As everyone should know, Internet Explorer is a very insecure browser, and daily use can quickly turn a Microsoft Windows PC into a spyware-ridden, spam-sending, slow, unstable abomination.
I don’t use IE at home, because Mozilla Firefox is infinitely better and more secure, but I’ve found that many people, even those otherwise educated and intelligent, think of “the Internet” as “the blue E”, and, when wanting to open a site, open IE without thinking.
So I had to do something about it.
Now, while I think that (as of mid-2005) it is still too early to implement this as official policy in a company (many bad sites or incompetently-designed intranet applications only work with IE - and sometimes only with a particular version), it can be useful in many home / small office networks.
Requirements
- a Unix-like machine (e.g. GNU/Linux or OpenBSD), possibly with 2 network cards, already running as a gateway for your network (this part is beyond the scope of this article)
- a firewall running on that machine (I use OpenBSD’s pf, but Linux’s iptables would also work) (again, firewall instructions go beyond the scope of this article)
- a Squid proxy server installation on the same machine, with the desired access configuration (including, possibly, authentication and such).
Steps
- configure your firewall not to allow direct HTTP (ports 80 and 443) and FTP (port 21) from the internal network (otherwise, users could just disable the proxy in the browser)
- change your Squid configuration like this:
Before the “allow” for your home network, insert the following:
    acl msie browser MSIE
    acl getmozilla dstdomain .spreadfirefox.com
    acl getmozilla dstdomain .getfirefox.com
    # firefox download places always have "mozilla" in the URL
    acl getmozilla2 url_regex mozilla
    # the following use IE's engine
    # magic online
    acl exceptions_ie dstdomain .wizards.com
    # jre updates
    acl exceptions_ie dstdomain .java.sun.com
    acl exceptions_ie dstdomain .jdl.sun.com
    # stardock central
    acl exceptions_ie dstdomain .stardock.com
    # city of heroes
    acl exceptions_ie dstdomain .coh.com
    acl exceptions_ie dstdomain .cityofheroes.com
    acl windowsupdate dstdomain .windowsupdate.microsoft.com
    deny_info ERR_BAD_BROWSER msie
    http_access allow msie windowsupdate
    http_access allow msie getmozilla
    http_access allow msie getmozilla2
    http_access allow msie exceptions_ie
    http_access deny msie
The exceptions are for some applications which (foolishly) use IE’s engine and identify themselves as it. You may not need these, or you may require different ones.
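To check what these rules decide before loading them into the proxy, here is a small model of Squid's first-match `http_access` evaluation, run over constructed requests. It is an added example, not part of the original post or of Squid; the `homenet` ACL stands in for the existing home-network "allow" and the sample URLs and User-Agent strings are made up.

```python
import re
from urllib.parse import urlsplit

# ACLs transcribed from the squid.conf fragment above: name -> (type, values).
ACLS = {
    "msie": ("browser", ["MSIE"]),
    "getmozilla": ("dstdomain", [".spreadfirefox.com", ".getfirefox.com"]),
    "getmozilla2": ("url_regex", ["mozilla"]),
    "exceptions_ie": ("dstdomain", [".wizards.com", ".java.sun.com", ".jdl.sun.com",
                                    ".stardock.com", ".coh.com", ".cityofheroes.com"]),
    "windowsupdate": ("dstdomain", [".windowsupdate.microsoft.com"]),
    "homenet": ("all", []),  # hypothetical stand-in for the existing home-network ACL
}
# http_access lines in file order; the first line whose ACLs all match decides.
RULES = [
    ("allow", ["msie", "windowsupdate"]),
    ("allow", ["msie", "getmozilla"]),
    ("allow", ["msie", "getmozilla2"]),
    ("allow", ["msie", "exceptions_ie"]),
    ("deny", ["msie"]),
    ("allow", ["homenet"]),
]

def acl_matches(name, url, user_agent):
    kind, values = ACLS[name]
    if kind == "all":
        return True
    if kind == "browser":    # regex search in the User-Agent header, case-sensitive
        return any(re.search(v, user_agent) for v in values)
    if kind == "url_regex":  # regex search in the whole URL, case-sensitive
        return any(re.search(v, url) for v in values)
    if kind == "dstdomain":  # ".example.com" covers example.com and its subdomains
        host = (urlsplit(url).hostname or "").lower()
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    raise ValueError("unsupported ACL type: " + kind)

def evaluate(url, user_agent):
    """Return (action, deciding http_access line) for one request."""
    for action, names in RULES:
        if all(acl_matches(n, url, user_agent) for n in names):
            return action, "http_access %s %s" % (action, " ".join(names))
    # Nothing matched: Squid applies the opposite of the last line's action.
    return ("deny" if RULES[-1][0] == "allow" else "allow"), "(default)"

# Constructed sample requests (not taken from a real log).
IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
FIREFOX = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"
OPERA_AS_IE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.0"
SAMPLES = [
    ("IE, ordinary site", "http://www.example.com/", IE6),
    ("IE, Windows Update", "http://windowsupdate.microsoft.com/", IE6),
    ("IE, Firefox download page", "http://www.spreadfirefox.com/?q=affiliates", IE6),
    ("IE, unrelated URL containing 'mozilla'", "http://www.example.com/news/mozilla-review.html", IE6),
    ("Firefox, ordinary site", "http://www.example.com/", FIREFOX),
    ("non-IE client sending an MSIE token", "http://www.example.com/", OPERA_AS_IE),
]

def audit():
    return [(label,) + evaluate(url, ua) for label, url, ua in SAMPLES]

if __name__ == "__main__":
    for label, action, line in audit():
        print("%-40s %-5s %s" % (label, action, line))
```

The fourth and sixth rows are the ones to review: the `url_regex mozilla` exception admits any URL containing that string, not only download sites, and a non-IE client whose User-Agent carries the MSIE token gets the error page.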
You should also create an ERR_BAD_BROWSER file (in the share/errors/English directory) to tell users that they’re using an insecure browser, and that IE is only for Windows Update and for downloading Firefox. For example, here is mine:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
    <TITLE>ERROR: The requested URL could not be retrieved</TITLE>
    <STYLE type="text/css"><!--BODY{background-color:#ffffff; font-family:verdana, sans-serif}PRE{font-family:sans-serif}-->
    </STYLE>
    </HEAD><BODY>
    <H1>ERROR</H1>
    <H2>The requested URL could not be retrieved</H2>
    <HR noshade size="1px">
    <P>
    While trying to retrieve the URL:
    <A HREF="%U">%U</A>
    <P>
    The following error was encountered:
    <UL>
    <LI>
    <STRONG>
    Insecure browser detected.
    </STRONG>
    <P>
    Microsoft Internet Explorer (MSIE) is an insecure browser, and I don't like it
    being used in my home. :) MSIE, and MSIE-based browsers such as AvantBrowser
    or NetCaptor, can only be used for
    <a href="http://windowsupdate.microsoft.com">Windows Update</a>, or for downloading
    <a href="http://www.spreadfirefox.com/?q=affiliates&id=2703&t=49">Mozilla Firefox</a>.</p>
    <p>Please use a more secure browser such as
    <a href="http://www.spreadfirefox.com/?q=affiliates&id=2703&t=49">Firefox</a> or Opera.
    </UL>
    <P>Your cache administrator is <A HREF="mailto:%w">%w</A>.
Addendum
Yes, the user agent string can be changed. But I’m counting on the fact that most IE users don’t even know what a “browser” is - they think that “the Internet is the blue E”, and that clicking on it is “opening the Internet” as mentioned before. I’m also counting on the fact that anyone who is technically knowledgeable enough to change IE’s user agent is also knowledgeable enough not to want to use IE.
Addendum #2
“Why not simply download Firefox and tell people to use it?”, you may ask.
It’s not that easy - even at MY place, guests tend to “click on the blue E” without thinking, even after I’ve told them about Firefox. It’s a difficult habit to break for many people. And I don’t believe in “fooling” them by disguising Firefox with a IE theme and switching the icon.
Besides, a lot of software uses the IE engine “under the hood”. You can fall victim to an IE hole even if you never open IE yourself.

This can be done much simpler. You can set the local proxy on IE to 127.0.0.1 running on any port. Then, in the advanced, you can put addresses in the allow box. It’s how I have mine set up.
Your method is good for settings where you have control of the internet connection and have lots of systems that you don’t want to individually have to modify, such as in a business setting.
However, it makes no sense in the case that you described where it’s a personal system that already has Firefox installed and you’re just worried about friends clicking on the ‘e’. It would be a lot simpler and more effective to configure a proxy in the “Internet Options” settings. Then any program that uses the IE engine - regardless of user-agent spoofing - will go through the proxy, which can be a simple program that you run on the same system (e.g. Privoxy.) This works without having a second system and all the other complications.
Honestly though I don’t understand your statement that you don’t believe in “fooling” people by removing or modifying the “blue e” shortcut. If they click on the ‘e’ and try to surf they’re just going to get a message saying they can’t, and that they should use firefox. If that’s your intention then I don’t see how it’s any different than just changing the ‘e’ shortcut to something that does the same thing without running IE (e.g. a simple messagebox that tells them to click on the firefox icon instead.)
Chris: that works, sure, but what if it’s more than one client PC? What if they’re not “yours”, and you’re only responsible for the gateway? Limiting the access there means that even new PCs will get the “Please use a secure browser” message.
Brian: exactly, for just one PC it may be overkill. But last night, for example, a friend of mine took a laptop to my place, to rid it of spyware and such. And everything worked as I wanted: IE couldn’t access anything (I have it blocked in the firewall), so I configured the proxy in it; then it could only do two things: access Windows Update, and download Firefox or Opera.
As to hiding IE, as I said, I think it’s the wrong idea, but it’s just a personal opinion. I believe in educating users, which means that they should, eventually, choose Firefox. But I also know that it’s far from easy. From experience, allowing them to open IE but then get an error message saying it’s insecure works, eventually - most of the “victims” of my home network have eventually changed - on their own - to Firefox at their homes.
But, yes, my way may not be perfect for every case… but then again, I never claimed it was.
Nice post. Insult your users.
“As everyone should know, Internet Explorer is a very insecure browser”
I must be doing something wrong. I don’t have spyware and I don’t get viruses? Could someone help me out. Should I visit more porn sites?
“I don’t use IE at home, because Mozilla Firefox is infinitely better and more secure”
Infinite huh? Wow that’s a whole lot better. What the hell was I thinking using IE?
“I’ve found that many people, even those otherwise educated and intelligent, think of “the Internet” as “the blue E”, and, when wanting to open a site, open IE without thinking.”
Gee. Sounds like me. And I even have a PhD. Again whatever was I thinking!
“So I had to do something about it.”
Of course you did. Us poor helpless users need someone to take charge. A good strong man to show us how it’s all done and what is what.
“many bad sites or incompetently-designed intranet applications only work with IE”
Aww shucks. My site only works with IE so it is incompetently designed? That award I won must have been because someone felt sorry for me. Bad website! Bad!
Dan…. did Firefox shoot your dog or something? A lot of displaced rage here. It’s one guy on his blog telling what he did on his home network. Chill
Also if your site only works on IE then yes in fact it sucks. W3C standards aren’t just for firefox, you exclude Safari users as well as the random Opera user. IE only is a sign of laziness in 90% of cases. Sometimes active scripting is vital to your functionality, but even then there really is no reason to choose activex.
It’s your site so feel free to do whatever you want with it. Just like this guy does with his blog. But you really can’t expect people to admire the fact that you can’t or won’t take the extra time to make your page universally accessible.
A blog isn’t complete until it gets the first rude, sarcastic post. Less than 36 hours since creation, not bad.
Anyway…
1- it is possible to use IE and not get spyware, certainly - if you either go only to 2 or 3 sites, and never go anywhere else, or if you disable everything - javascript, java, activex, plugins, etc., and are clever enough never to install anything, never click on an ad, and never install a toolbar - although some install themselves without permission anyway. Or, maybe, if you have some resident anti-spyware program, like the paid version of Ad-Aware, which stops spyware as it tries to install itself. But I doubt that this is your case. You probably have spyware and are simply unaware of it, just like most people are.
2- apparently, being a PhD doesn’t teach you to look through alternatives and pick the best one - a PhD, apparently, uses what he is originally given, out of stubbornness if necessary. “I don’t want to know.” Good thing I’m not one.
No, seriously, the problem with PhDs and similar “highly educated” people is that they can be extremely knowledgeable about some particular fields, but that can lead them to be arrogant concerning fields they don’t know much about.
3- why does anyone make an IE-only site? Most do it because they don’t know any better - they can’t conceive of anyone not using Windows or IE, they don’t even know that there are other operating systems and browsers. Others do it because they don’t know anything about HTML or web standards - they use some abomination like Frontpage, which produces intentionally broken HTML code. Others are simply lazy - it’s easier to say “it only works with exactly the same OS and browser I tested it in” than to fix your own errors. And, lastly, some are, probably, simply stubborn.
And you (unfortunately) get awards for making pretty sites (which yours may well be), not solid, well-coded, standards-compliant ones. Ever heard of this?
Let me emphasize one additional aspect here:
I had switched to Mozilla, and later to Phoenix/Firebird/Firefox, many months before I implemented this thing in my home network. Even though I never launched IE (except for Windows Update), when I ran Ad-Aware (about every 2 weeks), I still encountered some “undesirables” - mostly tracking cookies, but sometimes other stuff. Not the “worst” kind of spyware, surely, but there was still stuff related to IE there. Why? Well, as I said, many programs use the IE engine - and they can do it without even opening a browser window!
After I implemented this solution, a few months ago, Ad-Aware and Spybot Search & Destroy have always detected zero spyware (except Spybot, which detects some harmless cookies in Firefox). I have stopped bothering to run those programs regularly, although I sometimes do it just for fun - or to show off my “toy” to more technically inclined friends.
Perhaps changing the icon so that when mom clicks on the E icon, it starts Firefox instead of IE could suffice. Most likely she will not figure out the difference.
Stephane: I answered that one in the third comment.
In short: this method works with more than 1 PC, it educates people instead of fooling them, and it also handles IE-based apps (which the “hiding IE” method doesn’t do).
> Aww shucks. My site only works with IE so it is incompetently designed?
> That award I won must have been because someone felt sorry for me. Bad website! Bad!
Different strokes for different folks. Some people believe that publishing a website that does not comply with the web standards is not a good idea. Many people shrug this off because until recently, the vast majority of web surfers happened to use the same browser that the author uses. But this is just plain ignorance. If you don’t care that 10 to 20% (and rising) of your visitors will be somewhat-to-extremely annoyed with your choice of web authoring, then by all means go ahead.
But the whole point of standards is so that you can publish things that everyone can use - and I’m not just talking about Firefox vs. IE. I’m talking about blind people, mobile phones, automated spidering scripts, Google, and so on. When you write standards-compliant web pages, you make it easier for all of these people to use your site. When you write IE-only tag soup you are just breaking the web and the philosophy of which it was conceived. If you are smart enough to have been awarded a PhD surely you can see that there is some ignorance to forsaking standards and only caring about one certain implementation of a web browser.
That you won an award for your site speaks well of its content, and not its coding or presentation.
FYI, to get rid of the IE icon on Windows XP (and 2000 too perhaps) use the following .reg file or just modify the registry manually:
————->8————->8————->8————->8————->8————-
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoInternetIcon"=dword:00000001
————->8————->8————->8————->8————->8————-
You missed a point - if you tried to download Firefox via that link on your error page, you’d… get redirected straight back to your error page
Really? Have you tried it? I was able to download Firefox to a friend’s (spyware-infested) laptop, here, a couple of days ago…
“it is possible to use IE and not get spyware, certainly - if you either go only to 2 or 3 sites, and never go anywhere else, or if you disable everything - javascript, java, activex, plugins, etc., and are clever enough never to install anything, never click on an ad, and never install a toolbar”
did IE shoot your dog or something..?
I use Firefox and I don’t like IE but what you just wrote simply isn’t true..
Andreas: from my experience, it is. And believe me, I have cleaned many friends’ PCs of spyware and viruses.
But nowadays I always do one thing: advise them to not use IE anymore (except for Windows Update), install Firefox on their (cleaned up) PC, and say “you’re free to use IE, but if you do so, I won’t help you with spyware and viruses again”.
Those who accept my advice never need my help again, even though they could have it.
Those who are stubborn, well, they usually end up asking other people, who tell them that the only thing to do is to format and reinstall Windows and/or charge money…
I suggest this test: pick ANYONE who uses only IE, then run Ad-Aware on their PC. I’ll even be generous: don’t count tracking cookies, bookmarks, or “deinstallable” (through “add/remove programs”) adware, but only “true” spyware. And tell me if you can find anyone whose PC is clean.
I used to use IE a couple of years ago. I had no spyware, trojans or something like that. BUT! I used a personal firewall which filtered all the traffic.
Now (about 1 year) I use FreeBSD on my desktop computer both at home and job.
“And tell me if you can find anyone whose PC is clean. ”
Mine. The other guy in my office. The 3 guys in the office next door. The guys in the office next door to that. Spyware simply does not install itself. The majority of spyware on PCs I’ve encountered has been due to the owner installing some “useful little tool” and that “tool” being crap. The only other instances have been when someone has visited a lot of porn/warez sites and installed the ActiveX controls without thinking.
IE is perfectly safe apart from ActiveX. So long as people think before they click “yes” to every dialog box that pops up, then they’ll be safe. The only real reason for using Firefox is because you personally prefer its user interface.
“I believe in educating users, which means that they should, eventually, choose Firefox”
I have huge problems with this comment. You seem to be suggesting that anyone who doesn’t use Firefox is a complete idiot. Educating people should simply involve explaining the alternatives available, including advantages and *disadvantages* of all the options. It shouldn’t involve forcing Firefox upon them. How would you feel if you came round to my house and I forced you to use Opera?
There are good browsers out there (I do like Opera) but in my opinion IE is included.
BenN: it’s possible, although my experience tells me that it’s almost impossible that Ad-Aware can detect no spyware AT ALL in an IE user’s PC, unless that user only ever uses the company’s intranet sites - even the people in the IT department in my company, who know enough not to install crap or click “yes” automatically, had some spyware on their PCs a few weeks ago. Not “dangerous” spyware (the kind that ruins your PC if uninstalled), but spyware nonetheless.
And spyware DOES install itself - by exploiting vulnerabilities. A lot of people don’t have Automatic Updates turned on, and don’t know how important updating your system is - I’ve even seen people (not techs, of course) who, when asked “how often do you go to Windows Update”, answer “what’s that?”.
I don’t think anyone who doesn’t use Firefox is a complete idiot. I do believe, though, that anyone who uses IE, when there are so much better alternatives (for Windows, mainly Firefox or Opera) is either ignorant of reality, or absolutely stubborn (like my boss - his Windows is slower than everyone else’s here, even though the hardware is exactly the same, because he refuses to learn to use anything but IE :)).
“Securing” IE can theoretically be done, but not by a non-technical user - while installing Firefox is much, much easier.
I only use the Links web browser - the WWW Text-Only Browser (http://links.sourceforge.net). It’s safer than having unprotected sex with a nun.
No link love for Opera on your error page?
*tear*
I tried what you suggested. Mozilla Firefox seems to be far better than IE. I am not able to understand why people still stick on to IE!!
I think the whole problem here is not so much what you’re saying, but how you’ve chosen to say it. Maybe it’s because of how you come off, probably not on purpose, but it’s kind of arrogant. Yes I agree the PhD came off arrogant himself but in reality it was because of how angry it made him to read what you wrote. It was pretty easy to defeat his rant, he probably didn’t have much knowledge of the subject but just couldn’t resist saying something rude in response. I feel the same way, I see stuff like this all the time when I’m surfing and it ticks me off. But let’s not get into it because I’m sure you don’t mean to come off that way.
More on topic:
Aside from the non-compliance that is typical of Microsoft, it’s my opinion that a lot of the security problems in IE are because it’s so commonly used. They’re kind of like an easy target. But I’m sure there are a lot of problems in Firefox, just that nobody takes the time to find them. Similarly, we always assume that all these viruses etc that end up so widespread are because windows is bad, but if you were going to spend the time to make a virus, why wouldn’t you concentrate on the most widely used software? I really wonder if since Firefox is gaining more and more acceptance that we won’t start to see some specialized attacks on it? What are your guys opinions on this?
Liquor: please see Firefox, IE and market share, my rebuttal to the “Firefox only has fewer problems because fewer people use it” argument. I go into more detail there.
That argument seems to make sense initially, but it assumes that all software is of the same quality, that all development teams have the same competence, and the same development philosophy, and the same objectives. Which is simply not true.
Or, to put it in another way: Firefox has more than 10% market share now; therefore, in theory, it should have 1/10th of the security problems (not just in number, but in seriousness) IE has had during the same time, right? But that hasn’t happened.
And believe me, spammers and spyware makers would *love* to be able to install stuff on PCs through Firefox. But, so far, it’s been a door closed to them.
Nice blog, i have added it to my favourites, greetings