Allowing Active X controles

[Guest]

Hello folks thanks for taking the time to read this post.

First of a certain web based product we use for gathering real estate
listings requires active x plugings our GPO stops users from installing there
own software cause as you know when you let people do that you get all the
nasty spy and malware. So my question is can I set a GPO to only allow active
X controles for the particular url of our application while still disallowing
active x from the rest of the web!

Here is my task:

With our situation, I’d like you to research a way for the users on the
shared computers to freely download Active X controls for MLXchange only. I
do want to continue to stop them from downloading the controls for other
sites since that’s how some of those computers became full of spyware before.

 

[Darryl]

Hello folks thanks for taking the time to read this post.

First of a certain web based product we use for gathering real estate
listings requires active x plugings our GPO stops users from installing there
own software cause as you know when you let people do that you get all the
nasty spy and malware. So my question is can I set a GPO to only allow active
X controles for the particular url of our application while still disallowing
active x from the rest of the web!

Here is my task:

With our situation, I'd like you to research a way for the users on the
shared computers to freely download Active X controls for MLXchange only. I
do want to continue to stop them from downloading the controls for other
sites since that's how some of those computers became full of spyware before.

What about adding the site you want them to access under the GPO for
the trusted sites list?

Or, just find the CLSID and add it under Computer
Configuration>Administrative Templates>Windows Components>Internet
Explorer>Security Features>Add Management>Add-on List.

 

[Guest]

Thanks Darryl! I have tried allowing them into trusted zones but the computer
settinsg stop these user from installing software! I am interested In your
second suggestion though im just not sure were I am able to add this in could
you give me more information on this CLSID?

 

[Darryl]

Well, In most organizations that are in domain environment/setups they
have GPO's linked to certain OU's. If you have something like this in
your org., browse to the OU that holds the GPO and Right click, go to
Properties, then go to the Group Policy tab.

From there, browse to the path I gave you earlier, and that will get

you started.

Or, you can create your OWN OU (recommended) and start fresh, that way
it won't interfere with any existing GPO or policys. It is also
recommended to NOT mess with the default domain policy. Just leave it
be, and create your own.

Let me know if that gives you the information you need.

HTH

 

[Guest]

Wow thats Awsome Darryl Im deffinatly gonna talk about putting this into
affect for the domain. But i just have one concern our policy for users does
not allow them to install software will they still be allowed to install the
addons?

 

[Darryl]

Wow thats Awsome Darryl Im deffinatly gonna talk about putting this into
affect for the domain. But i just have one concern our policy for users does
not allow them to install software will they still be allowed to install the
addons?

Alun,

If the users in question already have limited user rights, the majority
of the software out there will not allow them to install anyway w/o
adminstrative rights. You will still have to manage the add-ons as they
become available. You can give the users the right to manage if you'd
like. But, would you really WANT TO do that? Part of this deployment is
proper planning. YOU as the tech, or you as the group of tech's
responsibility is to test this in a lab environment before you approve
it for production. It is in the list of options that I pointed you,
somewhere, I don't know where exactly, but I do remember seeing it.

 

[Darryl]

Wow thats Awsome Darryl Im deffinatly gonna talk about putting this into
affect for the domain. But i just have one concern our policy for users does
not allow them to install software will they still be allowed to install the
addons?

Alun,

If the users in question already have limited user rights, the majority
of the software out there will not allow them to install anyway w/o
adminstrative rights. You will still have to manage the add-ons as they
become available. You can give the users the right to manage if you'd
like. But, would you really WANT TO do that? Part of this deployment is
proper planning. YOU as the tech, or you as the group of tech's
responsibility is to test this in a lab environment before you approve
it for production. It is in the list of options that I pointed you,
somewhere, I don't know where exactly, but I do remember seeing it.

 

[Guest]

Thanks daryl Well unfortunatly the network is already deployed and the shared
computers were already setup when i started working here. Although I
understand the importance of testing it is not genraly used in our enviroment
(Industy best practices would die if it new how me operated) but I am not in
charge. It is unfortunate that I cant make the instillations run under admin
for specific CSLIDs. My whole project was to save us time and so far i have
dont that. I read the documentation for the software and found a support site
that installs all plugins at once. unfortunatly that still requires a user to
loggin. But at least it only takes 2 mins instead of visiting each page that
requires an Active X controle. Anyway Thanks for all the help daryl you
showed my some cool features of Active directory!