Stop IE 'Active Scripting' for all computers in a domain

A supercritical zero-day IE flaw has been released in to the wild by a reckless British company.  There are no patches available as of 11/22/2005.
Written by George Ou, Contributor on

A supercritical zero-day IE flaw has been released in to the wild by a reckless British company.  There are no patches available as of 11/22/2005.  Here is what you can do now to protect your organization at an Enterprise wide level.  You must disable "Active Scripting" on all Windows computers running Internet Explorer 5.5 or 6.0 even if you have Windows XP SP2 installed.  While this can be done on an individual PC basis, it is not very feasible on a large scale.  Microsoft Active Directory (Windows 2000 or 2003 Active Directory) can allow you to set Internet Explorer security settings for all computers joined to an Active Directory domain.  Here is the procedure for configuring these settings on a domain level:

Open up the "Active Directory Users and Computers" console.  Right-click the top of the Active Directory and click "Properties"

Jump to the "Group Policy" tab, highlight "Default Domain Policy", and then click "Edit".

Jump to "User Configuration" - "Windows Settings" - "Internet Explorer Maintenance" - "Security".  Then double-click on "Security Zone and Content Ratings".

Choose "Import the current security zones and privacy settings".  Then click on "Modify Settings"

Note:  Windows 2003 servers might give the following warning if the "Internet Explorer Enhanced Security Configuration" feature is installed.

If you see this warning, you must uninstall "Internet Explorer Enhanced Security Configuration" first.  To do so:

  • Open Add or Remove Programs in Control Panel.
  • Click Add/Remove Windows Components.
  • Uncheck "Internet Explorer Enhanced Security Configuration".
  • Finish the process.
  • Then, you can go ahead to configure the settings.

You should actually see the following message:

Click "Continue".  You may need to click on the "Modify Settings" button again from the previous screen.

Then you will see the following screen.  Highlight "Internet" and click on "Customize Level"

The "Security Settings" window pops up and if you scroll down to the Active Scripting area, you'll most likely see the following default "Medium" settings.

You will need to change to the following settings.  I tossed the other 2 changes in for good measure but you don't have to do them for this "Active scripting" vulnerability.

After you hit "OK", you'll get prompted for yes or no.  Click "Yes".

To make sure that your Intranet doesn't break, you'll want to make sure your domain is listed under the "Trusted sites" zone where security can be low.  Highlight "Trusted sites" and then click on the "Sites" button.

Just type in *.your_root_domain.com and click "Add".

Click close and OK a few more times to exit all the way out of everything.  You may need to fine tune these settings for your organization's specific needs, but you now get the idea of how you can set global IE security settings.

Editorial standards