|Subject:||Confusing GP text can open IE security hole|
|Posted by:||ThomasMc07 (ThomasMc…@discussions.microsoft.com)|
|Date:||Tue, 13 Nov 2007|
There's an error in the "explain" text for the "Download (un)signed ActiveX
controls" group policy in the IE7 inetres.adm template. Following the
instructions in the text will potentially open a security hole in IE.
"This policy setting allows you to manage whether users may download signed
ActiveX controls from a page in the zone.
"If you enable this policy, users can download signed controls without user
intervention. If you select Prompt in the drop-down box, users are queried
whether to download controls signed by publishers who aren't trusted. Code
signed by trusted publishers is silently downloaded.
"If you disable the policy setting, signed controls cannot be downloaded.
"If you do not configure this policy setting, users are queried whether to
download controls signed by publishers who aren't trusted. Code signed by
trusted publishers is silently downloaded.
In reality, if you "disable" the policy setting, ActiveX controls can be
downloaded and most likely will, unless another policy prevents it.
It is because disabling the policy setting disables the ability to block
downloads, not the ability to download. To actually block downloads, one must
first enable the policy and then choose disable in the dropdown list.
This is a security issue. Please fix.