I know that the IE infection is hard to kick. The most common argument I hear, many sites just don’t work with anything but Internet Explorer.
Is this a true issue, or merely an excuse for inaction? I know a few organizations that have installed alternative browsers (OK, Firefox, in all cases), and blocked all external access to IE users. They then take the help desk calls, check the sites that the users say won’t work with anything but IE, make sure they meet a business need, and then one by one add them into the proxy to be allowed out with IE.
Sure, this is a lot of work on the front end. Here’s the rub, though. 30 days out, the work drops like a hot stone in the hands of a yeti. Basically, the ongoing need to add sites become so infrequent as to be non-existant and handled with a one-off approval process. In terms of risk, the few who have taken this approach claim such a huge reduction in spyware cleanup, infections and basic break/fix calls that they say the longer term savings paid for the work of the 30 day period in less than 3 months. Thats a 90 day, 100% ROI for a 120 day project!!!! In business terms, this is a NO BRAINER.
Given the oddity of Aurora, the history of IE vulnerabilities and the ease at which new users of Firefox, Opera, Chrome, Safari, et all become proficient, the deck begins to stack in favor of replacing IE for Internet-bound traffic in all but a limited set of cases. Sure, use IE for that odd website, for those internal legacy apps where code-rewrite is not feasible. Heck, in this case, maybe even allow IE 6 to live on for internal use only (pray for no internal malware or xss attacks). We all know the real attack surface for IE is overwhelmingly the Internet.
Maybe this approach will work for you. Consider it. It works even better when combined with proper egress filtering, enclaving and role-based access controls.
Let me know what you think!