What

 

Internet Browser

 

Why

 

This program allows you to communicate with the internet and thus opens your computer system and data up to threats.

 

How

 

You need to configure your browser for secure use. There are also several good browsers you may choose to use.

 

Detailed Information

The internet is like an alligator farm....

If you are still using Internet Explorer version 6, you should read the following instructions on beefing up security protection. 

1. IE Security Zones 

2. Alternate Browsers

Recommendation: Upgrade to the new Internet Explorer 7 version which provides much greater security than version 6.

 

MS IE Version 7 released and more secure!

Microsoft released Internet Explorer 7 for Windows XP on October 18, 2006. 

Internet Explorer 7 for Windows XP is now publicly available at www.microsoft.com/ie. With this release, Microsoft strongly encourages all users to upgrade to Internet Explorer 7. Users can upgrade immediately by downloading the software from the Microsoft Download Center or by installing the software when it is distributed by Windows Automatic Updates and they’re presented with the installation screen.

Internet Explorer 7 is available now in two versions: a stand-alone version for Windows XP Service Pack 2, Windows XP Professional x64 Edition, and Windows Server™ 2003 as well as an enhanced version built into Microsoft Windows Vista™ to take advantage of new features of the Windows Vista platform.

 

Is IE 7 Really More Secure Than IE 6?
October 24, 2006, by Brian Livingston

Microsoft released its long-awaited Internet Explorer 7.0 browser on Oct. 19. The free download allows Windows users to replace IE 6.0, which hasn't had a serious feature update since it first came out in 2002. 

IE 6 has been a serious PR problem for the Redmond software company, producing a string of warnings -- seemingly every month -- that its code is vulnerable to drive-by downloads and other ills that can be exploited by hacker Web sites. 

The good news is that IE 7 resolves many of these security weaknesses, some of which Microsoft never got around to patching in IE 6. The new version of the browser isn't perfect, however, so you still have problems to be aware of. 

 

QUICK SUMMARY - Better Security in IE 7 

IE 7 includes more security enhancements than can be described here. But a short list of the most important changes would have to include the following: 

Better zone control. IE 6's "trusted sites zone" gives vast power to Web sites to install programs on visitors' machines and take other actions. As a result, IE 7 by default gives this zone only the same privileges as sites in the "Internet zone." You can easily increase the capabilities of trusted sites, but this requires some knowledge that the average user doesn't have. Another improvement is that the "intranet zone," which also gives elevated privileges to sites, doesn't exist in home versions of Windows. This opens up fewer opportunities for Web sites to pose as "intranet" sites. 

ActiveX opt-in. Many troubles with IE 6 over the past few years have involved "active content," usually in the form of ActiveX controls. This Microsoft-invented technology allowed Web sites to install code and do other nasty things on visitors' PCs. IE 7 by default doesn't run such code, protecting novices against attacks from untrustworthy sites. 

Phishing filter. Microsoft maintains a large database of sites that appear to be posing as banking sites to capture passwords from gullible recipients of "phishing" e-mails. IE 7 warns the user when the browser is visiting a site in this database. Surprisingly, the phishing filter is not enabled by default. You need to turn it on, which is simple because IE 7 invites you to do this the first time it's opened. 

Protected Mode. Available only when IE 7 is running on Windows Vista -- not XP or 2003 -- Protected Mode prevents Web sites from modifying system files or settings. This should provide users with even greater protection against rogue sites.

 

DETAILS - Protection Against Malware

Here is Microsoft's take on the new security improvements residing under the hood of IE 7. From Microsoft's IE 7 Technology Overview we read:

Malware, short for malicious software, refers to software applications designed to damage or disrupt a user’s system. The proliferation of malware and its impact on security is a driving force behind the design of Internet Explorer 7. The new version has been improved to reduce the potential for hackers to compromise a user’s browser or system. In addition, Internet Explorer 7 includes several technical features designed to thwart hackers’ efforts to lead users into giving away personal data when they should not. Core parts of the browser’s architecture also have been fortified to better defend against exploitation and improve the way the browser handles data.

URL Handling Protections

Historically, attackers have taken advantage of internal code design issues within the Web browser to attack a system. A hacker would rely on a user clicking on an HTML link referencing some type of malformed URL that contains odd or excessive characters. In the process of parsing the URL, the system’s buffer would overflow and execute some code the hacker wanted to install. Given the size of Web browser application code, the most efficient solution to fixing these types of attacks was to issue updates as each was discovered and the root cause identified. Yet even with only a handful of such updates required, the more optimal solution was to rewrite the baseline application code. Internet Explorer 7 benefits from these experiences and the analysis of attack signatures. Rewriting certain sections of the code has drastically reduced the internal attack surface of Internet Explorer 7 by defining a single function to process URL data. This new data handler ensures higher reliability while providing greater features and flexibility to address the changing nature of the Internet as well as the globalization of URLs, international character sets and domain names.

ActiveX Opt-In

Internet Explorer offers Web developers the ActiveX® platform as a mechanism to greatly extend browser capabilities and enhance online experiences. Some malicious developers have co-opted the platform to write harmful applications that steal information and damage user systems. Many of these attacks were made against ActiveX Controls shipped within the Windows operating system, even though the controls were never intended to be used by Internet-facing applications. Internet Explorer 7 offers users a powerful new security mechanism for the ActiveX platform. ActiveX Opt-In automatically disables entire classes of controls — all controls the user has not previously enabled — which greatly reduces the attack surface. This new feature mitigates the potential misuse of preinstalled controls. Users will now be prompted by the Information Bar before a previously installed but as-yet unused ActiveX Control can be accessed. This notification mechanism will enable users to permit or deny access when viewing unfamiliar Web sites. For Web sites that attempt automated attacks, ActiveX Opt-In protects users by preventing unwanted access and giving the user total control. If the user opts to permit loading an ActiveX Control, the appropriate control is easily enabled by clicking in the Information Bar.

Protection Against Cross-Domain Scripting Attacks

Cross-domain scripting attacks involve a script from one Internet domain manipulating content from another domain. For example, a user might visit a malicious page that opens a new window containing a legitimate page (such as a banking Web site) and prompts the user to enter account information, which is then extracted by the hacker. Internet Explorer 7 has been improved to help deter this malicious behavior by appending the domain name from which each script originates and limiting that script’s ability to interact only with windows and content from that same domain. These cross-domain script barriers will help ensure that user information remains in the hands of only those the user intentionally provides it to. This new control will further protect against malware by limiting the potential for a malicious Web site to manipulate flaws in other Web sites and initiate the download of some undesired content to a user’s PC. 

Protected Mode

Available only to users running Internet Explorer 7 in Windows Vista, Internet Explorer Protected Mode will provide new levels of security and data protection for Windows users. Designed to defend against “elevation of privilege” attacks, Protected Mode provides the safety of a robust Internet browsing experience while helping prevent hackers from taking over the browser and executing code through the use of administrator rights.

In Protected Mode, Internet Explorer 7 in Windows Vista is unable to modify user or system files and settings. All communications occur via a broker process that mediates between the Internet Explorer browser and the operating system. The broker process is initiated only when the user clicks on the Internet Explorer menus and screens. The highly restrictive broker process prohibits work-arounds from bypassing Protected Mode. Any scripted actions or automatic processes will be prevented from downloading data or affecting the system. Specifically, Component Object Model (COM) objects will only be self-aware and will have no reference information by which to identify and attack other applications or the operating system.

Internet Explorer Protected Mode helps protect users from malicious downloads by restricting the ability to write to any local machine zone resources other than temporary Internet files. Attempting to write to the Windows Registry or other locations will require the broker process to provide the necessary elevated permissions. Internet Explorer Protected Mode also offers tabbed browsing security protection by opening new windows — rather than new tabs — for content contained outside the current security zone.

Fix My Settings

Knowing that most users are likely to install and operate applications using the default configuration, Internet Explorer 7 ships with security settings designed to provide the maximum level of usability while maintaining controlled security.  There are legitimate reasons why a custom application may require a user to lower security settings from a default, but it is critical the user reverse those changes when they are no longer needed.  Internet Explorer 7 introduces users to the new Fix My Settings feature to keep users protected from browsing with unsafe settings.  This new feature in Internet Explorer 7 warns users with an Information Bar when current security settings may put them at risk.  When a user makes changes in the security settings window, they will see settings automatically highlight in red if they modify certain critical items.  In addition to dialog alerts warning the user about unsafe settings, the user will be reminded by the Information Bar as long as the settings remain unsafe.  Users can instantly reset the security settings to the ‘Medium-High’ default level by clicking the ‘Fix My Settings’ option in the Information Bar.

Advanced Protection Against Spyware With Windows Defender

Microsoft Windows Defender enhances security and privacy protections when used with Internet Explorer 7. Extending the protections against malware at the browser level, Windows Defender helps prevent malware entering the machine via piggy-back download, a common mechanism by which spyware is distributed and installed silently along with other applications.

Although the improvements in Internet Explorer 7 cannot stop non-browser-based spyware from infecting the machine, using it with Windows Defender will provide a solid defense on several levels. Windows Defender is available for Windows XP and is also in Windows Vista.

Personal Data Safeguards

Most users are unaware of how much personal, traceable data is transmitted with every click of the mouse while they are browsing the Web. The extent of this information continues to grow as browser developers and Web site operators evolve their technologies to enable more powerful and convenient user features. Similarly, most online users are likely to have trouble discerning a valid Web site from a bogus copy.

The extent to which convenience and discount pricing are available online gives users an attractive reason to click and buy. The Internet enables any large or small business to easily create an online storefront for selling goods, enabling the business to reach a consumer audience well beyond traditional physical and geographic boundaries. Search engine marketing efforts allow these Web sites to establish instant consumer credibility and reach millions of users through some of the largest search engines or portal Web sites. The combination of these factors creates situations in which consumers are dealing with distant businesses and left with fewer concrete mechanisms to differentiate legitimate businesses from those seeking to collect their information for improper gain. Another challenge facing users is the ability for malicious Web site operators to abuse the same search listing services to attract unsuspecting consumers to knockoff Web sites designed to mimic the appearance and function of well-known and trusted businesses.

A technique used by many malicious Web site operators to gather personal information is known as phishing — masquerading online as a legitimate person or business for the purpose of acquiring sensitive information. Such fake Web sites designed to look like the legitimate sites are referred to as spoofed sites. Over the past year, phishing attacks have been reported in record numbers, and identity theft is emerging as a major threat to personal financial security. In the past two years, the number of confirmed phishing sites has grown twenty-fold — from 580 to more than 11,000 (source: Anti-Phishing Working Group, April 2006 report).

Unlike direct attacks where hackers break into a system to obtain account information, a phishing attack does not require technical sophistication but instead relies on users willingly divulging information such as financial account passwords or Social Security numbers. These socially engineered attacks are among the most difficult to defend because they require user education and understanding rather than merely issuing an update for an application. Even experienced professionals can be fooled by the quality and details of some phishing Web sites as hackers become more experienced and learn to react more quickly to avoid detection.

Internet Explorer 7 offers a range of enhancements and solutions to better protect against malicious Web site operators and help prevent users from becoming victims of confusing URLs. The new Security Status Bar, located next to the Address Bar, is designed to help users quickly differentiate authentic Web sites from suspicious or malicious ones. In addition, Internet Explorer provides a simple file cleanup utility.

Certificates also play an essential role for users in validating e-commerce Web sites and helping to thwart phishing scams. The Security Status Bar in Internet Explorer 7 enhances access to certificate information by placing it more prominently in front of users and providing single-click access to the certificate.

Extended Validation Certificates

Over the past few years, Web browser users have been introduced to the concept of encrypted communications and secure sockets layer (SSL) technologies to better protect their information from being obtained by third parties. Although many users have become quite familiar with SSL and its associated security benefits, a large proportion of Internet users remain overly trusting that any Web site asking for their confidential information must be protected. With the explosion of small- and home-based business Web sites selling goods that span the pricing spectrum, users are even more likely to encounter unknown entities asking for their financial information. The combination of these factors creates a situation ripe for abuse. Internet Explorer 7 addresses this issue by providing users with clear, prominent, color-coded visual cues to the safety and trustworthiness of a Web site. With the assistance of Internet Explorer 7 to help identify legitimate Web sites, users can more confidently browse and shop anywhere on the Internet.

Previous versions of Internet Explorer placed a gold padlock icon in the lower-right corner of the browser window to designate the trust and security level of the connected Web site. Given the importance and inherent trust value associated with the gold padlock, the new Security Status Bar places it more prominently in users’ line of sight. Users can now view the certificate information with a single click on the padlock icon. The Security Status Bar also supports information about Extended Validation certificates for those sites meeting guidelines for better entity identity validation. Users can benefit from support for Extended Validation certificates by having instant visual access to the increased validation of authenticity for a given Web site. To provide users with another visual cue designed to help them recognize questionable Web sites, the padlock now appears on a red background if Internet Explorer 7 detects any irregularities in the site’s certificate information. By contrast, trusted Web sites will clearly display the name of the certificate owner and a gold background to indicate that users can provide confidential data.

Microsoft Phishing Filter

Developers of phishing and other malicious activities thrive on lack of communication and limited sharing of information. Using an online service that is updated several times an hour, the new Phishing Filter in Internet Explorer 7 consolidates the latest industry information about fraudulent Web sites and shares it with Internet Explorer 7 customers to proactively warn and help protect them. The filter is designed around the principle that, to be effective, early warning systems must derive information dynamically and update it frequently.

The Phishing Filter combines client-side scans for suspicious Web site characteristics with an opt-in online service. It helps protect users from phishing scams in three ways:

1.      It compares the addresses of Web sites a user attempts to visit with a list of reported legitimate sites that is stored on the user’s computer.

2.      It analyzes sites that users want to visit by checking those sites for characteristics common to phishing sites.

3.      It sends the Web site address that a user attempts to visit to an online service run by Microsoft to be checked immediately against a frequently updated list of reported phishing sites.

Internet Explorer 7 uses the Security Status Bar to signal users (in yellow) if a Web site is suspicious. The example below shows a site that is attempting to spoof a legitimate Woodgrove Bank site.

If the Web destination has been confirmed as a known phishing site, Internet Explorer 7 signifies the threat level in red and automatically navigates the user away from that site.

URL Display Protections

Hackers commonly attempt to mislead users into thinking they are looking at information from a known and trusted source. A valuable hacking tool has been the ability to hide true URL information and domain names from users. Internet Explorer 7 contains two powerful visual tools to help prevent users from being duped: an Address Bar in every window and Internationalized Domain Name (IDN) support.

Address Bar in Every Window

With Internet Explorer 7, all browser windows require an Address Bar. Because hackers often have abused valid pop-up window actions to display windows with misleading graphics and data as a way to convince users to download or install their malware, the requirement of an Address Bar in each window will help ensure that users always know more about the true source of information they are seeing.

IDN Display Protections

Internet Explorer 7 natively delivers full IDN functionality and display protections. The Internet incorporates a global community, and browsers must be able to handle non-English characters and domain names. Operators of malicious Web sites have used international character display issues as a mechanism for phishing attacks against users and as a way to hide the true Web site domain name. The problem derives from international alphabets; many characters in certain languages (e.g., the letter “a” in English) can resemble entirely different characters in other languages (e.g., the letter “а” in Cyrillic). As a result, an individual with malicious intent may register a similar domain name to fool users into submitting their content to a false site. Previous versions of Internet Explorer did not have IDN support and thus were not vulnerable to this attack. Internet Explorer 7 not only delivers native IDN support but also provides extensive security mechanisms to protect users from attack. One of the core security features of IDN support in Internet Explorer 7 is the multiple language display in the Address Bar.

 

Internet Explorer 7 IDN rules force the display of the Punycode domain name format when multiple character sets are contained within a single domain name label. For example, the URL http://www.microsóft.com would be displayed in Punycode since it mixes both the French and English character sets in the same label portion. The address bar would display http://www.xn--microsft-03a.com, alerting the user and calling attention to the suspicious URL. The URL http://ŵŵŵ.microsoft.com would be displayed correctly because the language character sets are contained in separate labels.
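
The display rule described above can be sketched as follows. This is an added example, not code from Internet Explorer or from Microsoft's overview. It uses a simplified model of "character set": unaccented ASCII letters form one set, and other letters are grouped by the first word of their Unicode name. The function names and the third sample URL are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit


def charset_of(ch):
    """Classify one letter into a coarse 'character set' (simplified model)."""
    if ch.isascii():
        return "BASIC-LATIN"  # unaccented a-z, the "English" set
    # First word of the Unicode name, e.g. LATIN, CYRILLIC, GREEK.
    script = unicodedata.name(ch, "UNKNOWN").split()[0]
    return "LATIN-ACCENTED" if script == "LATIN" else script


def label_charsets(label):
    """Return the character sets used by the letters of one label.

    Digits and hyphens are neutral and are ignored.
    """
    return {charset_of(ch) for ch in label if ch.isalpha()}


def display_label(label):
    """Show a label as typed, or in Punycode when it mixes character sets."""
    if len(label_charsets(label)) > 1:
        return "xn--" + label.encode("punycode").decode("ascii")
    return label


def display_host(url):
    """Return the host name as an address bar would show it under this rule."""
    host = urlsplit(url).hostname or ""
    return ".".join(display_label(label) for label in host.split("."))


# The first two URLs are the ones used in the text; the third is a
# constructed sample with the Cyrillic letter U+0430 inside a Latin label.
SAMPLES = [
    "http://www.micros\u00f3ft.com",
    "http://\u0175\u0175\u0175.microsoft.com",
    "http://www.ex\u0430mple.com",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", display_host(url))
```

Each label is judged on its own, so an accented label next to a plain ASCII label is shown unchanged, while a single label that combines the two is shown in its xn-- form.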

Delete Browsing History for Better Protection of Privacy and Passwords

All Web browsers provide mechanisms to delete history information, clean the cache, erase automatically completed form history and clear the Start/Run history. The removal of this data requires deleting each set individually, and not all the necessary removal buttons are located on a single screen or within one application. Internet Explorer 7 provides a Delete Browsing History option that provides users with one-click cleanup to easily and instantly erase personal data. Delete Browsing History is especially valuable in shared-resource environments. Accessing online resources using a friend’s computer seems harmless enough, but the user then becomes reliant on the security of the friend’s system to protect his or her data. Likewise, in public environments such as libraries, schools and conference centers, computers may be used by hundreds of people and potentially expose personal data and history information to every one of those users. Delete Browsing History provides a simple mechanism to instantly erase information and eliminate any concern for data privacy on other systems. It is another way Microsoft is working proactively to deliver tools that improve user safety and data protection.

Parental Controls

Internet Explorer 7 in Windows Vista provides additional security and privacy mechanisms by utilizing a network layer filter component. Available to all Windows Vista applications, this network layer service allows parents to establish filter controls for objectionable content or define a specific set of allowable Web sites to browse. Internet Explorer 7 in Windows Vista works directly with the Parental Controls service to provide easy access to logging information and a single interface for managing settings. The Parental Controls service can also be set to block file downloads, offering another way to prevent malware from getting on a system. If Parental Controls are set to block downloads, Internet Explorer 7 in Windows Vista will automatically block the file unless the user is able to provide the appropriate administrative password. If Parental Controls are set to permit file downloads, all downloads will be logged for review at a later time. If a child attempts to access a page with mixed content — data contained both on and off the allowable list of Web sites — Internet Explorer 7 in Windows Vista will present the user with an Information Bar to request permission from a parent to approve the download. When the entire page is blocked, an error page is displayed that also provides a link allowing the child to request permission.

 


DETAILS - WHAT ABOUT LOOK and FEEL?

NEW FEATURES IN IE7 FOR THE USER

Makes Everyday Tasks Easier

Browsing the Web is one of the top activities of PC users. As the Web has become more complex yet more mission-critical, personal and professional PC users are no longer satisfied with being able merely to navigate to one page at a time; they want easier ways to search from multiple places for information they care about. The ability to easily search and consume multiple sources of information daily has become a necessity — whether for looking at favorite news sites, consulting intranet sites, managing finances, performing research, shopping, sending e-mail or even blogging.

To enable today’s savvy Internet users to perform everyday tasks more productively and efficiently, Internet Explorer 7 has been redesigned with new and enhanced capabilities.

PC users can use tabbed browsing, inline toolbar searching, and shrink-to-fit Web page printing capabilities; can discover, preview and subscribe to Web feeds; and can employ Internet Explorer’s cleaner, sleeker user interface to maximize the amount of screen real estate devoted to the Web pages they care about.

New Look

“Frame” is a term that refers to the way the browser’s user interface is laid out. In Internet Explorer 6, the default frame includes menus at the top and a row with buttons for Back, Forward, Stop, Home, Go and so on; below that is the Address Bar.

Internet Explorer 6

Internet Explorer 7

In Internet Explorer 7, the frame is reorganized to make it noticeably simpler, more streamlined and less cluttered with unnecessary items. The goal is to maximize the screen real estate devoted to the Web pages that users want to view.

The Back and Forward buttons are smaller and have been moved next to the Address Bar. The Windows flag icon in the upper-right corner of Internet Explorer 6 has been removed to make room for the Instant Search box. Microsoft has invested heavily in the user interface improvements in Internet Explorer 7, and users will experience the difference the moment they launch the new browser.

Tabbed Browsing

Tabbed browsing is the most-requested browser navigation feature among customers seeking to manage multiple Web sites within one browsing window. To create or open tabs in Internet Explorer 7, users can click on the empty tab on the Toolbar or right-click on any hyperlink in a Web page and choose Open in New Tab. They also can right-click on a tab to refresh each page as an individual tab or refresh all of them as a group, close individual tabs or the entire group, and reorder tabs on the tab bar by simply dragging and dropping.

Quick Tabs

Internet Explorer 7 helps manage multiple tabs with a feature called Quick Tabs. Quick Tabs enables users to view thumbnail images of all open tabs in one view. By simply clicking the Quick Tab icon just to the right of the Favorites icon, users can view all open tabs. From the Quick Tabs view, the user can open any tab by simply clicking anywhere on the tab image and can close any tab by clicking the “X” in the far right corner of the image. The Quick Tabs page will scale to the number of tabs the user has open. If a user has nine tabs open, Quick Tabs will preview thumbnail images of all nine tabs; if a user has more than 20 tabs open, they will see smaller thumbnail images of each tab but will still be able to see all tabs in single view.

Tab Groups

Managing multiple tabs can be cumbersome. Internet Explorer simplifies the organization of multiple tabs with Tab Groups. Tab Groups enable users to organize multiple tabs in the same category as a single Tab Group that can be saved as a Favorite. Tab Groups can be created for a variety of subjects or categories such as shopping, finance or news. For example, travel sites such as Orbitz, Travelocity and Expedia® can all be saved as a travel Tab Group in Favorites. The Tab Group will appear as a folder in the Favorites menu. By clicking on the folder, the Tab Group will expand to show the unique sites organized within the folder. The user can open all the sites in the Tab Group with a single click on the arrow to the right of the folder. A Tab Group can contain an unlimited number of tabs or sites, and users can create an unlimited number of Tab Groups within Favorites.

Instant Search

The Instant Search box makes it quick and easy for users to search the Internet directly from the browser frame using their favorite search provider. Users can choose a search provider from the drop-down list and easily add more providers to the list.

When users upgrade to Internet Explorer 7, the Instant Search box will inherit the default setting the user had chosen in Internet Explorer 6. To offer users the greatest choice, Internet Explorer expands the definition of search provider by including broad and vertical search providers as potential candidates in the Instant Search drop-down list. From the Instant Search drop-down menu the user can simply click on Find More Providers to be linked to the Windows Search Guide. This guide includes many broad and vertical search providers that can be added to the Instant Search box with a single click.

Printing Advances

As part of Microsoft’s efforts to simplify the common tasks that users perform every day, Internet Explorer will include enhanced functionality that makes it easier to print a Web page without content at the left or right margin being cut off, which is common.

By default, Internet Explorer 7 will shrink a Web page’s text just enough to ensure that the entire page prints properly, so users will no longer need to cut and paste the page into a text-editing program. Users will also be able to adjust Web page margins, change the page layout, remove headers and footers, and increase or decrease the print space.

Page Zoom

To improve the user experience, Internet Explorer 7 has added a Page Zoom feature, which enables users to increase or decrease the page size for easier viewing. Not only can the user change the text size, but any graphics or embedded text in graphics can also be modified. Hard-to-read text or small thumbnail images on Web sites can now be enlarged.

100 Percent View

Zoomed View

RSS Feed Support

With new integrated support for RSS in Internet Explorer 7, users can easily discover, subscribe to and read RSS feeds directly in the browser. Users can have personalized sports, news or shopping feeds delivered directly to them.

Web publishers use RSS to create and distribute feeds that include links, headlines and summaries. With an RSS reader, a user can subscribe to many feeds and read new entries all in one place, without visiting individual Web sites.

In previous versions of Internet Explorer, RSS feeds were rendered in the browser in raw Extensible Markup Language (XML), which is unreadable by anyone but the most technical users. In Internet Explorer 7, users can read the feed directly in the browser, scan for important stories and get a description of the content. Users can also subscribe to a feed with a single click, a process that is very similar to adding a Web site Favorite.

Internet Explorer 7 also supports an RSS platform so all applications can share the same set of RSS subscriptions, enabling developers to focus on creating new end-user experiences rather than on the details of RSS functionality. More details on this functionality are provided in the Improved Platform and Manageability section of this overview.


 

 

Resources

 

 

 

 

 

Protect your HOSTS file, which directs your browsing to internet servers and can be manipulated by evildoers: see HOSTS

Internet Explorer 7 release information http://www.microsoft.com/windows/ie/default.mspx  

IE 7: so much for Firefox http://www.cnet.com/4520-6033_1-5666404-1.html



 

Contact me at NofinerWeb.com