As everyone should know, Internet Explorer is a very insecure browser, and daily use can quickly turn a Microsoft Windows PC into a spyware-ridden, spam-sending slow, unstable abomination.

I don’t use IE at home, because Mozilla Firefox is infinitely better and more secure, but I’ve found that many people, even those otherwise educated and intelligent, think of “the Internet” as “the blue E”, and, when wanting to open a site, open IE without thinking.

So I had to do something about it.

Now, while I think that (as of mid-2005) it is still to early to implement this as official policy in a company (many bad sites or incompetently-designed intranet applications only work with IE – and sometimes only with a particular version), it can be useful in many home / small office networks.

Requirements

• a Unix-like machine (e.g. GNU/Linux or OpenBSD), possibly with 2 network cards, already running as a gateway for your network (this part is beyond the scope of this article)
• a firewall running on that machine (I use OpenBSD’s pf, but Linux’s iptables would also work) (again, firewall instructions go beyond the scope of this article)
• a Squid proxy server installation on the same machine, with the desired access configuration (including, possibly, authentication and such).

Steps

1. configure your firewall not to allow direct HTTP (ports 80 and 443) and FTP (port 21) from the internal network (otherwise, users could just disable the proxy in the browser)
2. change your Squid configuration like this:

   Before the “allow” for your home network, insert the following:

   acl msie browser MSIE
   acl getmozilla dstdomain .spreadfirefox.com
   acl getmozilla dstdomain .getfirefox.com
   # firefox download places always have "mozilla" in the URL
   acl getmozilla2 url_regex mozilla
   
   # the following use IE's engine
   # magic online
   acl exceptions_ie dstdomain .wizards.com
   # jre updates
   acl exceptions_ie dstdomain .java.sun.com
   acl exceptions_ie dstdomain .jdl.sun.com
   # stardock central
   acl exceptions_ie dstdomain .stardock.com
   # city of heroes
   acl exceptions_ie dstdomain .coh.com
   acl exceptions_ie dstdomain .cityofheroes.com
   acl windowsupdate dstdomain .windowsupdate.microsoft.com
   
   deny_info ERR_BAD_BROWSER msie
   
   http_access allow msie windowsupdate
   http_access allow msie getmozilla
   http_access allow msie getmozilla2
   http_access allow msie exceptions_ie
   http_access deny msie
   

   The exceptions are for some applications which (foolishly) use IE’s engine and identify themselves as it. You may not need these, and require different ones.

You should also create an ERR_BAD_BROWSER file (on the share/errors/English directory) for telling users that they’re using an insecure browser, and that IE is only for Windows Update, and for downloading Firefox. For example, here is mine:


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The requested URL could not be retrieved</TITLE>
<STYLE type="text/css"><!--BODY{background-color:#ffffff; font-family:verdana, sans-serif}PRE{font-family:sans-serif}-->
</STYLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The requested URL could not be retrieved</H2>
<HR noshade size="1px">
<P>
While trying to retrieve the URL:
<A HREF="%U">%U</A>
<P>
The following error was encountered:
<UL>
<LI>
<STRONG>
Insecure browser detected.
</STRONG>
<P>
Microsoft Internet Explorer (MSIE) is an insecure browser, and I don't like it
being used in
my home. :) MSIE, and MSIE-based browsers such as AvantBrowser or NetCaptor,
can only be used for <a href="http://windowsupdate.microsoft.com">Windows
Update</a>, or for downloading <a
href="http://www.spreadfirefox.com/?q=affiliates&id=2703&t=49">Mozilla
Firefox</a>.</p>
<p>Please use a more secure browser such as <a
href="http://www.spreadfirefox.com/?q=affiliates&id=2703&t=49">Firefox</a> or Opera.
</UL>
<P>Your cache administrator is <A HREF="mailto:%w">%w</A>.


Addendum

Yes, the user agent string can be changed. But I’m counting on the fact that most IE users don’t even know what a “browser” is – they think that “the Internet is the blue E”, and that clicking on it is “opening the Internet” as mentioned before. I’m also counting on the fact that anyone who is technically knowledgeable enough to change IE’s user agent is also knowledgeable enough not to want to use IE.

Addendum #2

“Why not simply download Firefox and tell people to use it?”, you may ask.

It’s not that easy – even at MY place, guests tend to “click on the blue E” without thinking, even after I’ve told them about Firefox. It’s a difficult habit to break for many people. And I don’t believe in “fooling” them by disguising Firefox with a IE theme and switching the icon.

Besides, a lot of software uses the IE engine “under the hood”. You can fall victim to an IE hole even if you never open IE yourself.