Best Practices


Assuming you're going to run Internet Explorer 7 on a PC that can connect to the Internet, here are some best practices to follow:

  • Configure Internet Explorer's security zone settings to be as secure as is practical in your environment.

  • Change Allow Binary Behaviors to Prompt from Allow.

  • Disable or prompt for unsigned .NET Framework Components.

  • Disable or uninstall Java if it's not needed.

  • If Java is needed, make sure only the latest version is installed (newer Java upgrades often leave the old version installed, too).

  • Ensure Internet Explorer is fully patched at all times.

  • Make sure Protected Mode is enabled.

  • Ensure the Internet zone uses Medium-Low security, or Low.

  • Enable the Phishing Filter.

  • Disable unnecessary add-ons using Internet Explorer's security settings or user group policy.

  • Disable or remove unneeded ActiveX controls.

  • Don't allow users to add unauthorized Trusted Root Certification Authorities.

  • Don't allow end users to save passwords for Web sites.

  • Educate end users about browser threats.

  • Tell end users to never use passwords (for example, to check e-mail) from public kiosk computers where a malicious keylogger could be installed.

  • Remind users not to visit malicious Web sites.

  • Enable DEP protection for 32-bit versions of Internet Explorer if Java or other incompatible applications are not used.

  • Disable HTML rendering in e-mail (covered in Chapter 10).
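
Three of the zone settings in the list above (binary behaviors, unsigned .NET Framework components, Protected Mode) can be audited offline from a `reg export` of the Internet zone key. The script below is an added example, not code from the book: the mapping of checklist items to the zone values 2000, 2004 and 2500 is supplied here, and the sample export is constructed.

```python
import re

# Internet zone (zone 3) key, matched as a suffix so HKCU and HKLM exports both work.
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ACTIONS = {0: "Enable", 1: "Prompt", 3: "Disable"}
# value name -> (checklist item, acceptable settings); this mapping is an assumption
# made for the example, the page itself names no registry values.
CHECKS = {
    "2000": ("Binary and script behaviors", {1, 3}),         # not Allow
    "2004": ("Unsigned .NET Framework components", {1, 3}),  # prompt or disable
    "2500": ("Protected Mode", {0}),                         # 0 = on, 3 = off
}

# Constructed sample. Real .reg exports are UTF-16; decode before passing them in.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"CurrentLevel"=dword:00011500
"2000"=dword:00000000
"2004"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"2500"=dword:00000003
'''

def parse_zone(reg_text, key_suffix=ZONE_KEY):
    """Return {value name: dword} for the four-hex-digit values under the zone key."""
    values, in_zone = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Track the current section so other zones' values are not mixed in.
            in_zone = line.rstrip("]").lower().endswith(key_suffix.lower())
        elif in_zone:
            m = re.fullmatch(r'"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})', line)
            if m:
                values[m.group(1).upper()] = int(m.group(2), 16)
    return values

def audit(reg_text):
    """Compare the exported zone values with CHECKS; absent values are reported."""
    values, findings = parse_zone(reg_text), []
    for name, (item, allowed) in CHECKS.items():
        if name not in values:
            findings.append((name, item, "NOT SET"))
            continue
        setting = ACTIONS.get(values[name], hex(values[name]))
        status = "OK" if values[name] in allowed else "FAIL"
        findings.append((name, item, f"{status} ({setting})"))
    return findings

if __name__ == "__main__":
    for name, item, result in audit(SAMPLE_EXPORT):
        print(f"{name}  {item:<36} {result}")
```

A value reported as NOT SET is absent from the exported key, so the effective setting comes from elsewhere (for example Group Policy) and needs a separate check.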



Windows Vista Security. Securing Vista Against Malicious Attacks
ISBN: 470101555
EAN: N/A
Year: 2004
Pages: 163