Internet Explorer 7 Updated Advice for the NHS 04 February 2008 Version 1.3

Agenda Summary Advice for the NHS IE7 Update February 2008 – WSUS IE7 And Windows XP Service Pack 3 IE7 Upgrade Process Options IE7 Security Features

Summary Advice for the NHS If you use Windows Server Update Services (WSUS) Follow the advice below. Then follow the advice on the next page (IE7 Update February 2008). If you use NPfIT applications provided by an LSP or NASP Don’t install IE7 yet Install the Blocker to prevent Windows Update (WU) automatically upgrading systems to IE7 Follow the advice to prevent automatic update if you are using Windows Server Update Services (WSUS) Test all your own critical applications with the latest version of IE7 available Wait until your LSP confirms that all NCRS/NPfIT applications you use are compatible If you don’t yet use NPfIT applications provided by an LSP or NASP Don’t install IE7 yet Install the Blocker to prevent WU automatically upgrading systems to IE7 Follow the advice to prevent automatic update if you are using Windows Server Update Services (WSUS) Test all critical applications with the latest version of IE7 available

IE7 Update February 2008

WSUS IE7 Update Windows Server Update Services (WSUS) Windows Internet Explorer 7 will be distributed via Windows Server Update Services (WSUS) from 12 February 2008 and may require administrator action to prevent the rollout. If you have auto-approve enabled within WSUS, then IE 7 will be distributed to your desktops without further approval. The blocker toolkit referred to in this document does not block IE7 from being installed through WSUS. To prevent the installation of IE7 using WSUS, you need to ensure that you have not enabled the automatic approval of Update Rollups before 12th February. It is Best Practice not to enable automatic approval of updates. Please review this knowledge article for further information: KB at The original advice for blocking Windows Update is included in this document.

IE7 And Windows XP Service Pack 3

IE7 And Windows XP SP3 Windows XP Service Pack 3 Windows XP Service Pack 3 will be released during 1H/2008. Microsoft have confirmed the following details on IE7 and Windows XP SP 3: Service Pack 3 will not force the installation of IE7. If IE6 is installed, then Service Pack 3 will update IE6 but will not force an upgrade to IE7. If IE7 is installed, then Service Pack 3 will update IE7. Windows XP SP3 includes updates to both IE6 and IE7, and will update whichever version is installed on the computer.

IE7 Upgrade Process Options

Upgrade to IE7? New Features Tabbed browser RSS Page zoom More Manageable Group Policy settings Enhanced Security Only available on Windows XP SP2 Windows Server 2003 SP1 IE7 Beta known to break some NCRS applications Plus Minus

Other Windows Versions All versions of Windows prior to XP SP2 should continue to run IE6

IE7 Automatic Upgrade Microsoft treating IE7 as a “Hot Fix” to IE6 When released IE7 will be a High Priority Update on Windows Update (WU) It will be automatically installed on clients using Windows Server Update Services (WSUS) if auto-approve is enabled Some NCRS/NPfIT applications are known not to work with IE7 How do we prevent the automatic install of IE7?

Preventing the Upgrade If using WSUS, SUS or SMS to deploy updates Do not auto approve the IE7 update Refer to the section above “IE7 Update February 2008” If manually using Windows Update (from Start menu) Tools available to prevent the IE7 update being applied Download from Microsoft Web site as a toolkit from Where users have Local Administrator rights Either remove those rights (unlikely) or provide advice & guidance

Disabling Delivery of IE7 Will prevent machines receiving IE7 as a high-priority update via Automatic Updates and the “Express” install option on the Windows Update and Microsoft Update sites. The Blocker Toolkit will not expire Will NOT prevent manual installations of IE7 as a Recommended Update from the Windows Update or Microsoft Update sites, from the Microsoft Download Center (sic), or from external media. Erroneous IE7 installations can be uninstalled using Add/Remove Programs Will NOT prevent update of IE7 through WSUS. See the “IE7 Update February 2008” slide above.

How the Toolkit works Blocker script sets a registry setting on a computer Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\7.0 Key value name: DoNotAllowIE70 Value set to 1 to block install Script run as IE70Blocker.cmd [ ] [/B] [/U] [/H] Group Policy template ADM file also supplied

New Features of IE 7

IE7 Security Features Protect the machine Protect the user against misleading downloads and websites

Protect the Machine Unified URL parsing URLs passed as strings may be parsed inconsistently through the stack Special characters complicate URL parsing Cross-domain security enhancements Limit scripts on web pages from interacting with content from other domains or windows Code quality improvements to reduce buffer overruns

Protect the Machine ActiveX Opt-in IE6 blocked signed ActiveX controls with the Information bar, but pre-installed controls would run silently IE7 blocks pre-installed ActiveX controls with the Information bar on first run (or via Add-on Manager) Protected Mode (Microsoft Windows Vista only) IE7 runs in isolation from other applications Cannot write beyond Temporary Internet Files without user consent

Protect the User Download scanning with Windows Defender Phishing Filter High-assurance SSL and address bar Address bar shown in all windows Colour of address bar indicates potential threat

Protect the User Dangerous settings notification "Fix My Settings" feature – warns when your Internet settings may be unsafe and resets them Secure defaults for IDN (International Domain Names) Warns when visually similar characters in URL are not in same language Parental controls (Windows Vista only) Can restrict access Logs sites browsed

px Toolkit to block upgrade to IE7 via Windows Update How to block upgrade with WSUS Resources & further information