10 IE Browser Settings for Safer Surfing
By Bill Brenner, CSO, 03/23/2009
Ask a room full of security practitioners for a list of security settings that'll make Internet Explorer (IE) safe to use
and you'll either hear laughter or advice to get a new browser like Mozilla Firefox, Opera, Safari or Google Chrome.
Even as Microsoft has worked diligently to improve security in its troubled browser, especially in IE7 and the newly-released
IE8, security pros simply don't trust it. Most have turned to alternative browsers, especially Firefox. [See: Microsoft Releases IE8, Stresses Security]
But the intoxication security pros find in Firefox and the other alternatives comes with a big hangover. When one wakes up
from an evening of online adventuring on one of the alternative browsers, the painful reality is that they will never be able
to get away from IE completely. The obvious reason is that IE is so tightly integrated into the Windows operating system,
though some industry voices have called on Microsoft to divorce it from the OS. [See: Security Expert: Microsoft Should Sever IE from Windows]
"We aren't going to be able to get away from IE in the corporate world anytime soon," said Christopher Mendlik, a threat analyst
at Wachovia. Besides the tight integration with Windows, there's the simple reality that some business applications will only
work when used in IE. At CSOonline and other media outlets, for example, the programs used to post content online tend to
be allergic to non-IE browsers.
Those who have no choice but to use IE have turned to a number of coping mechanisms.
Mendlik chooses to lock down IE with group policies, stay on top of new patches and deploy content filtering on a proxy/firewall
with real-time blacklists. He also monitors internal and outgoing connections like a hawk for any unusual activity.
Thomas Evans, a Cleveland-based network security administrator, suggested installing Sandbox for IE, which allows users to run any program in a "sandbox" and confine any damage done to the sandbox and virtual registry. "When
the [browsing] session is over, you can delete everything associated with it safely. If you do get something via drive-by
it won't get out to do damage," he said.
In addition to these measures, CSOonline went in search of 10 essential security settings to make an online ride on the IE
bandwagon safer. Here's a list of 10 provided by Jeff Forristal, a senior security engineer with cloud security vendor Zscaler:
1. Disable XPS documents
Tools/Internet Options/Security tab/Internet zone/Custom Level/XPS Documents: disable. XPS documents are a new image format
that was introduced in Vista, Forristal said. Attackers have been having a field day exploiting image/document formats and
parsers, so the fewer formats your browser supports, the better.
Downside: This can affect simple XPS document viewing, but you can get a standalone XPS viewer from MS that doesn't require
IE, he said.
2. Disable font download
Tools/Internet Options/Security tab/Internet zone/Custom Level/Font download: disable.
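The two dialog settings above can also be checked from the registry, which is how they would be audited across machines locked down by group policy. This read-only script is an added example, not part of the original article; it assumes Microsoft's documented URL action IDs (2401 for XPS documents, 1604 for font download), the Internet zone stored as zone 3, and a lookup order of policy keys before the per-user preference.

```powershell
# Audit the Internet zone (zone 3) for the two settings named above.
# Assumed action IDs: 2401 = XPS documents, 1604 = Font download.
# Assumed values: 0 = enable, 1 = prompt, 3 = disable.
$actions = [ordered]@{ '2401' = 'XPS documents'; '1604' = 'Font download' }
$zoneKey = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Assumed precedence: Group Policy locations first, then the user's own preference.
$locations = @(
    "HKLM:\Software\Policies\$zoneKey",
    "HKCU:\Software\Policies\$zoneKey",
    "HKCU:\Software\$zoneKey"
)
$meaning = @{ 0 = 'enable'; 1 = 'prompt'; 3 = 'disable' }

$results = foreach ($id in $actions.Keys) {
    # Take the first location that defines this action.
    $hit = $null
    foreach ($path in $locations) {
        $prop = Get-ItemProperty -Path $path -Name $id -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $hit = [pscustomobject]@{ Path = $path; Value = [int]$prop.$id }
            break
        }
    }

    $state = 'not set'
    if ($hit) {
        $state = if ($meaning.ContainsKey($hit.Value)) { $meaning[$hit.Value] } else { 'unknown' }
    }

    [pscustomobject]@{
        Setting   = $actions[$id]
        Action    = $id
        State     = $state
        Source    = if ($hit) { $hit.Path } else { '-' }
        Compliant = [bool]($hit -and $hit.Value -eq 3)
    }
}

$results | Format-Table -AutoSize

# A non-zero exit code lets a management tool flag the machine.
if ($results.Compliant -contains $false) { exit 1 }
```

A setting reported from a `Policies` path is enforced by group policy and cannot be changed by the user in the Internet Options dialog; one reported from the plain `HKCU:\Software` path is only a user preference.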
Comments (1)
Better Security Using Two or More Web Browsers
By Eirik on March 23, 2009, 3:44 pm
The prescribed settings limit some risks such as unknowingly employing bad SSL. One of the big flaws in web browsers is their lack of internal authorization control...