Unable to Install (only some) ActiveX Controls
Posted by William Diaz on February 7, 2013
So, we had just validated our latest Windows 7 image and were looking forward to start rolling it out to the next batch of offices. Everything had seemed fine in testing until we hit a little snafu when a user complained that they were unable to access on online training tutorial that required the use of an ActiveX plug-in. Instead of asking the the user to install or run the ActiveX control, it redirected the user to a manual join method, which also failed. The manual join method was just another means of delivering the ActiveX control as a file that could be executed.
I was asked to look and was able to reproduce. This was odd because none of our previous Win 7 images exhibited the problem with this site, which validated that it was not a website issue. I also tested with another page that I knew contained an ActiveX control and was still unable to download the control. The file simply never made it to the system. Actually, I began to suspect that the fact that both sites were internal might be the issue because I was able to go out to the Internet and run a ActiveX test at http://www.pcpitstop.com/testax.asp and also buy visiting Adobe and running an install of Flash Player. So the question was why were some ActiveX controls downloading and others not?
the answer came the next morning when I realized that both ActiveX controls that could not be downloaded were coming from https, secure sites. I didn’t quite recall the setting or where it was (I knew I had come across this in the old WinXP days of Outlook when some users were unable to download calendar appointment files via https hyperlinks in emails) but I knew I could find it with a quick Process Monitor trace and the search phrase “SSL”.
The second hit provided my answer in HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLpages. The value was set to 1, which meant it was enabled. The UI setting actually resides in the IE Internet Options Panel under the Advanced tab, Do not save encrypted pages to disk:
When checked, IE will not save files from secure sites to the computer.
As for how it got there, we suspect a Windows update may have enabled it at some point as the new image included several updates that the old image did not. As far as enforcing the setting via group policy to make sure it would not be enabled, this can be found under User Configuration > Admin Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page. This will create a new DWORD with a value of 0 in HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings.