A new feature that has sparked great controversy is IE 8's support for per-user ActiveX controls. Formerly, most ActiveX controls required that the end-user be logged on as Administrator to install them. Now, vendors can repackage their existing ActiveX controls (or code new ones) to allow installation into the current user's profile without needing elevated permissions. Microsoft is attempting to promote more software products that can be installed without admin rights, which in turn means the underlying OS kernel will be harder for rogue applications and malware to modify. This type of system access control has been available on other browsers (such as in Firefox extensions) and operating systems (Linux, BSD, and so on) for many years, but is now being promoted in the Windows world as well. Many security admins see per-user ActiveX controls as an additional security and management headache. In any case, Microsoft allows per-user ActiveX controls to be disabled using the normal methods, and it's hard to argue with flexibility.
IE is one of the few browsers to have built-in Parental Controls, which block objectionable content as defined by a rating system. The settings are password protected and apply to all users, although a master password can be entered to temporarily bypass the default settings. There are several different categories of potentially objectionable content, and the administrator can choose whether to block all related content (for example, all nudity) or to allow exceptions (such as educational and art-related nudity). You can choose from various rating systems, and you can whitelist specific Web sites.
Without a doubt, one of Internet Explorer's most powerful enterprise features is its ability to change browser functionality and security settings based on five different security zones: Internet, Local intranet, Trusted sites, Restricted sites, and Local Computer. Most other browsers don't have the concept of security zones or only allow limited per-site exceptions, essentially creating two zones. Any nonlocal Web site is launched in the Internet zone by default, unless the user places the site into a more trusted zone. Each security zone can be paired with a particular security level (High, Medium-High, Medium, Medium-Low, Low, and custom). Some zones cannot be paired with particular security levels. For example, the Internet zone cannot be placed in a security level lower than Medium.
Zones not only allow custom control over dozens of security settings, but also play a role in keeping Internet content from exploiting a system. By default, executables downloaded from the Internet zone cannot automatically run in the Local Computer (the most trusted) zone. ActiveX controls intended to be launched only in the browser can execute only in the browser. By the same token, ActiveX controls intended for Local Computer execution cannot be launched via the browser. This prevents malicious Web sites from using installed ActiveX controls in malicious ways.
IE has always had good cryptography support. IE's initial SSL/TLS (Secure Sockets Layer/Transport Layer Security) ciphers aren't as strong as those of Firefox and Opera. However, IE was one of the first browsers to support AES (Advanced Encryption Standard), EV (Extended Validation) certs, server revocation checking, ECC (Elliptic Curve Cryptography), and OCSP (Online Certificate Status Protocol), and it is the only browser to allow the enforcement of the U.S. government's Federal Information Processing Standards ciphers. Not only is IE very "in your face" about certificate errors, but administrators can prevent end-users from visiting Web sites without valid digital certificates.