Under IE7, under protection mode on, normally installed an ActiveX control. open IE7 Add-on manager, locate the ActiveX control, and disable it. because the ActiveX control is running, close the IE7 window and open a new one, or open internet settings under control panel. open the Add-on manager again, then delete the control while in disabled status. once deleted, going to the same page to install the control again. it will show a small icon in the status bar indicating that the control cannot be used. double-click the icon will open the Add-on manager, but since the control is not installed, there is no way to make the control to be enabled again.
It seems that under IE7 protection mode, the IE or the ActiveX control won’t be able to modify certain registry keys, thus left the Add-on disable bits in the registry. when the control is going to be installing / loading again, IE7 check the disable bit and then prevent the control from running / installing.
Since under protection mode there is limited security context to do the registry modification, by turn off the protection mode, IE7 will be able to modify / delete the Add-on disable bits and the control will install and run again.
When disabling an ActiveX control, IE7 will place a registry key under
under the key there will be a “Flags” DWORD key setting to 1, indicates the control had been disabled. when enable the control again, the [ActiveX CLSID] folder will be all deleted, indicates that the control is not been blocked / disabled.
When under protection mode, IE7 seems not able to modify the registry key here, thus even the control is deleted / unregistred from the registry, this key will remain there. once going to reinstall the control again under protection mode, IE7 checks this key and determine that the control is blocked and preventing from loading / installing it.
When turning protection mode off, or just set the web server to trusted zone (protection mode off by default in trusted zone), IE7 will be able to modify this key and when going to reinstall the control, it will first delete the setting here to let it install.
Those facts were examed by setting a test env. and tested the control behavior, also by comparing the whole registry under various situations, for a feasibility study of a Vista / IE7 infrastructure migration project. this should be a rare case since that for intranet business web applications, normally the intranet web servers will be set into trusted zone thus will be running under protection mode off.