This defense has nothing to do with Windows Vista, but it is worth repeating. You should lock an ActiveX control to its originating site with SiteLock (Microsoft 2007) or your own custom code to check the control is instantiated from your Web site. If you want to use your own code rather than take on a SiteLock dependency, you can call IWebBrowser2:: get_LocationURL to get the originating URL, and pass it to cURL or one of the legacy URL cracking APIs and then do a string comparison to determine if the control is activated from your Web site or not.