Adding Adminstrator Approved Controls to Group Policy

Step by step directions on how to add ActiveX controls to be available as Administrator Approved Controls.


Joshua Cantara
Last Revised: September 9th, 2004

Summary

      This document will cover in a step by step fashion how to add all the ActiveX controls of your choosing to be available in Group Policy as "Administrator Approved Controls". The Group Policy templates that ship with Windows 2000, XP and 2003 have a limited number of built-in controls available for use with this great feature and documentation from Microsoft on how to add more is shoddy at best. With these instructions you can quickly and easily add new controls in less time than it would take to download and install the IEAK, which is the supported but more difficult method.
      Armed with your own list of approved controls you can use complentary security zone policies to down the internet zone and deny all ActiveX controls except for those you specify. This way your users will be able to load the Flash and Adobe Reader plugins while not allowing media playing or worse, spyware/toolbar installing controls to load.

Index

  1. Getting the details for the controls you wish to add
  2. Creating a new Group Policy template
  3. Using your new template

Getting the details for the controls you wish to add

Every ActiveX control has a unique ClassID assigned to it. It's this ClassID that Internet Explorer uses to load it and is also what allows Group Policy to control which ones are allowed. A list of approved ClassIDs are kept in the registry and IE is only allowed to load ones that match an entry in the approved list. Thusly the first step in approving a control is to determine what its ClassID is.

Creating a new Group Policy template

Now that we have the ClassID(s) we need to use them in conjunction with a Group Policy Template in order to turn them in to available Administrator Approved Controls. Fortunately Group Policy Templates are nothing more than text files that spell out what registry keys should be created and what values they should be set to so creating one is not difficult.

Using your new template

Conclusion

      Now that your work is complete, you can create another template to add more, re-edit the existing template and then remove and re-add it to this group policy; whatever you desire. By preparing this list of approved controls you can gain a tighter control of your company's web surfing and protect your users from browser-based ActiveX attacks.