Java applets may pose security risks because they can contain code intended to attack hosts and servers on a protected network. You can remove Java applets by issuing the filter java command. Starting from version 6.3, you can block selectively by using the optional except keyword in the filter java command. To apply Java applet blocking to all outbound connections, issue the filter java 80 0 0 0 0 command.
This example blocks downloading of Java applets to a host on a protected network from all networks except 192.168.10.0:
ActiveX objects may pose security risks because they can contain code intended to attack hosts and servers on a protected network. You can disable ActiveX objects by issuing the filter activex command. The command blocks the HTML <object> commands by commenting them out within the HTML web page.
Note: The <object> tag is also used for Java applets, image files, and multimedia objects, which are also blocked by this command. If the <object> or </object> HTML tags are split across network packets, or if the code in the tags is longer than the number of bytes in the Maximum Transmission Unit (MTU), the PIX Firewall cannot block the tag.
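The limitation in the note above, shown with a simplified Python model. This is an added example, not Cisco's code or part of the original page. It assumes the filter inspects each packet payload on its own and wraps each complete tag in HTML comment markers; the function names, sample page and payload sizes are constructed for illustration.

```python
import re

# A complete opening or closing <object> tag inside a single payload.
OBJECT_TAG = re.compile(rb"</?object\b[^>]*>", re.IGNORECASE)
COMMENT = re.compile(rb"<!--.*?-->", re.DOTALL)

# Constructed sample page; the classid value is a placeholder.
PAGE = (b'<html><body><p>demo</p>'
        b'<object classid="clsid:EXAMPLE" width="1"></object>'
        b'</body></html>')


def filter_packet(payload: bytes) -> bytes:
    """Model assumption: comment out every complete tag seen in this payload."""
    return OBJECT_TAG.sub(lambda m: b"<!--" + m.group(0) + b"-->", payload)


def segment(body: bytes, size: int) -> list[bytes]:
    """Split a response body into payloads of at most `size` bytes."""
    return [body[i:i + size] for i in range(0, len(body), size)]


def receive(body: bytes, size: int) -> bytes:
    """What the client reassembles after each packet was filtered separately."""
    return b"".join(filter_packet(p) for p in segment(body, size))


def surviving_tags(html: bytes) -> list[bytes]:
    """<object> tags still active, i.e. not inside an HTML comment."""
    return OBJECT_TAG.findall(COMMENT.sub(b"", html))


if __name__ == "__main__":
    # 1460: whole page in one payload; 40: opening tag straddles a boundary;
    # 32: opening tag (42 bytes) is longer than any single payload.
    for size in (1460, 40, 32):
        print(size, surviving_tags(receive(PAGE, size)))
```

With a payload size of 1460 both tags are commented out; at 40 and 32 the opening tag reaches the client intact, which is why this filter cannot serve as the only control on active content.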
Starting from version 6.3, you can block selectively by using the optional except keyword in the filter activex command. This example specifies that ActiveX objects are blocked on all outbound connections:
hostname(config)# filter activex 80 0 0 0 0
This command specifies that the ActiveX object blocking applies to web traffic on port 80 from any local host and for connections to any foreign host.