The Beat Goes On For Internet Explorer

The browser is getting more secure, cleaner, and easier to use.

March 17, 2006

12 Min Read
Network Computing logo

Drum roll, please: Two new builds of Internet Explorer 7--Build 5296, the Beta 2 preview version for Windows XP Service Pack 2, and Build 5308, which is part of the February 2006 Windows Vista CTP--have made their debut. These builds of IE7 are safer than before, and the interface is better. But Microsoft hasn't yet advanced the state of the art in Internet browsing.

A New UI

Both versions sport a new user interface. The menu bar is below all other tools and options and is turned off by default in Build 5296, representing a savings in screen real estate. The most often-used options (such as those to do with the page and configurations) can be accessed from a set of drop-down menus appearing at the right end of the row of the browser's tabbed pages. At the left end of the row, you'll notice a few new icons that let you access the new favorites panel, feeds panel, and Quick Tabs.

Quick Tabs lets you see thumbnail snapshots of the pages on all opened tabs. Click to enlarge in another window

Either click on the Quick Tabs icon or press Ctrl-Q to bring up a special page with thumbnail snapshots of the pages on all opened tabs. The visuals here update if the page content changes (say, if you're on your Gmail page and some new e-mails appear). You can click on a thumbnail to go directly to that tab. Hovering on a particular thumbnail also reveals the URL it's displaying, which is useful if you have similar-looking pages with different URLs. While we found this useful for the most part, a current behavior of Quick Tabs is that if you click anywhere outside the Quick Tabs area itself, the display reverts to the last active tab. We're hoping that in future versions, Quick Tabs will let power users keep the thumbnails on for monitoring multiple pages simultaneously while they continue working elsewhere.Users have been able to organize their favorite bookmarks into folders for years. Now with the ability to have tabbed windows, you might naturally want to group the URLs for one set of tabs in a single folder. IE7 lets you do this with a folder name of your choice. Later, you can launch this entire set of pages with a single click. However, you can’t manage and organize the favorites list with this panel yet; you still need to go to the Organize Favorites menu option for that.

The new ActiveX opt-in feature prompts users to explicitly allow ActiveX controls to be installed and run. Click to enlarge in another window

You can right-click feeds you've subscribed to in order to set up synchronization policies for each. IE7 also stores historical records of downloaded feed content, and you can select how much of this you wish to retain. When you set up background RSS feed downloads, IE7 actually creates a Scheduled Task item to download the content. Later, when you click on the feed in the feeds panel, the content is ready to be displayed. All this works once you enable Automatic Synchronization from the Internet Options dialog. To read a feed, all you need to do is click on it, and its content will appear on a new tabbed page. The February 2006 CTP release of Windows Vista also has the Sidebar, which lets users keep launchers for often-used programs and even for running applets (like the Clock and Calendar) for easy access. The RSS feeds you subscribe to in IE7 are automatically taken up and displayed by the RSS Feeds Sidebar Gadget, Microsoft's name for Sidebar plug-ins.

RSS feeds let you schedule updates and maintain a history of downloaded items. Click to enlarge in another window

Enhancements to security phishing (for money, not trout or salmon) is on everyone's minds. IE7 includes a built-in anti-phishing filter that checks Web sites you visit and warns you if there's something suspicious. This works in two ways: The URL you're on is first compared against a central list (on the Internet) of known phishing sites. If the URL doesn't exist there, the page itself is scanned for particular characteristics, such as IP addresses in URLs and forms being submitted to locations other than where the rest of the page came from. This technique is based on black lists and on feedback from users who report bad sites they come across. To control this behavior, you get an icon in the status bar of the IE window to toggle checking, as well as to report a site as suspicious.We used testing tools from IT security services provider Secunia to test both builds against IDN spoofing, URL spoofing, and frame injection vulnerabilities and found that they passed the first two, but failed the frame injection test. In IDN spoofing, a Web site uses international character codes in the URL to make it appear deceptively similar to another URL (for phishing). In URL spoofing, the entire URL is misrepresented, usually involving client-side scripting to replace the address in the address bar with a fake address. An IDN spoofing attack is easily defeated if your browser is set to the US English (En-US) locale, but the attack might be successful if you're using a non-English locale.

To protect users against URL spoofing, IE7 includes two features: First, it requires that all windows have the address bar present. This makes it impossible for a malicious Web site to open a window without an address bar and surreptitiously collect information pretending to be some other site. Second, IE7 doesn't allow scripts to replace URLs in the address bar.

Vista's IE7 also has a Protected Mode. This ties into Vista's User Account Protection (UAP) technology. What it does is prevent normal (non-administrator) users of the system from installing ActiveX controls into their browsers. (Less ActiveX means less chance of things like spyware and browser hijacking--nice touch!) Users can, however, bypass this manually using Vista's Run Elevated option if they want, and there are no prompts to reset back to normal mode for that instance of the browser.

Curiosity Satisfied

Curious to know what kinds of add-ons are being used by your browser? Launch the Add On Manager from the Tools menu to find out. And if you really want to get a heart attack, select "Add Ons that can run without requiring permission" from the drop-down (yikes!). Does this mean malicious developers can write an add-on that "does not require permission" and have it do bad things? There's no reason to be worried here with the ActiveX Opt In feature in IE7. The add-on modules that didn't come with the OS or browser itself are disabled by default. This includes even the Windows Media Player control, as we found out. When you visit a Web page that requires a particular add-on, the browser will automatically prompt you (via the Information Bar as well as a status bar icon), and you can choose if you want to turn it on or leave it off. This behavior includes add-ons that were already installed. The items listed under the "without requiring permission" screen are simply those that didn't require IE to prompt you before they were loaded. If you wish to browse without add-ons being loaded, you can right-click the icon on the desktop and select "Run without Add Ons."Builds 5296 and 5308 also include a "Find more Add Ons" menu item that takes you to the Web site to search for and download modules you require.

Nice Little Touches

Can co-users of the same system find out which sites you've been to? The answer is now a "No." You can delete all your browsing history with about three clicks. Simply access the Tools menu and then the "Delete Browsing History" option to click on the "Delete All" button there. And this actually works right away, without even having to restart the browser or system. With IE6, our experience has been that URL vestiges remain, and sometimes while you're typing a URL (supposedly history-cleared before), the browser will still remember it. Now it's really all gone. You can delete cookies, temporary Internet files, forms data, and passwords the same way. This doesn't affect the ability to remotely monitor or generate reports of browser activity on an enterprise network.

Several new small yet useful features have found their way into the latest IE beta builds. One of them is Page Zoom. Traditional "zooming" on a Web page magnifies only text and not the image and other content on the page. IE7 includes a separate feature that magnifies the entire Web page. If you use a scroll mouse, you can hold down Ctrl while using the mouse wheel to zoom in or out. There's a new icon in the latest IE7 betas on the status bar that lets you quickly see, as well as change, the level of zoom.

Print preview is improved, too. Now you can resize the page, adjust margins, and toggle header/footer printing from this window. Do note that print previewing some Web pages here can take a little bit of wait time while the engine renders the content on screen.IE7 now joins the bandwagon of browsers that already feature a separate search box on the window, allowing you to add any number of search providers to the list. Webmasters can also get IE to add their Web site or service to this list by calling a client-side JavaScript function, which will cause a prompt to the user asking if they wish to install the new provider. The official list of available search providers on Microsoft's Web site includes Google, Yahoo,, Amazon, eBay, and more.

ClearType, now enabled by default in IE7, improves readability on Web pages, especially for users who spend a lot of time browsing or staring at pages with varying font sizes that may not always be conducive to easy reading. Users will recall that ClearType has long been a part of Win XP, but never turned on by default. In a post defending the decision to turn it on, ClearType inventor Bill Hill says, "The decision to turn ClearType on by default in IE is unusual, but was made because solid research over the past few years has shown conclusively that it improves reading--the task at which IE users spend most of their time." He further goes on to say ClearType will be turned on by default in Vista as well.

Options, Options, Options!

Yeah, there are tons of them this time. And mostly you're not going to remember which is where the first couple of times around. Where shall we start? The homepage can have multiple defaults, each one opening in a new tab. So the one-line box from yore now lets you enter any number of URLs (one on each line). When you launch a new browser instance, all of them will open in different tabs. Options for the anti-phishing filter, history eraser, and so on are currently scattered through the tabs, hopefully for cleanup later on. Some options, like the Content Advisor, Certificates, and Auto Complete, haven't changed at all. Parental control is now beyond setting a password and, like the Protected Mode, ties into the UAP in Vista in Build 5308. And remember, you can't set parental controls for an administrator, so don't let your kid be your PC's administrator!

More options have been added to the advanced and zone-wise security tabs this time. While some of these options are easy to understand, others need to be worked on. For instance, the option for Protected Mode in the zone-wise security tab nowhere says what it would do if turned on. Also, some of the options have text next to them either recommending that you set that option or that you don't, but it's not always clear why. Options that require the browser to be restarted are marked clearly with an asterisk and footnote.Large Scale Deployments And Beyond

For enterprise deployment, administrators can use the Internet Explorer Administrator's Kit (IEAK) for IE7 to customize all settings for the browser, then create deployment copies on CD or host them on a server. The kit also allows administrators to reconfigure an existing installation of IE7 without needing to reinstall anything. This kit is quite similar to the earlier versions of IEAK, but adds support for the new IE features and lock-down settings.

From the Microsoft Web site, developers can download the IE Developer Toolbar, which appears as a panel on the browser window (per tab). When browsing, the panel displays the DOM contents from the active Web page and lets the developer test changes directly by making the page WYSIWYG editable. While this tool lets users play with any Web page, changes made won't affect live pages because that would require FTP access to the site to update the file for everyone else.

The world has waited with bated breath wondering if IE7 would muster CSS 2 support and pass the Acid2 test. The answer is, it won't. The features that make Acid2 work properly are on the wish list for IE7, but they aren't priority items because Acid2 isn't by design a compliance test, but merely a check for supported features. The new browser has added support for CSS 2.1 Selectors, transparent alpha channel PNG images, and so forth. So it's a mixed bag for folks expecting full compliance with CSS standards.

Bottom LineThere are other things we'd like to see as well. A better download manager would be nice. IE7 still has the old download progress window with no features to resume broken downloads or get them faster. And guess what? When you have the pop-up blocker turned on, you can't even download mail attachments unless you use the Ctrl key to over-ride it. Nor is there a tab session manager to save and restore your tabs when you close the browser window.

The builds of IE7 are getting slowly closer to a safer browser because of the new security features. But in terms of a new browsing experience, it's still not all there yet.

Sujay V. Sarma is a senior technology analyst with PCQuest, the largest circulated IT user magazine in India, and with Cybermedia Labs, its affiliated vendor-independent testing and reviewing facility.

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights