On Windows 7, the COMponents listed in the title seem by default to have the "killbit" set to COMPAT_EVIL_DONT_LOAD (compare MSDN), that is, their Compatibility Flags in HKLM\SW\IE\ActiveX Compatibility\{<CLSID>}\ seem to be set to that value by default:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}]
"Compatibility Flags"=dword:00000400
When I set the value to 0 (that's what Nirsoft's ActiveX Compatibility Manager does when "activating" a COMponent), everything works fine.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}]
"Compatibility Flags"=dword:00000000
But this is just a GUI solution for one workstation. To deploy our software, I need a safe and stable procedure (script or tool) to ship with our software, that not only sets the "killbit" to 0 or deletes the registry entry (which procedure should be preferred?), but checks the situation before and does nothing if nothing is necessary. Preferably, the solution would just be passed over a file name or a list of files and proceeds everything else necessary on its own.
This is the point where the bigger questions begin:
CLSID Registry Scanner (COM/ActiveX)
is my answer to my own question. It's working for now, that's important for me now. It would be a moot discussion if it was not better to rewrite or at least refurbish the program, or both independently, and get rid of old hats. Would be moot because I do not make our budget decisions.