The company isnt going into details, but its an easy first guess that this configuration will be based on the "Internet Explorer Enhanced Security Configuration" feature in Windows Server 2003. The default configuration for IE 6 in Windows Server 2003, either for console users or Terminal Server users—even if logged in as Administrator—is a highly restricted environment.
ESC is also based on IE security zones. Here are some example settings:
By default, Internet and intranet sites are in the Internet zone. Intranet sites are not part of the Local Intranet zone unless you explicitly add them.
Did I say that IE is locked down "even if logged in as Administrator?" I should have said "especially if logged in as Administrator."
In the long run one hopes Microsoft will make it easier for normal users to run their computers conveniently without being an Administrator, although that may be asking for the inherently impossible.
The zone settings in the context of Windows Server 2003 probably assume active management by IT. With these settings users are going to be running into problems pretty frequently, assume they are reasonably free to surf around.
Of course, consumers are very free to surf around, and that has gotten many of them in trouble, by surfing to, for example, sites that install spyware and adware. A configuration like ESC would make this much harder, but it would also make it hard to view huge numbers of perfectly innocent sites.
Requiring users to add sites they want to view to the Trusted Sites zone wont cut it. Users will hate it. I think theyre going to hate whatever comes out anyway, because any reasonable set of restrictions that can be expected to have a positive effect will end up stopping a lot of users from doing unwise things they want to do. If this was easy, it would have been done long ago.
IE already has a variety of security "fine-tuning" settings that could be used to tighten the screws, and ESC adds some more, such as the ability to turn off all non-Microsoft browser extensions. As tempting as these are for making a browser more secure, its too much of a 180 for Microsoft to start restricting third-party enhancements like that.
We should all hope that Microsoft makes IE 7.0 more, rather than less restrictive, but we cant be under any misimpressions about whats possible.
Users dont like being told what they cant do. Getting used to working within restrictions is a necessary part of securing an environment, and the sooner Microsoft facilitates that the better.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.