See the question and my original answer on StackOverflow

If you just need to kill the ActiveXObject feature which is the entry point to the system, you can silently append some lines to the code you give to the Script Control, like this for example:

ActiveXObject = null; // add this silently

function test(){
    var shell = new ActiveXObject("WScript.shell"); // this will now fail
    shell.run("notepad.exe", 1);
}

Of course, if you still need to give some functions to your users, you will then need to propose some sort of an API, use the AddObject function (see How To Use the AddObject Method of the Script Control), and the user would use it like this:

ActiveXObject = null; // add this silently

function test(){
   // this is a controlled method, because I have added a MyAPI named object
   // using AddObject, and this object has a OpenNotepad method.
   MyAPI.OpenNotepad();
}

PS: WScript is a, ActiveX Scripting host, so it's not accessible from the Script Control.

PS2: This hack does not work in every Script Control underlying languages. It works in JavaScript, but not in VBScript for example.