Dela via


ActiveX Filtering for Consumers

ActiveX Filtering in the IE9 Release Candidate gives you greater control over how Web pages run on your PC. With ActiveX Filtering, you can turn off ActiveX controls for all Web sites and then turn them back on selectively as you see fit. While ActiveX controls like Adobe Flash are important for Web experiences today for videos and more, some consumers may want to limit how they run for security, performance, or other reasons.

In this post, we’ll show how you can improve your browsing experience with ActiveX Filtering. We’ll walk through how this feature works in IE9 and share details on how IT administrators can deploy this feature in corporations. In a future post we’ll share some best practices that Web site authors should use to ensure that their sites work well with ActiveX Filtering.

You can try out ActiveX Filtering in the Release Candidate using this demo from the IE TestDrive site. You can also see the feature in action in this short video:

Background: ActiveX Controls & Browsing

To display interactive content and video, many of today’s Web sites use plug-ins like Adobe Flash or Microsoft Silverlight. “ActiveX” is the technology these plug-ins use to run inside of IE. Like other add-ons, they are essentially Windows applications that run in the browser. Poorly written add-ons and ActiveX controls can therefore affect IE’s performance, reliability, security and privacy in similar ways.

Some controls may be used to display undesirable or malicious content, preventing you from having a good experience when viewing a Web site.

Screen shot showing page with no blocked ActiveX content
ActiveX content may prevent you from having a good experience viewing a Web site

Some consumers are concerned about the potential impact of ActiveX controls and would want to limit them to run only on Web sites where you need them to view the content. ActiveX Filtering is a built-in, more generalized version of browser extensions like FlashBlock and ClickToFlash.

Introducing ActiveX Filtering

With ActiveX Filtering, you choose which sites are allowed to use your ActiveX controls, while all other Web sites cannot use them. ActiveX Filtering helps limit the impact that ActiveX controls have on your browsing experience since the controls can run only on specific sites. ActiveX Filtering also prevents Web pages from showing potentially unwanted content that relies on ActiveX controls.

Screen shot showing page with blocked ActiveX content
ActiveX Filtering enables you to focus on the content you want to view

By default, IE9 does not filter any ActiveX controls on Web sites to ensure you experience the sites as intended by their authors. If you desire increased control of ActiveX controls while browsing, you can enable ActiveX Filtering via the Tools menu:

Tools / IE9 Tools Menu Icon > Safety > ActiveX Filtering

Once you enable ActiveX Filtering, IE prevents ActiveX controls from running on all Web sites. When you visit a Web page that contains ActiveX controls, notice that ActiveX content is blocked from loading on the page. IE displays fallback content chosen by the site’s author if it is available.

Instead of displaying a prominent notification prompting you to install or enable controls, IE stays out of the way of your browsing while it also makes it easy for you to turn off filtering when you need to. IE displays an icon in the address bar to indicate that some content has been filtered on the site.

Screen shot showing some ActiveX content blocked icon in address bar

If a Web site contains ActiveX content that you want to view, you can turn off filtering for just the current Web site. When you click on the icon in the address bar, IE displays the fly-out window:

Screen shot showing some ActiveX content blocked fly-out window

You can click “Turn off ActiveX Filtering” for just the current site. Once you take action, IE refreshes the Web page to ensure that ActiveX controls are properly instantiated in place of any fallback content that was originally present on the page. ActiveX controls from other Web pages under the same domain (in the above case, msn.com) will also be unblocked.

The icon on the address bar changes color to indicate that you have turned off filtering on this Web site. After you’ve finished viewing the content, you can turn ActiveX Filtering back on by clicking on the icon again, which re-displays the fly-out window:

Screen shot showing no content blocked fly-out window

The address bar icon and fly-out window are also used for the Tracking Protection feature. If you have installed a Tracking Protection list you may see this icon appear on sites that only contain content blocked by Tracking Protection. In these cases you’ll need to launch the fly-out window to determine what content has been blocked. If you want to reset all the exceptions you’ve made for ActiveX Filtering and Tracking Protection, you can use Delete Browsing history. Be sure to select just this one checkbox:

Screen shot showing section to delete ActiveX Filtering data from the Delete Browsing History dialog
Section to delete ActiveX Filtering data from the Delete Browsing History dialog

ActiveX Filtering for Managed Desktops

Administrators can deploy ActiveX Filtering for their organizations easily by setting a group policy. The feature is disabled by default for the Local Intranet Zone so that intranet Web sites and LOB applications can continue to use ActiveX controls without disruption, and can be adjusted separately for each security zone.

Try it out!

To have a trustworthy browsing experience, it’s important that you are in control of the applications running in your browser. With ActiveX Filtering, you can now browse the Web with more control of your ActiveX controls. You can easily turn on the controls on sites that contain ActiveX content you want to view. This feature successfully limits the content that is allowed to run ActiveX controls, thus minimizing any potential performance, reliability, security or privacy impact on your browsing experience.

We encourage you try out this feature on the Internet Explorer 9 Release Candidate today, using the demo available from the TestDrive site. Please let us know if you find sites that don’t work properly with ActiveX Filtering. We look forward to hearing your feedback through blog comments and the Connect site.

—Herman Ng, Program Manager, Internet Explorer

Comments

  • Anonymous
    February 28, 2011
    The comment has been removed

  • Anonymous
    February 28, 2011
    The comment has been removed

  • Anonymous
    February 28, 2011
    The comment has been removed

  • Anonymous
    February 28, 2011
    A good start, but what about all the Javascript errors you get when disabling controls? That's not a great user experience either. There should be a way for the browser to trick the script into thinking the control is there - or at least implement some Javascript exception handling to suppress errors that stop the rest of the page from working.

  • Anonymous
    February 28, 2011
    Are you serious? Yet another ridiculous icon in the address bar! And yet you still can't display favicons in the adress bar drop down? Microsoft never ceases to amaze me at how they add all kinds of wonky features vs. Fixing actual bugs in the application. In case you missed the memo... Users don't want activeX period.  Just deprecate this legacy technology and move on - please.

  • Anonymous
    February 28, 2011
    Hi! Could you provide an HTML5 WebM version of the video, please? I'd rather not view the video with add-ons because of the affect on my browser's performance, reliability, security and privacy.

  • Anonymous
    February 28, 2011
    The comment has been removed

  • Anonymous
    February 28, 2011
    anyone know why on occasion suddenly all plugins go into promt mode on ie8?

  • Anonymous
    February 28, 2011
    @ieblog, I agree with Ken Cox, there should be rescue mechanism in case the script tends to communicate with the blocked control, despite the concepts of good web-development practices of implementing alternatives. Also, when the Tracking Protection is enabled, its entry under Tools>Safety should be checked. Same goes for other items of the same submenu. Conversely, provide the same in the legacy Tools menu (Alt + T). Thank you much & keep up the great work!

  • Anonymous
    February 28, 2011
    @Mortimer Merryweather: The video is in MP4 format and embedded into the post using the HTML5 Video tag. You shouldn't need to use add-ons or plug-ins to view the video.

  • Anonymous
    February 28, 2011
    The comment has been removed

  • Anonymous
    February 28, 2011
    I like ActiveX filtering, but I would like a list of current stored settings (for which sites ActiveX has been enabled) and a way to edit it (add/remove entries) rather than a blanket erase.

  • Anonymous
    February 28, 2011
    How does ActiveX filtering interacts with InPrivate mode?  I would guess that changes to the filtering settings would be local to the session, but this seems unreliable (sometimes the settings are reverted after closing all browser windows, sometimes they aren't).

  • Anonymous
    February 28, 2011
    @Herman [MSFT] : "The video is in MP4 format and embedded into the post using the HTML5 Video tag. You shouldn't need to use add-ons or plug-ins to view the video." I very much agree that I shouldn't. However in practice I have to due to an inexplicably stubborn resistance to providing WebM versions of the videos posted on this blog. Stand with us, Herman! Bring WebM video to the IE blog.

  • Anonymous
    February 28, 2011
    looks like MS finally noticed the FlashBlock firefox plugin was a pretty good idea and decided to copy it.

  • Anonymous
    February 28, 2011
    Ken Cox: If a site is designed without a fallback for disabled controls, then complain to the site. I would rather not want IE to try to handle this. It would make it much more difficult for developers to to develop and test their sites.

  • Anonymous
    February 28, 2011
    Contrary to some other open format and open source advocates here, I am very much in favor of giving choice to users, including granting privileged access where it can be communicated well to users--even if some will inevitably be duped to do unsafe things, that is a criminal issue to me--we can't refuse access to or stop building roads just because some people may get into accidents; yes, make it safer, of course, but you won't get my vote if you oppose the idea of roads. I also support this work of IE in providing more convenient granular control. It's fine to call a company out when they're being deceptive, but it's pretty petty to heap on criticism blindly. My hope is that open source platforms increase their support for optional privileged access (e.g., as I've expressed at bugzilla.mozilla.org/show_bug.cgi ), while hopefully being able to mutually work with Microsoft and others to standardize such access (my preference would be using the CommonJS Modules syntax to request such privileged access and fall back with a specific type of exception if the user refuses permission). Seeing the WhatWG mailing list discussing a FileSystem interface gives me some hope here. Certainly Geolocation can be abused (maybe even more seriously than file system access) and thankfully it is going through, albeit with informed user control. I also look forward to Kinect-like standard APIs for the web, and every other cool technology... I also really hope the browsers start to allow more shared access across different sites, such as sites requesting access of client-side databases, so that sites can work collaboratively with other sites--maybe not the first priority of powerful web companies, but important for "Open Data". The one thing I was confused with and would disagree with if true, is what appears to be a policy of keeping ActiveX on by default? Does this mean it asks permission by default or it actually runs privileged code by default?

  • Anonymous
    February 28, 2011
    The comment has been removed

  • Anonymous
    February 28, 2011
    很给力,哈哈

  • Anonymous
    February 28, 2011
    ActiveX Filtering for Consumers, icons without text-labels and inside of the address bar? So by consumers you mean tech-savvy people and not say every one else? Because non-technical users don't know about hovering for a title and many non-technical people I know would be completely oblivious to what this is and what it does. "Okay, click on tools." "I don't see anything that says 'tools'." "See the round cog at the top?" On top of that even if they were to enable the ActiveX filtering the panels don't appear by default, you have to click on the icon. Again the icons don't have text labels by default (or worse in any state) so most non-technical users are NOT going to use them. Is the goal to make IE's GUI as unusable and undesirable as possible? These are the reasons my clients don't use IE and they don't complain about the issues that arise out of the poor GUI moves by Microsoft. 1.) Use friendly icons with text-labels to the right like Opera. 2.) The only thing that goes in to the address bar is the ADDRESS! 3.) Make the icons with text labels movable around the various toolbars. 4.) The favorites and commands toolbars are BACKWARDS, the favorites belongs on the right and the commands belong on the left. 5.) The toolbars can't be moved vertically and they should. 6.) The file menu belongs at the top and should be on by default, seriously consider merging it with the top toolbar that contains the maximize/restore, minimize and close buttons.

  • Anonymous
    February 28, 2011
    They don't have labels because if you are stupid enough not to be able to hover and read tooltip, you do NOT need to click those. Just type web address. press enter. browse. click x button.

  • Anonymous
    February 28, 2011
    IE-team should look into providing let's-design-your-own-browser kind of customization. By the way, these blocking/filtering apps came into existence long time ago. There should be an in-depth analysis of every ActiveX control prior to its loading and the filter should automatically warn/inform/block the control as per the risk/intrusion detection (maybe powered by Security Essentials). IE9 runs on MS own WindowsOS, so demanding to address this level of subjectivity, though not easy but, is not impossible. After that write another blog which would qualify as a feature depicting ease-of-access and the users will appreciate it.

  • Anonymous
    February 28, 2011
    @  ABOUT_MSDN_BLOG "Incidentally, why it takes minutes to "Publish" the comment here on MSDN blog when using IE9 and same works swiftly on FF4b12 ???? :=S" You are right but it is not exclusive to IE9. With IE6 it took 63 secornd the last time I measured to pulbish a comment on this blog. The blog software/platform that Microsoft is using is just laughable.

  • Anonymous
    February 28, 2011
    The comment has been removed

  • Anonymous
    February 28, 2011
    打酱油了

  • Anonymous
    February 28, 2011
    The comment has been removed

  • Anonymous
    February 28, 2011
    And now please backport this to IE8!

  • Anonymous
    February 28, 2011
    The comment has been removed

  • Anonymous
    February 28, 2011
    The comment has been removed

  • Anonymous
    February 28, 2011
    @steve - while you (or your company) may support IE6 and IE7 they are obsolete and every day fewer people and businesses use them, and though their are hold outs keeping them if you clam support for the business that comes with them, you have to accept the costs of developing with it or not support it. If that is inconvenient too bad.

  • Anonymous
    March 01, 2011
    The comment has been removed

  • Anonymous
    March 01, 2011
    The comment has been removed

  • Anonymous
    March 01, 2011
    @John Dowdell: That's mostly correct. You can control which domains an individual control can be used with IE's Per-site ActiveX capabilities in Manage Add-ons.

  • Anonymous
    March 01, 2011
    this is great as in china a lot of websites have a great deal of ads...which slow down the browser and system a lot for some low-ram-users...

  • Anonymous
    March 01, 2011
    噢賣糕的!!

  • Anonymous
    March 01, 2011
    腥浪威武

  • Anonymous
    March 01, 2011
    新浪很给力吗。

  • Anonymous
    March 01, 2011
    The comment has been removed

  • Anonymous
    March 01, 2011
    The comment has been removed

  • Anonymous
    March 01, 2011
    到此一游

  • Anonymous
    March 01, 2011
    The comment has been removed

  • Anonymous
    March 01, 2011
    新浪··   电信真爽啊  广告都传播到外国了

  • Anonymous
    March 01, 2011
    新浪V5———by新浪微博观光团

  • Anonymous
    March 01, 2011
    @Ken Cox [MVP]: The Firefox add-on NoScript does in some cases (not entirely sure when, but for example on Youtube if placeholders are active) create a dummy to deter Javascript exceptions from breaking the site.

  • Anonymous
    March 01, 2011
    The comment has been removed

  • Anonymous
    March 01, 2011
    The comment has been removed

  • Anonymous
    March 02, 2011
    http://spoon.net/browsers/ shows me "IE is now in a private beta version". It means that IE will be brought back to spoon.net anytime soon.

  • Anonymous
    March 02, 2011
    The comment has been removed

  • Anonymous
    March 02, 2011
    @steve - The answer is to install XP with IE6, Vista with IE7, and 7 with IE 8 on different partitions of the same hard drive and choosing the version you want to load at boot time.  If the latency of having to reboot to change testing environments is bothersome, use a SSD instead for ten second OS load times.

  • Anonymous
    March 02, 2011
    The comment has been removed

  • Anonymous
    March 02, 2011
    Please allow blocking of scripts and URL references to sites the user doesn't want to retrieve data from.  Many many sites have links to images, scripts, css etc that do not exist.  Viewing the load time from connect until data retrieval for each item on a normal web page shows how slow the invisible or barely visible items make the total time to load a page.

  • Anonymous
    March 02, 2011
    IE9,how can filter the "great fire wall" of China.......any body who can shut down the ***

  • Anonymous
    March 02, 2011
    新浪V5———by新浪微博观光团

  • Anonymous
    March 02, 2011
    The comment has been removed

  • Anonymous
    March 02, 2011
    新浪太悲剧了,记得我以前用来测试Adblock Plus的也是新浪主页。 微软居然跟我不约而同地都选择了它。

  • Anonymous
    March 02, 2011
    +1 on more granularity of controlling what's blocked on the page with this and with tracking, without digging into an interface that isn't linked in the popup dialog - how about under 'turn on activeX' is a link marked Advanced Settings?

  • Anonymous
    March 02, 2011
    新浪V5

  • Anonymous
    March 04, 2011
    The comment has been removed

  • Anonymous
    March 06, 2011
    The comment has been removed

  • Anonymous
    March 07, 2011
    @Mike - I do agree that testing various browser versions should not entail installing a myriad of OSs as it is not technically required.  Microsoft for their own obvious business reasons has decided to legally prevent that from taking place.  I do not think they are going to change their minds because developers are complaining.  That just seems like a waste of time and energy.  The only reason I had responded was to try to devise a solution that would at least take most of the sting out of it.  A single test workstation should be mandatory for an in-house enterprise web application to best simulate the actual corporate environment.  Internet-based applications can use a terminal server to test against.

  • Anonymous
    March 08, 2011
    The comment has been removed