I just received a helpful email from Christian Jacobsson. Christian has isolated the basic security settings required to enable IE7.
- Script ActiveX controls marked safe for scripting
- Enable activeX controls and plugins (also affects Flash)
- Behavior for binary code and scripts (required by the PNG solution)
By default, all of the above settings are turned on.
IE7 uses ActiveX to load external CSS files. There is a way to load CSS files without ActiveX but it would require the files to be marked up as XML. This is not as easy as it sounds as the resulting file should also be valid CSS. However, thanks to Jimmy Cerra, there is a solution to this. I will probably add the option to use this markup style and avoid the dependency on ActiveX.