The JVM security model is based on a sandbox, where the granularity of the authentication could be controlled. I can trust an Applet for things such as printers, but block it from disk access.
The person to whom I replied criticized the ActiveX component signing model for being too much of a hassle for the average user. If you agree, do you not also agree that setting up trusted applet policies is even more of a hassle?
Active-X, OTOH, is an all or nothing proposition: Either you block it, or you give it access to everything - no choice in between.
Not quite. ActiveX components run with the browser's account permissions. You
can always run the browser under a restricted account, thereby letting the OS
set up the sandbox. In fact, account permissions are typically much more
configurable than applet policies.
I suppose one can make the case that Java failed based on performance and features. But one can also make the case that ActiveX failed because of its flawed security model.
I disagree completely. ActiveX is a code packaging and delivery technology. Its only responsibility in terms of security is to provide secure transit, which is exactly what it does with component signing. Java-style sandboxing is brain-damaged because (a) the OS already provides permission-based security, and (b) the whole point is to take advantage of client resources. No wonder Sun eventually provided ways to poke holes in the sandbox.
In most cases you cite, these programs are not really confined to the Active-X framework (with the possible exception of Shockwave). Yes, some of them are participants in Active-X, but almost every one of them is really just an executable program that you downloaded or installed just like any other native program.
Hardly. All of the things I mentioned run embedded within the browser or any other application supporting COM/OLE containment. "Regular" executable programs don't do that.
Don't believe me? Then go check the installation directories for these programs - likely scattered in the Progra~1 and system32 directories. Now tell me how many of these programs are confined to the "Windows\Downloaded Program Files". I see Shockwave and you'll probably see a few others. Of the list you cite, how many are confined to this directory - and hence qualify as Active-X success stories?
I reject the notion that ActiveX components must be installed in any particular place to qualify. That's not what makes them ActiveX components - it's the ability to run embedded within ActiveX containers.