Question: I am testing with Internet Explorer 7 and I keep getting prompted by the information bar to run an ActiveX control, why am I getting this warning?

Answer: One of the security improvements made in Internet Explorer 7 is the addition of a feature called ActiveX Opt-In. The purpose of this feature was to restrict the use of ActiveX controls within Internet Explorer to those specifically intended by the user (or administrator). Unlike previous versions of Internet Explorer, users will now be prompted to run an ActiveX control if they have never used it before. Once approved, the user will never be prompted again for that specific control.

Solution: To best address this issue and provide for system stability and security in your enterprise, Microsoft recommends you create an internal list of approved ActiveX controls (both public and private in the case of internally created ActiveX controls). Centrally managing this list of approved controls will help ensure users are not blocked from certain actions and need helpdesk support to install/approve ActiveX controls for locked down systems. The Group Policy setting is found at:

Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Add-on Management -> Add-on List

Enter all approved ActiveX controls (listed by CLSID) in this object container. You need to enter two items, Name and Value. The Name is the CLSID and the Value needs to be one of:

1. 0 Deny this add-on
2. 1 Enable this add-on
3. 2 Permit user to use Manage Add-ons

To quickly and easily find your complete list of CLSIDs, once you have added all approved controls to a machine, open the Manage Add-ons dialog and add the Class ID column.

Once this list is complete, you can use Group Policy to create and propagate the approved list to systems in your AD domain. If you want to lock down this list of controls to only those you have approved for your organization, enable the Group Policy Setting at:

Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Add-on Management -> Deny all add-ons unless specifically allowed in the Add-on list

To provide additional control over the user experience, and remove the information bar notifications entirely, you can disable the Group Policy Object found at:

Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Information Bar -> Internet Explorer Processes

Question: Internet Explorer 7 is blocking users from running critical ActiveX controls so they cant use our web applications. How can I unblock those controls?

Answer: By default, Internet Explorer 7 is designed to block all previously unused ActiveX controls. This change was made to increase overall security and limit potential system exposure due to ActiveX controls that were never intended to be exposed to the Internet. Certain well known and tested ActiveX controls are pre-approved and will not prompt users even if they have never previously used the ActiveX control. More information about the ActiveX Opt-In feature can be found at http://msdn2.microsoft.com/en-us/library/bb250471.aspx.

Solution: You can use Group Policy to specifically approve certain controls, and/or block all but those approved for your organization. The Group Policy setting for managing the list is found at:

Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Add-on Management -> Add-on List

Once your list is complete, you can use Group Policy to create and propagate the approved list to systems in your AD domain. If you want to lock down this list of controls to only those you have approved for your organization, enable the Group Policy Setting at:

Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Add-on Management -> Deny all add-ons unless specifically allowed in the Add-on list

In addition, users running Internet Explorer 7 on Windows Vista can take advantage of the ActiveX Installation Service to install pre-approved controls without the need for administrator privileges. More information about the ActiveX Installation Service can be found at http://blogs.msdn.com/uac/archive/2006/09/13/752248.aspx.

Question: Im running the 64 bit version of IE and it keeps crashing when I go to various websites, whats the problem with Internet Explorer?

Answer: You are most likely seeing an issue where Internet Explorer is experiencing a situation with add-ons that are not 64 bit compatible and Internet Explorer is unable to properly load and use the 32 bit versions.

Solution: At this time we are working directly with many of the top add-on software vendors to make their ActiveX controls available in 64 bit versions, but most have not yet made version of their applications available. Until they make their software available, you would need to run Internet Explorer in 32 bit mode in order to access sites which use those controls. For browsing sites that do not use those controls you can continue to run the standard 64 bit version and take advantage of the increased speed and performance of that version.

Question: We are testing Internet Explorer 7 on both Windows Vista and Windows XP SP2. We get a red X icon when trying to use Outlook Web Access with Internet Explorer 7 on Windows Vista, but Windows XP SP 2 works fine. Whats wrong with Windows Vista?

Answer: There is nothing wrong with Windows Vista, or Internet Explorer 7. Among many of the changes made in Windows Vista, the DHTML editing control was deprecated. In that process, any websites which made use of the control will no longer be able to access it. Outlook Web Access is one popular application that used the DHTML control.

Solution: For Windows Vista users the only solution is to modify the control which the web application is attempting to use. The Exchange Server team issued a patch (Knowledge Base article 911829 http://support.microsoft.com/kb/911829) to resolve this issue. Applying this patch will resolve the issue and restore proper functionality for all users. You will need to contact your other software vendors to inquire about and obtain their software fixes if they use this deprecated control.

Be advised this control was deprecated for security purposes and Microsoft recommends it should not be installed on Windows Vista machines as a workaround to this issue. The only recommended workaround is to install the Exchange Server patch, there is no client side fix for this issue.

Question: Our systems create PDF documents and we keep having issues loading a document, closing the tab and opening a new document. After we close the first one, we keep getting blank pages. Whats wrong with our installation?

Answer: There is nothing wrong with your installation. We are aware of this issue being reported by some users, and are working with Adobe to provide an updated ActiveX control to resolve the issue.

Solution: The issue appears to be caused when the Adobe Acrobat ActiveX control fails to properly register and react to a tab close event. The currently available control was written before Internet Explorer supported a tab browsing interface, so the control is expecting to close along with the connected iexplore.exe process. If any tabs remain open when the tab with PDF document closes, the Adobe Acrobat process AcroRd32.exe remains running. Since the process is not properly terminated, it will not launch again for the next PDF document load request. There are two options for workarounds until Adobe provides an updated client solution:

1. When users encounter issues with loading PDF documents and only see a blank page, they can manually terminate the AcroRd32.exe process. Once the process is terminated they need to re-access the desired page/report and Adobe Acrobat should load properly.
2. Open any PDF documents in a new window.
   1. This can be done programmatically by modifying your web application to force a new window for each PDF document. Using the JavaScript window.open command is one solution.
   2. Users can manually force this type of action by holding down the SHIFT key when clicking on a PDF document link (or report generation link). An alternative technique would be to right click, then select Open in New Window.