Hi Michel,

>I just accessed a page which contains an ActiveX.
>
>When I access that page, during the loading time, the ActiveX decided to install some components on my hard disk. After the installation, I received a message from my browser stating that "This page contains active content which is not verifiably safe...".
>
>How safe is it to access a page that contains an ActiveX? Any special consideration for this?

I just went through all of this {s}...

There are a couple of issues that ActiveX controls handle for security. First of is the trust relationship
that is established when you don't have a control. That's the dialog you saw, which asks you to download
the control.

At this point you'll find controls that are signed with Authenticode or unsigned (which is the message
you saw). When a control is signed it means the author registered with Verisign or other CA who have
verified the author's application. The control's signature is digitally checked against the CA
to verify the source. I've just got an Authenticode Certificate and signed one of my controls
with it. It's a major hassle to do this and the tools to do it are really lame and under documented.
I think this is the primary reason a lot of unsigned controls are out there. The $400 for a
commercial certificate also doesn't help ($20 personal certs are also available).

The other issue is safety. There's safe for scripting and safe for access. Those are options that
are set by the authors of the control to determine the degree of safety to the user's system.
If the control allows writing to the system via external methods (like save methods) the control
should not be marked as safe for example and you're prompted each time the control comes up.
But ultimately that's really left up to the authors.

Basically, it all comes down where the control is coming from. If you trust the site that
it's loading on, go ahead and download it. If you don't know the site's owners and you're
just crusing through, it's probably a good idea to not download...

Regards,