Lock down Internet Explorer

Unlike safer operating systems, Windows has a built-in web browser, Microsoft Internet Explorer, that is unsafe and cannot be removed. Users can’t fix this design error, but they can mitigate it somewhat by locking down the browser.

Microsoft Internet Explorer is widely regarded by security experts as fundamentally unsafe, and it should not be used or even installed. Some people are forced to use it, however: some employers require its use, as do some online government services. More fundamentally, it is built into Windows and the operating system uses it daily even if the user doesn’t. Removal is thus not an option. Windows users can, however, lower the risk by:

  1. Ensuring it is fully patched and up to date
  2. Locking it down as tightly as possible, so that the operating system’s use of it becomes less risky
  3. Using a more secure browser, so your actions don’t put you at risk

Microsoft offers patches to Internet Explorer through Windows Update. Check your Windows Update settings (Control Panel – Windows Update) to ensure that recommended updates are installed automatically; this will ensure that Internet Explorer is kept patched.

Major version updates to Internet Explorer are also offered through Windows Update, but these are not installed automatically and require user intervention to install. Periodically check Windows Update for newer versions of Internet Explorer to install.

You can automate this process by installing a software security audit tool such as Secunia PSI.

Tighten Internet Explorer’s security settings as described in this article. (I agree with the article’s advice even though I take exception to its misleading title.)

Some software and web sites that require Internet Explorer will not work with the above settings, so you will have to make exceptions for them. To do this, launch Internet Explorer and open Tools – Internet Options – Security. Select Trusted Sites and press “Sites”. Add the appropriate URL. For example, to allow Secunia PSI to do its job, add “https://psi.secunia.com/”. Press “Close” and then “Accept”.

TODO: Investigate if this has to be done in each user’s account.
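
To audit the Trusted Sites exceptions described above, the following PowerShell sketch lists every site assigned to the Trusted Sites zone and shows which registry hive holds it. It is an added example, not part of the original post. It assumes PowerShell 3.0 or later and relies on Internet Explorer storing site-to-zone assignments under the `ZoneMap\Domains` key, normally in each user's HKCU hive, and reading HKLM instead when the `Security_HKLM_only` policy value is set. The function name `Get-TrustedSiteEntry` is made up for this example.

```powershell
# Added example: list Trusted Sites (zone 2) assignments and where they are stored.
$zoneMap = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$trustedZone = 2

function Get-TrustedSiteEntry {
    param([Parameter(Mandatory = $true)][string]$Hive)   # 'HKCU:' or 'HKLM:'
    $root = "$Hive\$zoneMap"
    if (-not (Test-Path -LiteralPath $root)) { return }
    Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        # Key path below Domains is '<domain>' or '<domain>\<subdomain>'.
        $labels = ($key.Name -split '\\ZoneMap\\Domains\\', 2)[1] -split '\\'
        [array]::Reverse($labels)
        $fqdn = $labels -join '.'
        foreach ($name in $key.GetValueNames()) {
            # Value name is the protocol ('https', 'http' or '*'); data is the zone number.
            if ($name -and $key.GetValue($name) -eq $trustedZone) {
                [pscustomobject]@{ Hive = $Hive; Site = "${name}://$fqdn" }
            }
        }
    }
}

# Policy "Security Zones: Use only machine settings" makes IE ignore per-user entries.
$machineOnly = (Get-ItemProperty -LiteralPath $policy -Name Security_HKLM_only `
                -ErrorAction SilentlyContinue).Security_HKLM_only -eq 1
$active = if ($machineOnly) { 'HKLM:' } else { 'HKCU:' }
"Zone settings are read from $active (Security_HKLM_only set: $machineOnly)"

# HKCU results belong to the account running the script.
'HKCU:', 'HKLM:' | ForEach-Object { Get-TrustedSiteEntry -Hive $_ } |
    Sort-Object Hive, Site | Format-Table -AutoSize
```

Run it under each account you want to compare; any entry you do not recognise is an exception to the locked-down settings that deserves review.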

Windows uses Internet Explorer, but most users don’t have to. Download and install a safer browser such as Opera (safest) or Firefox.

Now set the new browser as default. In Windows Vista and later, this is done as administrator in Control Panel – Programs – Default Programs – Configure Access and Default Programs on the Computer – Personalized. In “Select a web browser”, select the new web browser. Unless the end user has a particular need for Internet Explorer, remove user access to it by clearing Internet Explorer’s option “Enable access to this program”.


About Warren Post

So far: Customer support guy, jungle guide, IT consultant, beach bum, entrepreneur, teacher, diplomat, over-enthusiastic cyclist. Tomorrow: who knows?