THE OFFICIAL BLOG OF THE SBS "DIVA"

I've told you previously what you can do with that 2x4 :)

Bottom line: IE should not be used, anywhere by anyone. The same is not the case with Firefox, even with Administrative priviledges.

-Vlad

I would make the argument that there are occasionally needs when one must surf from a server.  Mainly to download an update, but occasionally when you are searching for a solution an application error.  In most cases, a good administrator will have everything ready, but sometimes you need that browser.  Thus, I disagree with your statement.  There is a need, but let's face the facts that most folks who access a server console are not your run of the mill user browsing all the various nefarious sites.  

Unfortunately, there is a need for IE.  To be honest, no website should foist upon you a browser choice, but there are business applications that do that.  Nonetheless, I think it is the responsibility of the vendor to make sure their web-bassed application is browser-agnostic.  What, if, pray tell, I have Linux users accessing an application?  

Do not buy applications that require IE. Simple as that. If you can scream about Quickbooks and asking people not to ignore them then you should at least be reasonable enough to tell people NOT to buy applications designed on technology that has a proven track of ridiculous security shortcomings and change management holes. "Sorry, we got sued so instead of paying up we'll just make this inconvenient for everyone else"

As for locking it down - Your network should be locked down and secured at the firewall, server, NAP/NAC, etc.... not on the workstation where it can get owned at any moment. If we all expect our computers to be as secure as possible while the network is wide open we'll either have to make the compromise of letting go of flexibility and features (ie, buy a Mac) or demand better written apps.

Microsoft is clearly not listening, their response is "we can't do much about writing secure software" - that whole secure by design is gone. Now its more about secure by patching and limiting access/functionality (I guess thats "secure by deployment" piece they promised us in 2001 coming with Vista in the way of UAC). And if they are not listening, we should not be using IE or committing to technologies that require IE to operate.

But given all of that, let the bygones be bygones. Where we are at now I believe Mozilla/Firefox is the way to go and Microsoft will have to go a long way to prove otherwise, at least for me.

-Vlad

I'm a developer, I cannot work in the restricted mode. All OEM boxes, workstations, laptops, etc ship with the user in Administrator mode - by default. Works for me, works for the rest of the world.

I run Firefox as admin, on Vista, with UAC turned off. 0 problems.

I run Firefox on my main XP workstation, as administrator. 0 problems.

I have run Firefox as an administrator on nearly every laptop I have owned for as long as Firefox has had a stable release and I have never had a problem.

Firefox
- patches itself without an issue
- patches clearly document the problems
- does not nag to apply the patch, it just does it
- does not require a reboot
- does not nag to reboot the computer or even worse automatically reboot if I am away from my desktop for more than 15 minutes
- remembers my sessions and tabs when it restarts
- properly warns me of dangerous content
- remembers file associations correctly
- has a far more sophisticated integration with search and blocks popups

Feel free to continue to rant. In the meantime, Firefox is a far more sensible choice and I am afraid to take a fully patched IE anywhere BUT Microsoft.com and our intranet. Based on the IE track record I believe, despite all the patches, that far too many holes in it still exist and do not TRUST it to be used on the Internet.

Your response just does not fly with me.  As a former large enterprise admin, you sometimes don't have the luxury of RDP/TermSrv/VNCing to a box to do as you say.  In most cases, in my previous position, we did as much work as we could remotely.  We are not needlessly surfing the web from these servers looking at *** or other questionable sites; we are merely using that to download a driver.  Sure, we tried to stage these updates, but sometimes a driver was missed for one reason or another.  Additionally, access via a toted laptop was not a particularly easy task, either.  

We had a management station setup expressly for this purpose.  Again, it was a server class machine--running Win2k, if memory serves--but it was our TS gateway if we needed it while addressing an outage remotely.  This was used for us to manage non-Windows machines or others that were not accessible via a DRAC card.  We even had Firefox installed on this server, too.  In this case, we agree to disagree.  

To be a further curmudgeon, I have to agree a lot with what Vlad said.  

As for the VMware suggestion, I find that hardly a viable solution.  You could setup a Citrix/TS box for this purpose, too.  Then, of course you add a potentially untenable solution based on cost--appropriately beefy machine, licensure, etc.  Code your sites clean such that they do not have dependencies on browsers.  It's that simple.  In this day and age, no one should be baking in those dependencies.  That's just a sure sign of poor coding.