By Peter Bright
May 11, 2008 - 06:11PM CT

ActiveX has long been regarded as a thorn in the side of Windows users everywhere; a gaping hole through which spyware and viruses can contaminate your PC and compromise your data. Although much of the criticism leveled at ActiveX is excessively harsh, binary browser plugins—that can do just about anything the user can do—do have security concerns.

With Internet Explorer 8, Microsoft's forthcoming version of its embattled browser, steps will be taken to further reduce the exposure caused by ActiveX. The IE blog has recently given details of what we can expect. The biggest of these changes is that Administrator rights will no longer be required to install ActiveX controls. With this feature, regular user accounts will be able to install ActiveX controls privately, to their own user profile.

Although the control may still be bad and exploitable, it will only be able to harm the user who has it installed. This is in contrast to the current situation, where ActiveX controls must be installed globally, and so can compromise any user. To support this, the authors of ActiveX controls-such as the Flash plugin, Java Runtimes, and Microsoft's own Silverlight-will have to package their controls in a special way to enable per-user installation. Unfortunately, this isn't something that can be applied retrospectively to pre-existing controls.

Users will also have to be running Windows Vista (or Windows Server 2008). Although IE8 will be released for Windows XP, this particular feature won't be available on that platform. This mechanism will also be configurable through group policy; an organization with a locked down user desktop will probably want to disable even per-user ActiveX installation. The other significant ActiveX security change is that it will be possible to restrict ActiveX controls to specific domains.