IE 7.0's Future Is in 2003

By Larry Seltzer  |  Posted 2005-06-07

Opinion: Microsoft has seen the future for browsers and it's a restrictive one—but the right decision isn't always easy.

When users run into trouble using Internet Explorer it's not often with innocent and standard HTML functions, but with fancier features like ActiveX controls and scripting. This is why, as we have reported, Microsoft is planning to default IE 7 to a lower rights configuration. The company isn't going into details, but it's an easy first guess that this configuration will be based on the "Internet Explorer Enhanced Security Configuration" feature in Windows Server 2003. The default configuration for IE 6 in Windows Server 2003, either for console users or Terminal Server users—even if logged in as Administrator—is a highly restricted environment. ESC is also based on IE security zones. Here are some example settings:
    Zone   Security Level
    Internet   High
    Trusted Sites   Medium
    Local Intranet   Medium-Low
    Restricted Sites   High
By default, Internet and intranet sites are in the Internet zone. Intranet sites are not part of the Local Intranet zone unless you explicitly add them.
Did I say that IE is locked down "even if logged in as Administrator?" I should have said "especially if logged in as Administrator." In the long run one hopes Microsoft will make it easier for normal users to run their computers conveniently without being an Administrator, although that may be asking for the inherently impossible.

The zone settings in the context of Windows Server 2003 probably assume active management by IT. With these settings users are going to be running into problems pretty frequently, assuming they are reasonably free to surf around. Of course, consumers are very free to surf around, and that has gotten many of them in trouble, by surfing to, for example, sites that install spyware and adware. A configuration like ESC would make this much harder, but it would also make it hard to view huge numbers of perfectly innocent sites.

Requiring users to add sites they want to view to the Trusted Sites zone won't cut it. Users will hate it. I think they're going to hate whatever comes out anyway, because any reasonable set of restrictions that can be expected to have a positive effect will end up stopping a lot of users from doing unwise things they want to do. If this was easy, it would have been done long ago.

IE already has a variety of security "fine-tuning" settings that could be used to tighten the screws, and ESC adds some more, such as the ability to turn off all non-Microsoft browser extensions. As tempting as these are for making a browser more secure, it's too much of a 180 for Microsoft to start restricting third-party enhancements like that.

We should all hope that Microsoft makes IE 7.0 more, rather than less, restrictive, but we can't be under any misimpressions about what's possible. Users don't like being told what they can't do.
Getting used to working within restrictions is a necessary part of securing an environment, and the sooner Microsoft facilitates that the better.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
