We used testing tools from IT security services provider Secunia to test both builds against IDN spoofing, URL spoofing, and frame injection vulnerabilities; both builds passed the first two but failed the frame injection test, in which a malicious page loads its own content into a named frame belonging to another site's open window. In IDN spoofing (a homograph attack), a Web site registers a domain containing international characters that look like the letters of a well-known URL, so the address appears deceptively similar to the real one (for phishing). In URL spoofing, the entire URL is misrepresented, usually via client-side scripting that replaces the address in the address bar with a fake one. An IDN spoofing attack is easily defeated if your browser is set to the US English (En-US) locale, because IE7 shows a domain name in its Punycode (xn--) form whenever it contains characters from outside the languages you have configured, which makes the lookalike obvious; the attack might still succeed if you're using a non-English locale that includes the script the lookalike characters are drawn from.
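To make the locale dependence concrete, here is an added example of a locale-driven IDN display policy of the kind described above. It is not IE7's code or anything from Secunia; the LOCALE_SCRIPTS table, the function names, and the optional rejectMixedScripts rule (the stricter policy later browsers adopted, which shows Punycode whenever a single label mixes scripts regardless of locale) are assumptions made here for illustration. The lookalike hostname is constructed: a Latin "paypal.com" with the "a" replaced by Cyrillic "а" (U+0430).

```javascript
// Added example, not IE7's code: decide whether the address bar shows a hostname
// in Unicode or in its Punycode (xn--) form, based on which scripts the user's
// locale is assumed to read. LOCALE_SCRIPTS is an illustrative assumption.

const LOCALE_SCRIPTS = {
  "en-US": ["Latin"],
  "ru-RU": ["Latin", "Cyrillic"], // a Russian user also reads Latin hostnames
};

const SCRIPT_TESTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// Unicode scripts used by the letters of one hostname label
// (digits and hyphens carry no script and are ignored).
function scriptsIn(label) {
  const found = new Set();
  for (const ch of label) {
    if (!/\p{L}/u.test(ch)) continue;
    const name = Object.keys(SCRIPT_TESTS).find((s) => SCRIPT_TESTS[s].test(ch));
    found.add(name ?? "Other");
  }
  return found;
}

// Punycode form of a hostname, as the browser's URL parser produces it.
// Throws if the parser rejects the hostname.
function toASCII(host) {
  return new URL(`http://${host}/`).hostname;
}

// What the address bar should show for `host` under `locale`.
// IE7-style rule: show Unicode only if every script in the label is one the
// locale reads. rejectMixedScripts (assumed, stricter) additionally forces
// Punycode for any label that mixes scripts, e.g. a Cyrillic letter inside a
// Latin word, even when the locale reads both.
function displayHostname(host, locale, { rejectMixedScripts = false } = {}) {
  const allowed = new Set(LOCALE_SCRIPTS[locale] ?? ["Latin"]);
  const ascii = toASCII(host);
  const unicodeLabels = host.normalize("NFC").toLowerCase().split(".");
  const asciiLabels = ascii.split(".");
  if (unicodeLabels.length !== asciiLabels.length) return ascii; // be conservative
  return unicodeLabels
    .map((label, i) => {
      const scripts = scriptsIn(label);
      const readable = [...scripts].every((s) => allowed.has(s));
      const mixed = scripts.size > 1;
      const showUnicode = readable && !(rejectMixedScripts && mixed);
      return showUnicode ? label : asciiLabels[i];
    })
    .join(".");
}

// Constructed lookalike: "paypal.com" with Cyrillic "а" (U+0430) as the second letter.
const LOOKALIKE = "p\u0430ypal.com";
// Constructed all-Cyrillic hostname (яндекс.рф) for the legitimate-IDN case.
const CYRILLIC_HOST = "\u044f\u043d\u0434\u0435\u043a\u0441.\u0440\u0444";

console.log(displayHostname(LOOKALIKE, "en-US"));                             // Punycode: lookalike exposed
console.log(displayHostname(LOOKALIKE, "ru-RU"));                             // Unicode: attack succeeds
console.log(displayHostname(LOOKALIKE, "ru-RU", { rejectMixedScripts: true })); // Punycode again
console.log(displayHostname(CYRILLIC_HOST, "ru-RU"));                         // Unicode: genuine IDN kept readable
```

Run under Node (the global URL constructor does the Punycode conversion). The second call is the caveat from the text in miniature: a locale that legitimately reads Cyrillic sees the lookalike as written, and only the mixed-script rule closes that gap without hiding genuine Cyrillic domains.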
To protect users against URL spoofing, IE7 includes two features. First, it requires that every browser window, pop-ups included, display an address bar. This makes it impossible for a malicious Web site to open a chromeless window and surreptitiously collect information while pretending to be some other site. Second, IE7 doesn't allow scripts to overwrite the URL shown in the address bar.
Vista's IE7 also has a Protected Mode, which ties into Vista's User Account Protection (UAP) technology (the feature Microsoft renamed User Account Control, or UAC, before Vista shipped). In Protected Mode the browser runs with reduced privileges, so it can't write to the parts of the file system and registry that installing software requires; in practice this prevents normal (non-administrator) users of the system from installing ActiveX controls into their browsers. (Less ActiveX means less chance of things like spyware and browser hijacking; nice touch!) Users can, however, bypass this manually by starting the browser with Vista's Run Elevated option if they want, and nothing prompts them to drop back to Protected Mode for that instance of the browser, so an elevated session stays elevated until it is closed.
Curious to know what kinds of add-ons are being used by your browser? Launch the Add-on Manager from the Tools menu to find out. And if you really want a heart attack, select "Add-ons that can run without requiring permission" from the drop-down (yikes!). Does this mean malicious developers can write an add-on that "does not require permission" and have it do bad things? There's no reason to be worried here, thanks to the ActiveX Opt-In feature in IE7. Add-on modules that didn't come with the OS or the browser itself are disabled by default; this includes even the Windows Media Player control, as we found out. When you visit a Web page that requires a particular add-on, the browser prompts you (via the Information Bar as well as a status bar icon), and you can choose whether to turn it on or leave it off. This behavior applies even to add-ons that were already installed before IE7. The items listed under the "without requiring permission" screen are simply those pre-approved controls that IE didn't need to prompt you about before loading them; a third-party developer can't place an add-on on that list just by writing it. If you wish to browse without any add-ons being loaded, right-click the Internet Explorer icon on the desktop and select "Run without Add Ons" (the equivalent of launching iexplore.exe with the -extoff switch).