Re: How to prevent my information from being accessed by webpages

Ant wrote:
> "Todd H." wrote:
>> "Sebastian G." writes:
>>> The problem is that you can't actually disable ActiveX due to numerous
>>> flaws in IE's implementation.
>> Yup.
>
> Could either of you give me an example of how disabling it fails or
> point to somewhere that discusses it?

Well, three big issues:
- If you instantiate it through a CLSID instead of the interface name (which
is actually undocumented as well as invalid HTML), then the COM server is
responsible for instantiation. So, in 99% of all cases MSIE is earlier, and
applies its policies (meaning: does not instantiate the control); in the remaining
1% the policies are totally bypassed. Even further, one can trigger updates
of existing controls, provide old signed controls, and possibly even
redirect to arbitrary download locations.
- Aside from the policies, some controls are ultimately trusted and can
always be instantiated. Just take a look at the source code of MSIE's
internal error webpages...
- Even if instantiation is not attempted at all, just searching for the
control has funny side effects. For example, as in Windows 2000 SP3, trying
to instantiate the Control TlntSrvClient.TlntSrvEnum triggers the startup of
the Telnet Server Service (if installed, and the user logged in as Admin).
But IE has other issues as well, like, for example, boundary errors in the CSS parser.
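
An added example, not part of the original post: a content-filter style check that lists every `<object>` element naming a control by CLSID, along with any `codebase` download location it supplies. It assumes the CLSID-based instantiation in the first point takes the form of a `classid="clsid:..."` attribute; `scan_html`, the `allowed` set and the sample page are hypothetical.

```python
import re
from html.parser import HTMLParser

# GUID body of a CLSID, without braces.
GUID_RE = re.compile(r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$")
# "clsid:" scheme prefix; whatever follows is captured even if malformed.
PREFIX_RE = re.compile(r"^\s*clsid:\s*(.*?)\s*$", re.I | re.S)


class ObjectTagScanner(HTMLParser):
    """Collects <object> elements that reference a control by CLSID."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag != "object":
            return
        attr = {k: (v or "") for k, v in attrs}
        m = PREFIX_RE.match(attr.get("classid", ""))
        if not m:
            return  # no classid, or not the clsid: scheme
        clsid = m.group(1).strip("{}").upper()
        self.findings.append({
            "clsid": clsid,
            "well_formed": bool(GUID_RE.match(clsid)),
            "codebase": attr.get("codebase") or None,  # download location
            "line": self.getpos()[0],
        })


def scan_html(text, allowed=frozenset()):
    """Return findings; 'allowed' is a hypothetical set of expected CLSIDs."""
    scanner = ObjectTagScanner()
    scanner.feed(text)
    scanner.close()
    for f in scanner.findings:
        f["allowed"] = f["clsid"] in allowed
    return scanner.findings


# Constructed sample page; the CLSIDs are placeholders, not real controls.
SAMPLE = """<html><body>
<OBJECT ClassID="CLSID:11111111-2222-3333-4444-555555555555"
        codebase="http://downloads.example/ctl.cab#version=1,0,0,0"></OBJECT>
<object classid="clsid:{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"></object>
<object data="movie.svg" type="image/svg+xml"></object>
</body></html>"""
```

Findings that are not on the allow-list, or that carry a `codebase`, are the ones worth logging or stripping at a proxy, since that path does not depend on the browser's own ActiveX settings.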