IE message Allow blocked content:- IE restricted this page from running scripts or ActiveX controls? Why?

Question

We have developed an ActiveX object that is called via JavaScript in browser..

We have implemented IObjectSafety and also we have registered this dll using regasm mydll.dll /tlb /codebase

When we open this page locally we get the message as:-

IE restricted this page from running scripts or ActiveX controls? We then have to choose Allow blocked content for it to run..

However, there is no such msg when the page in run from the server...

Why is this message coming up locally? What is the solution to fix this from the code of the ActiveX object?

We have signed the ActiveX dll using VS2010 snk file... We have implemented IObjectSafety for the activex dll... We have registered this dll using regasm mydll.dll /tlb /codebase If I had not implemented the above 2 steps then, would I also have had got the error when opening the page in IE locally as well as on server?

Answer 1

It's not enough to have signed your DLL with a self-generated .SNK file. You need buy a full-featured Authenticode signing certificate, issued by an accredited trusted authority. Do shop around, options ranges, e.g. from this to this.

Once you've obtained a certificate, here is how to use it.

Supporting IObjectSafety is required, but it doesn't make your control automatically safe. You just declare that it is safe, it's a statement. If you get your control deployed on 1000 pcs, then someone creates a VBScript trojan abusing the API of your control, you might get sued for the false statement. To stay safe, you should use something like Sitelock template.

However, if run your pages locally via file:// protocol and do the manual deployment of your DLL, it's a different story. You don't have to sign your control with Authenticode in this case. However, all ActiveX controls (safe and unsafe) are disabled by default, for security reasons. More details: Understanding Local Machine Zone Lockdown. You can get around it using Mark of the Web.