We are developing a web-based application for sale, which, although it mainly runs in the browser, also requires integration with devices such as credit card readers. To provide hardware integration, we implemented several simple ActiveX controls in C ++ using ATL.
We are not experienced Windows developers and have difficulty understanding the installation process and security model for ActiveX controls. Obviously, this is a prerequisite for our users who can actually run our application. :)
We are trying to determine what the most subtle and most restrictive set of permissions is required for a typical unprivileged user (non-administrator, non-powerful user) to install and update a specific ActiveX control (unlike any ActiveX control) from a signed .cab file, served through HTTP as part of a web application. We need to know this for XP (SP2 +) and IE6, as well as for later OS / browser combinations. We want this information so that we can help our IT professionals properly configure the machines on which the software will run.
We did a lot of digging on the Internet and could not find adequate documentation. We also talked to some people at Microsoft who were also unable to provide us with the information we needed.
Using the Sysinternals process monitor and some trial versions and errors, we were able to determine that for an unprivileged user to access the ActiveX controller on XP SP2 / IE6, it is enough to specify the following registry permissions (that is, the user will see the yellow bar at the top of IE that says : "This site wants to install some software"):
HKLM\Software\Microsoft\Tracing (key only, creating subkey permission)HKLM\Software\Microsoft\Code Store Database (key only, creating subkey permission)
, , , C:\windows\downloaded program files\ HKLM\Software\Microsoft\Code Store Database\Distribution Units\{guid}
( Vista Windows 7 ActiveX , XP. AIR 2 , , .)