A security auditor should ensure that browsers throughout the company are set up to implement an agreed company-wide policy on which content should be downloadable/useable within the company.
The implications of allowing unsigned ActiveX controls and VB scripting within browsers, for example, should be considered very carefully (especially within the Internet zone) because such technologies, powerful though they are, bring with them huge security risks: They allow the downloaded content to interact with files and the operating system on the client machine.
Generally, the security risks of allowing Java applets and cookies via a browser are minimal (because Java has a built-in security runtime for applets, and cookies can write text files only to a particular directory, although their use may involve privacy issues).
For more information on the way in which browser settings can affect the types of content that may be downloaded, see http://www.microsoft.com/WINDOWS2000/techinfo/reskit/en-us/ierk/Ch07_c.asp.
To find out more about the kinds of risks in allowing different settings, see the following articles: