it allowed web developers to add more sophisticated capabilities to their sites in an age when the web was in its infancy and native capabilities were unimpressive.

But ActiveX had a dark side: It was proprietary, not open like much of the web, and worked only on Internet Explorer, and then only on Windows. More problematic, ActiveX also proved to be highly insecure, and was the source of many Internet-borne electronic attacks. Microsoft improved the security of ActiveX over the years, but it was too late: No other major browser vendors support the technology and of course the web has moved on to newer, more modern technologies that offer many of the capabilities of native desktop applications.

Unfortunately, IE 9 still relies pretty heavily on ActiveX, and many browser add-ons, including modern ones like Silverlight and Adobe Flash, are implemented as ActiveX controls. It seems like ActiveX isn't going anywhere.

As part of its effort to further enhance the security of IE 9, however, Microsoft has added a new feature called ActiveX Filtering that can block all ActiveX controls from working within the browser using a single switch. Then, users (or corporate administrators) can re-enable controls only on those sites they explicitly trust. Somewhat more ponderously, it's also possible to re-enable specific controls globally, so they always work no matter which site you visit.

ActiveX Filtering is off by default, meaning that ActiveX controls will natively work within Internet Explorer 9 just as they did in previous versions of the browser. To enable ActiveX Filtering, click Tools, Safety, and then ActiveX Filtering. No window will pop up, but by making this selection you have enabled the feature. To see that this is so, open Tools, Safety again and verify that the ActiveX Filtering choice is now checked.

Of course, disabling ActiveX will cause some sites to stop working properly, notably Flash-driven sites like YouTube. When this happens, you will see a small blue circle with a line through it in the IE 9 One Box (address bar), and if you mouse over this control, it will report that "Some content is filtered on this site" in a tooltip.

Click the control and the following confusing dialog will appear:

Contrary to the message, if you click the Turn off ActiveX Filtering button, IE 9 will not turn off ActiveX Filtering. It will instead turn off ActiveX Filtering for that site only. This is an important distinction, obviously, and it gives you a site-by-site way to re-enable ActiveX controls.

At this point, IE 9 will display a normal notification (at the bottom of the browser window) asking you if you'd like to enable the control. Choose Allow to do so.

Enabling ActiveX controls on a site-by-site basis is probably the safe choice. You know, for example, that YouTube and MSN are most likely "safe" in that they're not actively trying to hijack your system. But some people may prefer to enable ActiveX Filtering but then want to re-enable certain controls (like Flash) across all sites. There are a couple of ways to do this, but the simplest may be to open the Manage Add-ons interface (Tools, Manage Add-ons), and then navigate to Toolbars and Extensions and then the ActiveX control in question. Then, right-click the control and choose "More Information."

In this window, there is a button called Allow on all sites. If you click this, ActiveX Filtering will remain enabled, but that control will work on every single site you visit.

This interface also provides a way to see which sites you've OK'd for particular controls when ActiveX Filtering is enabled. And if you've enabled the control on a site inadvertently, or would otherwise like to disable it on a site-by-site basis, you can do so from here.

Final thoughts

While I understand the value of ActiveX, even given the ongoing evolution of the web, I still feel that disabling ActiveX controls across the board and then re-enabling them on a site-by-site basis is advisable. Yes, it's a bit ponderous, but it's also more secure. For this reason, I applaud Microsoft for adding ActiveX Filtering to IE 9, and recommend that all readers enable this feature as soon as possible.
