Allow ActiveX Installations for Trusted Sites with Group Policy

I have added a site to the Trusted Sites via GPO.  I have enabled ActiveX Installer Service and enabled the Establish ActiveX installation policy for sites in Trusted Zones.  However, when a user goes to the trusted site, the user is still prompted for admin credentials.  The program that is requesting admin access is the Internet Explorer Add-on Installer.  Anyone know a way to allow this installer to complete without admin credentials?
arkhaminmate11n Asked:

Will Szymkowski, Senior Solution Architect, Commented:
Take a look at the following KB article as there appears to be a hotfix for the AXIS for Windows 7 machines.
https://support.microsoft.com/en-us/kb/2506591

Will.
btan, Exec Consultant, Commented:
When configuring the ActiveX installation policy for the Trusted sites zone, do make sure:
- Web sites that are trusted are added into the Trusted sites zone, to enable them to install ActiveX controls without requiring administrator approval.
- You can even have sites in the Trusted sites zone be specified with wildcard characters in combination with a subdomain; for example, adding the Web site https://*.TrustedDomain.org to the Trusted sites zone. This is more useful if you have multiple trusted forests in your organization.

Also check to enable the Security Zones: Use only machine settings policy setting under
 Computer Configuration\Administrative Templates\Windows Components\Internet Explorer

Next populate the list of trusted sites that you will deploy by GPO in the Site to Zone Assignment List policy setting under
 Computer Configuration\Administrative Templates\Internet Explorer\Internet Control Panel\Security Page

Some checks to add on
Sites that have been added to the per-site exception list will be saved as registry values to the key at:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Safety\ActiveXFilterExceptions]

If Enhanced Protected Mode is enabled, add-ons must be compatible with Enhanced Protected Mode in order to run without user intervention.

As with ActiveX Filtering, it is possible to populate a per-site exception list for Enhanced Protected Mode. Sites that have been added to the exception list by clicking the “Run control” button in the alert box will be saved as registry values to the key at:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabProcConfig]
https://ardamis.com/2015/04/20/practical-administration-of-internet-explorer-activex-controls-using-group-policy/
arkhaminmate11n, Author, Commented:
Thanks.  The KB article is not applicable.  As noted in my original post, I have added the sites to the Trusted sites.  Any other ideas?
btan, Exec Consultant, Commented:
Besides adding into trusted site, do consider
I was able to get this to work right if I specified the web site directly in the other policy in the ActiveX Installer Service area - "Approved Installation Sites for ActiveX controls"...I did not get it to work correctly from the "ActiveX installation policy for sites in Trusted zones" (Yes, I am sure the web site is in Trusted sites - it shows correctly in the status bar in the browser)
https://social.technet.microsoft.com/Forums/ie/en-US/203c1f17-1f11-4acb-9534-25b46a34e7ae/activex-control-installation-from-trusted-sites
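
A read-only check of the settings named in the two answers above, added here as an example and not part of any post in the thread. The HKLM policy paths, the `Security_HKLM_only` value name, the `AxInstSV` service name and the sample host are assumptions not given in the thread, so verify them against your ADMX templates; the two HKCU keys are the ones quoted above.

```powershell
# Added example: audits where the discussed policies land on a client. It changes nothing.
param([string]$SiteHost = 'reports.trusteddomain.org')   # hypothetical host to test

# Assumed policy locations (not stated in the thread).
$inet = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$axis = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AxInstaller'

function Get-RegValues([string]$Path) {
    # Emit Name/Value pairs for every value under a key; emit nothing if the key is absent.
    if (-not (Test-Path -Path $Path)) { return }
    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Key = $Path; Name = $name; Value = $key.GetValue($name) }
    }
}

# 1. "Security Zones: Use only machine settings" (1 = per-user zone entries are ignored).
$hklmOnly = (Get-ItemProperty -Path $inet -Name Security_HKLM_only -ErrorAction SilentlyContinue).Security_HKLM_only
"Security_HKLM_only       : $hklmOnly"

# 2. Site to Zone Assignment List: entries matching the host, wildcards included. Zone 2 = Trusted sites.
$zoneHits = @(Get-RegValues "$inet\ZoneMapKey" | Where-Object {
    $SiteHost -like ($_.Name -replace '^[a-z]+://', '')
})
if ($zoneHits.Count -eq 0) { "ZoneMapKey               : no entry matches $SiteHost" }
$zoneHits | Format-Table Name, Value -AutoSize

# 3. The ActiveX Installer Service must exist and be startable for either AXIS policy to apply.
Get-Service -Name AxInstSV -ErrorAction SilentlyContinue | Format-Table Name, Status, StartType -AutoSize

# 4. AXIS policies: "Approved Installation Sites for ActiveX controls" and the Trusted-zone installation policy.
Get-RegValues "$axis\ApprovedActiveXInstallSites" | Format-Table Name, Value -AutoSize
Get-RegValues "$axis\AxISURLZonePolicies"         | Format-Table Name, Value -AutoSize

# 5. Per-user exception lists quoted in the thread (ActiveX Filtering and Enhanced Protected Mode).
$userKeys = 'HKCU:\Software\Microsoft\Internet Explorer\Safety\ActiveXFilterExceptions',
            'HKCU:\Software\Microsoft\Internet Explorer\TabProcConfig'
foreach ($k in $userKeys) { Get-RegValues $k | Format-Table Key, Name, Value -AutoSize }
```

Run it as the affected user on the client after `gpupdate /force`; an empty section means that policy never reached the machine, which separates a GPO scoping problem from a control that needs administrator rights regardless of policy.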
arkhaminmate11n, Author, Commented:
I think I am bumping into this sort of situation:

Spoke to Microsoft.  They stated you can’t install the rsclient print control via or using the active x installer service.  Apparently the rsclient requires administrative privileges and therefore you can’t use this active x installer service. The workaround is you need to deploy the control manually.   To do this you copy the files from C:\Program Files\Microsoft SQL Server\MSSQL.x\Reporting\ Services\ReportServer\bin on the report server and copy the rsclientprint.cab file to the “%systemroot%\downloaded program files\” directory and register the RSClientPrint.dll. This will enable the client to work for all users, without admin rights.  Further, you need to be an administrator to copy the files.

Thus, I am not sure how to get around the "admin" requirement.
btan, Exec Consultant, Commented:
I am thinking then will disabling UAC (or set to low) still have such issue ... wearing security hat, I will want higher bar though..
arkhaminmate11n, Author, Commented:
I think the best option is to ask the owner of the website to redesign the site so it does not use ActiveX.
btan, Exec Consultant, Commented:
If that is possible, that is the best, as any add-on is subject to blocking policy, esp. installation, which for most of them needs more privileges that normal users may not necessarily have (unless home PC). Even some browsers have the NoScript plug-in (disabling JavaScript and active scripting etc.) and policy to enforce proxy lockdown which blocks active-script, media-laden sites. Side track, IE is going for an overhaul too in Jun 15 and that can have other repercussions. So it is always good to review to make the site more friendly if the owner is open to that. https://www.microsoft.com/security/portal/mmpc/shared/ObjectiveCriteria.aspx
arkhaminmate11n, Author, Commented:
Best option is to ask site admins to redesign site so it no longer uses ActiveX.