The Federal Desktop Core Configuration blog (actually Microsoft’s USGCB Tech Blog, my Google Reader hasn’t updated the blog title) has a post on the risks of enabling “Initialize and script ActiveX controls not marked as safe” in any Internet Explorer security zone.
Prior to Windows 7, our IE security policy was the wild west. “Do whatever you want”. Now with it a bit more locked down, we find out when people are wanting to do dumb things. I’m looking forward to their follow up post. This reminds me of JAVA. Developers not doing things the right way cause headaches for IT and bad security.