Power Users cannot install ActiveX any longer

[JordanCN]

I am upgrading the network from XP Pro 32 to Windows 7 Pro x64. XP Power Users could install and run ActiveX controls, however users on Windows 7 x64 cannot install the controls from sites on the Internet or on the internal intranet. They do not even seem to be getting a prompt. (Flash Player, Weather maps, etc)

If I log in as Domain Admin I can do it.

We are on an Active Directory so if there is a way to correct this via a Group Policy, that would be great.

 

[BadBigBen]

Windows Vista protects %systemroot% files and folders with permissions designed for Windows Resource Protection (WRP), which can only be accessed by the System service. Administrators can read system files and folders but cannot write to them. Note that this differs from previous versions of Windows.

While it may seem clear that all users should not be able to read, alter, and delete any Windows resource, many enterprise IT departments have no other option but to make all of their users administrators.

The following are some reasons why enterprises run as administrator today:


so you see, you may not get around the issue without promoting PowerUsers to Admins...


* Application installation (members of the Users group cannot install or uninstall applications): Many enterprises have no centralized method for deploying applications to their users, such as Microsoft Systems Management Server® (SMS), Group Policy software installation (GPSI), or another similar application deployment technology. Enterprises that do utilize software deployment technologies allow users to run as administrator because of ad hoc application installations for specialized applications for specific departments (a custom spreadsheet application for the Marketing department, for instance).
* Custom Web applications (ActiveX controls): With the growth of the independent software vendor (ISV) community, many companies are opting to have custom applications designed for their specific business requirements. Many of these custom applications include a Web browser front-end, which requires an ActiveX control to be installed. Because ActiveX controls are executable files and can contain malware, Windows prevents members of the Users group from installing them.
* Perceived lower TCO (reduced help desk calls versus reduced attack surface): Many enterprises believe that allowing users to install their own applications will help limit the number and cost of Help Desk calls. Unfortunately, running your enterprise workstations as administrator also makes your network vulnerable to “malware”—the overarching term for all malicious software, including viruses, Trojan horses, spyware, and some adware. Malware can exploit a local administrator account’s system-level access to damage files, change system configurations, and even transmit confidential data outside of the network.

source: Understanding and Configuring User Account Control in Windows Vista

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"

 

[dilettante]

Maybe these will help:

Implementing and Administering the ActiveX Installer Service

and an update for Win7:

Administering the ActiveX Installer Service in Windows 7