How to Replace Internet ExplorerBy Steven Vaughan-Nichols | Posted 2004-07-06 Email Print
WEBINAR: On-demand webcast
Take Advantage of Cloud Backup to Kick-Start Your Disaster Recovery REGISTER >
Sick of IE's security problems? Alternatives are making headway, and we explain how to replace the browser with Mozilla Firefox.
If you believe, as I do, that Internet Explorer has just gotten too dangerous for everyday use, your next conclusion must be to move yourself and your clients to another browser. But now come the hard questions: Which browser do you use, and how do you migrate users?
Before I jump into those questions, though, let's go over the main alternatives.
The default attempt to stop IE from being exploited, as my fellow columnist Larry Seltzer points out, is to disable Active scripting and ActiveX in Internet Explorer. That's what CERT (the U.S. Computer Emergency Readiness Team) recommends; that's what Microsoft recommends; heck, that's what we've recommended.
But as Larry found out, there's one little problem with this approach: Internet Explorer without Active scripting and ActiveX fails, and fails badly, on many Microsoft-dependent sites.
Amazing as it may sound at first, non-Microsoft browsers, such as Opera, Mozilla and Firefox, actually work better even on heavily Microsoft-oriented sites. That's because they're already built to get around these sites' Microsoft bias. Internet Explorer, on the other hand, doesn't deal well without having its dangerously useful Active scripting and ActiveX at its beck and call.
In addition, although Larry doesn't go into it in detail, if you disable Active scripting and ActiveX controls in the Local Machine Zone—which you must do to really protect yourself from the latest exploits—you run into fundamental Windows compatibility problems. For example, I've found that Microsoft Help stopped functioning properly, and some Active Directory and NT-style Domain login scripts failed.
I'm sure I saw only the tip of the iceberg of compatibility problems. After all, most applications are going to be built with the assumption that all Local Machine Zone resources will always be available.
Adding insult to injury, making Local Machine Zone changes isn't a trivial matter. You'll need to do a lot of registry tweaking to get the best possible results from your system. Even then, you'll be left with some compatibility problems. In short, there is no way to secure Internet Explorer today that doesn't also cause incompatibility problems.
In theory, Windows XP SP2 (Service Pack 2) will stop these kinds of attacks. I don't think it will. As I've said many times before, Windows is still a single-user system with too powerful interapplication communications mechanisms in a networked world.
In any case, even if SP2 turns out to be a magic bullet for XP IE security problems, it won't do a darn thing for your users who are still working with Windows NT, 98, ME or 2000 desktops.
Microsoft would be foolish if it didn't deliver at least some of SP2's promised security goodies to non-XP users, but the boys from Redmond still haven't said whether they'll actually do it. And I, and other Microsoft watchers, are absolutely certain that SP2 will cause its own share of incompatibility problems.
No, it's time to move beyond Internet Explorer.
Which browser is best?
My personal pick for an IE replacement is Mozilla Firefox 0.91. It's free, so you can't argue with the price. It's also open source, which I believe makes it more likely to be secure than other, proprietary browsers. Yes, it is also beta software, but I've found it to be as stable as any mainstream browser.
Mind you, I have nothing against Opera Software ASA's popular Opera browser, and to the best of my knowledge, Opera has never had significant security problems. All other thing being equal, however, I believe that open-source programs not only offer more security, but also have shorter, faster development cycles.
So, what about Mozilla, Firefox's big, open-source brother? I like it, too, but personally, I prefer smaller, lightweight programs like Firefox. I find that managing applications that do one job and do it well is easier than administering do-it-all applications. Your technical support experience may vary.
Finally, for your IE users, out-of-the-Net Firefox already looks and acts a lot like IE, so it should prove the easiest transition for them.
All of these are general principles, though. Before deciding what browser you want to deploy, you need to find the one that will work best with your users' business Web server applications.
Unfortunately, many Web site applications require IE. Sometimes, the underlying reasons are pointless, FrontPage-based Web page coding laziness. Other times, the site really will work with alterative browsers, but it's been coded by design to work badly with other browsers.
As one horribly overworked IT manager who wants badly to switch to Firefox told me, "My customers use a dozen or so [internal] Web sites that they access on a daily basis. Guess how many are fully functional under Firefox? Uh, that would be 'none of them.'"
So, what can you do? Well, for one thing, you can start weaning your site designers away from the dangerous combination of Active scripting, ActiveX and IIS (Internet Information Server), but that's another story for another day. As we've already seen, though, chances are good that these sites are going to start giving their users fits anyway once they start using secured IE installations.
But there are several interim solutions for Firefox and Mozilla users that make IE-specific sites more usable. The first of these is the ieview plug-in. What this simple Mozilla for Windows extension does is add a menu choice on right-clicking on a link to include an "Open link target in IE" menu item. Right-clicking elsewhere in the main body of the page, but not within an image, text box, etc., gives users the choice of "View this page in IE."
Another useful approach is to have Firefox present itself to a site as another supported browser. In Opera, this functionality is supplied by the 'Browser Identification' feature, but Firefox doesn't have this built in. However, there is a User Agent Switcher extension, which gives both Mozilla and Firefox this functionality.
Ideal? No. But I've found both to be useful, and it just might be enough for your users to kick their dangerous IE habit for everyday use.
Note that I say everyday use. On Windows XP systems, you simply can't get rid of IE. Some vital functionality, such as Windows Update, requires IE.
If you really want to, you can get rid of IE on Windows 98 and ME with LitePC Technologies Pty Ltd.'s 98lite Professional v4.7. The Australian company's program, which works with Windows 98, 98SE and ME, modularizes Windows features, applets and subsystems into optional components. Over the years, it's done very well for me, and I've used it to install those versions of Windows on low-powered systems.
While LitePC also has a program, XPlite and 2000lite Professional v1.2, that tries to do the same thing for XP, in my informal testing, a lot of IE infrastructure remains in XP even after IE is deactivated.
In any case, though, before deciding what browser to roll out, you'll need to go over the sites your users actually need—ESPN doesn't count!—and see what browsers work best with them. If one browser works better with the work sites, then that's the one you should use.
Setting up Firefox
Your next step will be to create appropriate settings for your browser of choice. Besides the usual drill of setting up home pages, you'll need to set up the helper applications on your master deployment package.
You'll want to do this even if you normally let users set up their helper applications because we both know they're going to think their new browsers are broken when they can't use say Adobe Acrobat or Macromedia Flash. It's far better to set up the browsers with the helper applications first.
Unfortunately, not all helper applications will work with alternative browsers. Things are getting better, though. Three of the major plug-in vendors, Macromedia Inc., Sun Microsystems Inc. and Adobe Systems Inc., are working together with the major alternative browser vendors to standardize script implementation for the popular Netscape Plug-In API (Application Program Interface).
You should also be careful to make sure that a given plug-in will work properly with the browser. For example, Adobe Acrobat 6.0/.0.1 and Mozilla Firefox don't do well together. If you and your users use Acrobat a lot, as is almost certainly the case, you should install the older Adobe Acrobat Reader 5.1 or upgrade to Adobe Reader 6.0.2.
In those cases, I've set up the system so that the user clicks on an icon for these sites and that automatically bring up IE for that particular application.
Is migrating from IE to another browser worth the trouble? Only you and your customers can answer that question. But when you consider just how huge IE's security hole is, and how you really can't fix it without rendering IE somewhat ineffective ... well, what can I say except that while writing this article, I was migrating yet another machine.