Blocking spyware with the ActiveX kill bit
One way to stop spyware from installing itself is to use the 'kill bit', which blocks specific ActiveX controls. It marks the control as incompatible or not runnable.
ActiveX controls are identified by a number: the class identifier, or CLSID. Each ActiveX component is given a CLSID, which is listed under HKEY_CLASSES_ROOT\CLSID. There is also a list of compatible ActiveX controls in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility, which includes a flag to mark the control as dangerous.
To disable a particular control, add the CLSID to the compatibility list and mark it as dangerous.
To find the CLSID, you can ask the manufacturer. If that is not possible and the control is already installed, look for the human-friendly name in the default string listed in HKEY_CLASSES_ROOT\CLSID. If the control is not installed, remove all other ActiveX controls, install the new one, and look it up in HKEY_CLASSES_ROOT\CLSID.
Once you've got the CLSID, look it up in the 'ActiveX Compatibility' list, or add it as a subkey if it doesn't exist. Then add the following value under that subkey.
- name = 'Compatibility Flags'
- type = DWORD
- value = 400 (hexadecimal)
You could also create a .REG file to block a specific ActiveX component. For example, one that blocks the CLSID {00000000-5eb9-11d5-9d45-009027c14662} would look like this:
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-5eb9-11d5-9d45-009027c14662}]
"Compatibility Flags"=dword:00000400

The site Spywareguide.com has a regularly updated .REG file that contains over 300 ActiveX controls known to be spyware. The .REG file does not interfere with any other functions of IE or the system and can interoperate with other spyware-blocking products.
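A .REG file can write to any part of the registry, so a downloaded block list is worth checking before it is imported. The Python below is an added example (not from the KB article or from Spywareguide) that reports which CLSIDs a .REG file kill-bits and flags every line that does anything else; the function name, the second CLSID and the ExampleVendor key in the sample are constructed for illustration.

```python
import re

KILL_BIT = 0x00000400  # the "Compatibility Flags" bit described in this article
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID = re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
HEADERS = {"REGEDIT4", "Windows Registry Editor Version 5.00"}
FLAGS = re.compile(r'"Compatibility Flags"\s*=\s*dword:([0-9a-f]{8})', re.I)

# Constructed sample: the article's entry, one entry without the kill bit, one unrelated key.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-5eb9-11d5-9d45-009027c14662}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000004

[HKEY_CURRENT_USER\Software\ExampleVendor]
"Setting"=dword:00000001
'''

def audit_reg(text):
    """Return (killed CLSIDs, [(line number, reason)]) for the text of a .REG file."""
    killed, findings, clsid = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";") or line in HEADERS:
            continue
        if line.startswith("[") and line.endswith("]"):
            parent, _, leaf = line[1:-1].rpartition("\\")
            # Key names are case-insensitive; "[-KEY]" (delete a key) fails this comparison too.
            ok = parent.upper() == BASE.upper() and CLSID.fullmatch(leaf)
            clsid = leaf.upper() if ok else None
            if not ok:
                findings.append((n, "key is not an ActiveX Compatibility CLSID entry"))
            continue
        if clsid is None:
            continue  # value under a key that was already reported
        m = FLAGS.fullmatch(line)
        if not m:
            findings.append((n, "unexpected value"))
        elif int(m.group(1), 16) & KILL_BIT:
            killed.append(clsid)
        else:
            findings.append((n, "kill bit not set"))
    return killed, findings

if __name__ == "__main__":
    print(audit_reg(SAMPLE))
```

The function takes the file's text; files that start with "Windows Registry Editor Version 5.00" are normally saved as UTF-16 and need to be decoded accordingly before being passed in.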
Source: KB article 240797
