Assuming you're going to run Internet Explorer 7 on a PC that can connect to the Internet, here are some best practices to follow:
Configure Internet Explorer's security zone settings to be as secure as is practical in your environment.
Change Binary Behaviors in the Internet zone from Allow to Prompt.
Disable or prompt for unsigned .NET Framework Components.
Disable or uninstall Java if it's not needed.
If Java is needed, make sure only the latest version is installed; newer Java upgrades often leave the old version installed as well, and the old, unpatched version remains exploitable by Web pages that request it.
Ensure Internet Explorer is fully patched at all times.
Make sure Protected Mode is enabled.
Ensure the Internet zone uses Medium-High security (the Internet Explorer 7 default) or High; never lower it to Medium, Medium-Low, or Low.
Enable the Phishing Filter.
Disable unnecessary add-ons using Internet Explorer's Manage Add-ons dialog or Group Policy.
Disable or remove unneeded ActiveX controls.
Don't allow users to add unauthorized Trusted Root Certification Authorities.
Don't allow end users to save passwords for Web sites.
Educate end users about browser threats.
Tell end users never to enter passwords (for example, to check e-mail) on public kiosk computers, where a keylogger could be installed.
Remind users not to visit malicious Web sites.
Enable DEP (Data Execution Prevention) for 32-bit versions of Internet Explorer if Java or other incompatible add-ons are not in use.
Disable HTML rendering in e-mail (covered in Chapter 10).
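Most of the settings in the checklist above are stored in the registry, so they can be audited without clicking through the Internet Options dialog on every machine. The following PowerShell script is an added example, not part of the original text, that reads the Internet zone (zone 3) and Internet Explorer values behind the checklist and reports which items pass. The zone action codes (CurrentLevel, 2000, 2004, 2500) and FormSuggest Passwords are standard Internet Explorer registry values; the Phishing Filter Enabled value of 2 and the DEPOff value are my assumptions about where IE7 records those two options and are marked as such in the code.

```powershell
# Added example: audit the IE7 hardening checklist by reading the registry
# values Internet Explorer writes. Read-only; it changes nothing.
# If the Group Policy "Security Zones: Use only machine settings" is in force,
# replace HKCU: with HKLM: in the zone path, since user values are then ignored.
$zone3 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$main  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$phish = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'

# Zone action values: 0 = Enable, 1 = Prompt, 3 = Disable, 0x10000 = Administrator approved.
# CurrentLevel: 0x10000 Low, 0x10500 Medium-Low, 0x11000 Medium,
#               0x11500 Medium-High, 0x12000 High.
$checks = @(
  @{ Name = 'Internet zone level is Medium-High or High'; Path = $zone3; Value = 'CurrentLevel'
     MissingOk = $false; Test = { param($v) $v -ge 0x11500 } },
  @{ Name = 'Binary behaviors not set to Enable (2000)'; Path = $zone3; Value = '2000'
     MissingOk = $false; Test = { param($v) $v -ne 0 } },
  @{ Name = 'Unsigned .NET components Prompt or Disable (2004)'; Path = $zone3; Value = '2004'
     MissingOk = $false; Test = { param($v) ($v -eq 1) -or ($v -eq 3) } },
  @{ Name = 'Protected Mode on (2500 = 0; Vista only)'; Path = $zone3; Value = '2500'
     MissingOk = $false; Test = { param($v) $v -eq 0 } },
  # Assumption: IE7 stores the Phishing Filter mode here, 2 = automatic checking.
  @{ Name = 'Phishing Filter automatic (assumed: Enabled = 2)'; Path = $phish; Value = 'Enabled'
     MissingOk = $false; Test = { param($v) $v -eq 2 } },
  @{ Name = 'Do not save Web site passwords (FormSuggest Passwords = no)'; Path = $main
     Value = 'FormSuggest Passwords'; MissingOk = $false; Test = { param($v) $v -eq 'no' } },
  # Assumption: the memory-protection (DEP) option is recorded as DEPOff, 1 = off.
  @{ Name = 'DEP not switched off (assumed: DEPOff absent or 0)'; Path = $main; Value = 'DEPOff'
     MissingOk = $true; Test = { param($v) $v -eq 0 } }
)

# Returns the value, or $null when the key or value does not exist.
function Get-RegValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.PSObject.Properties[$Name].Value
}

$results = foreach ($c in $checks) {
    $v = Get-RegValue $c.Path $c.Value
    if ($null -eq $v) {
        $result = if ($c.MissingOk) { 'PASS (not set)' } else { 'FAIL (not set)' }
    } elseif (& $c.Test $v) {
        $result = 'PASS'
    } else {
        $result = 'FAIL'
    }
    New-Object PSObject -Property @{ Check = $c.Name; Value = $v; Result = $result }
}

$results | Format-Table Check, Value, Result -AutoSize
```

A FAIL on the 2500 check on Windows XP simply means Protected Mode is unavailable there, not that it was turned off; treat the result as informational on that platform. The remaining items on the checklist (patch level, installed Java versions, ActiveX inventory, trusted root CAs) need their own inventory tools and are not covered by this zone-settings audit.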