The browser people can trust

Article
01/20/2012

Internet Explorer 9 is built with IT professionals in mind. Especially for the IT professional audience, we provide excellent protection for end users by default. We also support the latest standards for easier migration of line-of-business applications that are critical to your organization. Predictable browser updates that you can control further improve productivity.

Built-in security

Internet Explorer 9 provides features that help keep users and organizations safe from online threats.

SmartScreen Filter

In Internet Explorer 9, we’ve continued to heavily invest in the industry-leading SmartScreen® Filter and the backend reputation systems that power it. SmartScreen is a dynamic security intelligence and safety service designed to help protect Internet Explorer users from phishing attacks and malicious software.

SmartScreen investments in Internet Explorer 9 can be broken down into two major areas:

Application reputation—Provides information about a downloaded program based on file and publisher reputation. Internet Explorer 9 is the only major browser providing integrated download reputation to help users make better trust decisions.
Improvements to SmartScreen URL reputation—Since the release of Internet Explorer 8, SmartScreen has blocked over 1.2 billion malware and phishing attacks. We’ve continued to invest heavily in this area for Internet Explorer 9.

Introducing SmartScreen application reputation

SmartScreen Application Reputation is a groundbreaking browser feature that uses reputation data to remove unnecessary warnings for well-known files, and show more severe warnings when the download shows a higher risk of being malicious. Users today are conditioned to ignore the generic warnings that are shown for every download, such as: "This file type can harm your computer. Are you sure you want to run this file?" This same warning is displayed whether the file is an extremely common program or a piece of malware created minutes ago. Other browsers leave it up to the user to decide if a program is safe to download and run from the Internet. Internet Explorer 9 is the only browser that uses application reputation to help users make safety decisions.

Why is this approach important?

The primary reason for application reputation technology is that consumers remain unprotected between the time of the initial attack and the time it is detected and blocked. Blocking after detection is an important strategy, but for Internet Explorer 9 we wanted to turn the problem on its head. Application reputation is meant to close the gap between attack and detection by warning users when downloaded programs are uncommon and create higher risks.

What happens if a download doesn’t have a positive reputation?

A downloaded program is first checked against our application reputation service. For the vast majority of downloads the downloaded program will have a positive reputation and the program can be downloaded and run without browser warnings. However, in the rare case that a download does not have a positive reputation, the user is warned and must choose an option from the Actions button found on the notification bar or in the Download Manager. This warning gives the user additional information about the risk of their activity so they can choose to proceed or not. We have several versions of the warning UI that we’ll be testing through the beta period, one of which is shown below.

SmartScreen URL filtering improvements

The SmartScreen URL filter continues to be a key user safety asset of Internet Explorer 9. Since the launch of Internet Explorer 8, SmartScreen has blocked over 1.2 billion malware and phishing attacks and continues to block between 3 and 5 million attacks each day. We are committed to continuously improving our intelligence systems and processes so we can continue to provide industry leading protection from phishing and malware. We’ve also made improvements to the SmartScreen block experience in two core scenarios to help make sure users clearly understand the risks involved.

The new Download Manager blocks downloads from known malicious websites. When a malicious download URL is detected, a warning is shown in the new notification bar and in the Download Manager. At this point, you can continue the download—otherwise the download is cancelled and removed automatically.

The SmartScreen block experience has also been improved when helping to protect users from malicious content hosted on a benign page. This is most often caused by malicious advertising. For these scenarios, the SmartScreen block page has been updated to be clear when hosted content is malicious rather than the hosting website.

Tracking Protection

Tracking Protection helps your users stay in control of their privacy as they browse the web. Some of the content, images, ads, and analytics that your users see on the websites they visit are provided by outside or third-party websites. While this content can provide value to your organization and your favorite websites, these third-party websites have the ability to potentially track your behavior across multiple sites. Tracking Protection provides you an added level of control and choice about the information that third-party websites can potentially use to track your browsing activity.

Tracking Protection Lists help enhance your privacy and help protect you from online tracking by blocking web content that may be used to track you. To use this functionality, you simply have to add a Tracking Protection List from one of the Tracking Protection List providers. These Tracking Protection Lists contain domains which Internet Explorer will block as well as domains Internet Explorer will not block. As you browse to different sites, Internet Explorer helps ensure that personal information about you, such as your IP address or the site you are currently viewing, is not sent to the domains that are blocked based on the heuristics of the list. Once you’ve installed a Tracking Protection List, the settings apply to all the sites you browse to and are preserved each time you begin a new browsing session. Tracking Protection stays on until you decide to turn it off.

Protection against emerging threats

The cross-site scripting filter helps to keep users protected against emerging dangers on the web. As web technologies increase in complexity, so do the number of ways that malicious parties attempt to seize control of PCs and tamper with personal data. Internet Explorer 9 improves safety by including technology to help protect people from three of these types of security attacks.

Cross-site scripting (XSS) attacks. The cross-site scripting filter helps protect against these kinds of attacks, which have become a very popular attack method to try to steal data, deface webpages, or launch other types of attacks. XSS is a type of vulnerability in which one site attempts to use PCs to inject script code into another site that is being viewed. Internet Explorer 9 introduces improvements to our XSS filter that helps protect not only users but also sites from certain XSS attacks. For example, the XSS filter now includes an opt-in Block feature that will allow Internet Explorer to block pages that it believes contain an XSS attack.

Malicious website code. Internet Explorer 9 uses Data-Execution Prevention, also referred to as No-execute or collectively as DEP/NX, which helps prevent malicious website code from running on PCs. For example, DEP/NX makes it much more difficult for a site to download a program file disguised as a picture or video and then secretly run it on your PC.

Compromised security and privacy. Internet Explorer 9 recognizes that many of today’s websites need to combine (mash up) information from more than one source to offer innovative and useful experiences. However, mash-ups can compromise security and privacy. Web developers can make cross-domain requests (XDR) and send messages via cross-document messaging (XDM) in a way that better safeguards private data.

Reliability

Internet Explorer 9 provides technologies that keep users browsing, display webpages correctly, and make it easier for developers to use a single markup for multiple browsers.

Tab isolation, automatic crash recovery, and hang recovery

Building on the work we did in Internet Explorer 8, reliability features like tab isolation and automatic crash recovery keep you browsing. Website crashes are isolated to individual tabs, not entire browser windows. If a site crashes in one tab, the rest of the browsing session isn’t interrupted. You can keep browsing, undisturbed. After the problem is identified, Internet Explorer automatically recovers the tab. If one or more of the tabs close or crash unexpectedly, they are automatically reloaded, and you are returned to the sites you were on before the crash. Internet Explorer 9 also includes new support for hang recovery, which isolates the impact of a hung tab to the individual tab, so that other tabs and the overall browser are not impacted. Often it's a website that hangs—not your browser. While a tab is hung, you cannot interact with that tab. Hang recovery means you will be able to continue browsing on other tabs. This new feature complements tab isolation and automatic crash recovery.

We made the notification messages clearer in Internet Explorer 9 to help users better understand what to do when problems arise. For example, if a website causes the browser to stop responding, a message is shown in the Notification bar that says the website is not responding, rather than saying Internet Explorer is not responding. Users are able to better understand what the problem is, and what actions, if any, they need to take to address the issue.

Compatibility View

Some websites that are designed for older browsers may not display correctly in Internet Explorer 9, which by default renders content in the most standards-compliant way possible. You can feel good that your favorite websites will run in the newest version of Internet Explorer. Working with the top sites in the world, we test to see how they run on Internet Explorer 9.

When Internet Explorer detects a website that has not specified its desired display mode, the Compatibility View button appears next to the Refresh button on the Address Bar. Clicking the Compatibility View button causes Internet Explorer to switch to a legacy document mode. The state of the button is saved for that webpage, eliminating the need to click it again when you return to the same page later. You can choose to receive a list of sites best viewed in Compatibility View mode. When navigating to a site on the list, Internet Explorer 9 automatically displays the site in Compatibility View mode, without requiring you to click the Compatibility View button.

Compatibility View mode and the Compatibility View List were introduced with Internet Explorer 8. For Internet Explorer 9, we have made improvements that will make it much easier, especially for IT professionals, to work with the Compatibility View List. The list will be available for download as a single XML file.

Another aspect of compatibility is how Internet Explorer 9 handles the new graphics capabilities. If your PC does not have the hardware that is required to take advantage of the new graphic capabilities, Internet Explorer 9 automatically uses the Software Rendering option as the best way to display webpages. This is all handled automatically, without users needing to change any settings or options.

Support for modern standards

Internet Explorer 9 introduces support for many of the latest modern web development standards. Developers can count on a standards implementation that both supports responsible industry standards bodies and won’t change overnight. We know developers don’t want to rewrite and test their websites again and again—responsible standards adoption is a good way to enable developers to create sites and applications that use the same markup for all browsers. The following are some of the modern standards supported by Internet Explorer 9. More information about modern standards support is available in the Developer section of this Product Guide.

Cascading Style Sheets, Level 3 (CSS3)
- 2D Transforms
Document Object Model (DOM) Levels 2 and 3
- DOM events
HTML5
- Geolocation
Scalable Vector Graphics (SVG)

Through active participation in standards development in the CSS3 and SVG working groups, co-chairing the HTML5 working group, and leading the HTML5 Testing Task Force, we are actively working to bring modern web standards to the web. Standards consistency is a top priority for Microsoft, as we create and submit more test cases to the W3C than any other browser vendor. This helps to ensure that as browsers implement modern web standards and as developers write to them, they do so consistently. For enterprise customers this means fewer concerns over web application compatibility, when these web applications are written with modern web standards.

Deployment and control

IT professionals who manage desktop software for their organizations also have unique customization, deployment, management, and security needs. Internet Explorer 9 is the only browser that, out-of-the-box, provides many of the capabilities needed by IT professionals.

Internet Explorer Administration Kit

Internet Explorer 9 can be deployed in a standalone manner or as part of the operating system, and offers improved customization and management capabilities through the use of Group Policy and the Internet Explorer Administration Kit 9 (IEAK 9). The ability to slipstream security updates into the desktop image and new capabilities to manage user settings post-deployment can also help improve security and help protect corporate information.

With IEAK, Internet Explorer 9 can be installed as a standalone program through a custom Internet Explorer package (including a Windows installer file) and deployed through a distribution service, such as Active Directory®, Windows Server® Update Services (WSUS), and Microsoft® System Center Configuration Manager 2007. The IEAK provides you with all the tools and documentation you’ll need.

System administrators can choose to deploy:

The full Internet Explorer package (including Internet Explorer 9, customizations, and the Windows installer file)
A configuration-only package (including customizations and the Windows installer file)
A CD package (including CD auto-run, Internet Explorer 9, and customizations)

IT departments and original equipment manufacturers (OEMs) can customize their versions of Internet Explorer 9—including the home page, Favorites, search provider, Feeds, Accelerators, and Web Slices—by adding the InternetExplorer 9 customization setting to the Unattend.xml file that Windows uses for unattended setup.

IT departments can use the Internet Explorer Administration Kit (IEAK) to configure Internet Explorer 9 settings for deployments. There are three licensing modes for the IEAK: Independent Content Provider (ICP), Independent Service Provider (ISP), and Corporate, to ensure there is a version that aligns with an IT department’s specific customization needs.

IT professionals can use the IEAK to create custom, branded versions of Internet Explorer 9 that can be delivered as standalone packages or with other software or services, without having to install an operating system at the same time. You can update these custom versions without having to reinstall Internet Explorer 9.

Slipstream installation

Slipstreaming is the process of integrating Internet Explorer 9 into a Windows installation image. System administrators can now create a Windows image that includes Internet Explorer 9, so that PCs throughout the organization get a Windows installation that includes Internet Explorer 9 without any post-installation work required. Internet Explorer 9 uses the Microsoft Windows Vista®/Windows 7 Component Based Servicing (CBS) install method, meaning that Internet Explorer 9 slipstreaming is supported on both versions of Windows.

The Windows Automated Installation Kit (Windows AIK) has all the tools and documentation that are required for slipstream installation.

Robust Group Policy support

System administrators can use Group Policy to centrally change and manage computer and user settings for existing Internet Explorer 9 deployments. These are settings that users cannot change. Examples include the ability to disable the SmartScreen Filter, delete browsing history, change policies for security zones, add or delete sites in a security zone, or access the Security tab in the Internet Options dialog box.

New features in Internet Explorer 9, such as changes to add-on management, will be configurable using Group Policy. Internet Explorer 9 installs an ADMX/ADML file (an XML version of the ADM files from the previous operating system) as part of the full package, which allows system administrators to access the full range of Internet Explorer 9 policy settings and apply them within their organization through the use of Group Policy objects.

Internet Explorer 9 has a number of additional Group Policy enhancements to simplify deployment, configuration, and customization, such as:

Prevent deletion of download history
Disable add-on performance notifications
Enable alternate codecs in HTML5 media elements
Allow Internet Explorer 8 shutdown behavior
Install binaries signed by MD2 and MD4 signing technologies
Enable newly installed add-ons automatically
Turn off Managing SmartScreen filter
Prevent configuration of top result search from the address bar
Prevent deletion of ActiveX Filtering and Tracking Protection data
Go to an intranet site for a single word entry in the address bar
Show tabs below the address bar
Prevent users from bypassing the SmartScreen Filter's application reputation warnings about files that are not commonly downloaded from the Internet
Disable browser geolocation
Turn off ability to pin sites
Turn on ActiveX filtering
Configure Tracking Protection Lists
Tracking Protection Threshold
Turn off Tracking Protection

Predictable updates

Microsoft tries to provide a predictable update schedule to ensure that we are supporting released applications. However, because you often need to ensure that updates happen on your schedule, the Blocker toolkit allows you to postpone updates and install them at a time convenient for you and your user base. Many enterprise administrators will want to control how and when Internet Explorer 9 is deployed to their organization through Automatic Updates, to give them an opportunity to test their applications for compatibility. We provide a Blocker toolkit at each release of Internet Explorer. This toolkit allows IT administrators to control how Internet Explorer 9 is deployed in their organization.