Linked by Thom Holwerda on Wed 1st Nov 2006 14:55 UTC, submitted by bouh
Internet & Networking "How do the latest versions of each browser compare? For this prizefight, we looked at Microsoft Internet Explorer 7, Microsoft's first new Internet browser since 2001 and Mozilla Firefox 2, Mozilla's update of its popular Firefox 1.5 browser released in November 2005." This will be the last Firefox 2 vs. IE7 article. I promise.
Thread beginning with comment 177738
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[4]: Group Policies
by Ventajou on Thu 2nd Nov 2006 00:10 UTC in reply to "RE[3]: Group Policies"
Ventajou
Member since:
2006-10-31

In a managed environment, you can set group policies to prevent the user from changing the proxy settings in IE. Also you can prevent them from installing software other than what you provide them with (through SMS or ZenWorks for example).

But if you deploy FireFox, then you have no convenient way, to my best knowledge, of preventing the users from playing with the proxy settings. I agree that most people wouldn't do that, but like I said, a number of our users are high schoolers with a high addiction to sites like myspace.com (they would use Google cache to go to myspace.com)

Reply Parent Score: 1

RE[5]: Group Policies
by Shkaba on Thu 2nd Nov 2006 00:29 in reply to "RE[4]: Group Policies"
Shkaba Member since:
2006-06-22

I think you are looking at this issue from the wrong perspective. One does not need to "deploy firefox" to introduce a vulnerability in an environment. If somebody is willing enough, and knowledgable enough he can run an executable from a memory stick, pda, cell phone etc, without ever installing anything on a workstation and it does not have to ba a browser. No group policy replaces proper administration of a network and proper setup of the proxy/firewall/router. You just get an illusion of a tightly managed environment. Group policies are usefull for internal administration, to a certain degree. For security issues that involve external communications you should not rely on gp alone, because they are not designed for that purpose.

Edited 2006-11-02 00:30

Reply Parent Score: 1

RE[6]: Group Policies
by hal2k1 on Thu 2nd Nov 2006 00:45 in reply to "RE[5]: Group Policies"
hal2k1 Member since:
2005-11-11

//If somebody is willing enough, and knowledgable enough he can run an executable from a memory stick, pda, cell phone etc, without ever installing anything on a workstation and it does not have to ba a browser.//

This limitation is, of course, only a Windows limitation.

http://portableapps.com/

Windows will happily run any executable from anywhere, even one which has not been installed on the system or "sanctioned" by the system admin. This doesn't take hardly any knowledge at all, just a visit to the website above is enough.

http://portableapps.com/about/what_is_a_portable_app
"A portable app is a computer program that you can carry around with you on a portable device and use on any Windows computer. When your USB flash drive, portable hard drive, iPod or other portable device is plugged in, you have access to your software and personal data just as you would on your own PC. And when you unplug the device, none of your personal data is left behind."

If one has physical access to a Windows machine, and one can read removeable media on that machine, then one can run whatever sowftware one pleases, regardless of what the Windows administrator has tried to restrict.

In contrast, most non-Windows architectures will allow administrators to make a provision so that executables may not be run from removeable media.

Edited 2006-11-02 00:51

Reply Parent Score: 1

RE[5]: Group Policies
by hal2k1 on Thu 2nd Nov 2006 01:03 in reply to "RE[4]: Group Policies"
hal2k1 Member since:
2005-11-11

//In a managed environment, you can set group policies to prevent the user from changing the proxy settings in IE. Also you can prevent them from installing software other than what you provide them with (through SMS or ZenWorks for example). //

You can prevent users from installing software on a windows system, but you cannot prevent users from running software on a Windows system unless you make it so that the system cannot read removeable media.

I think what you intended to do with your "group policies" is stop your users from running some applications. Sorry, but you can't do that on a Windows system. Windows doesn't have that capability.

Reply Parent Score: 1

RE[6]: Group Policies
by Ventajou on Thu 2nd Nov 2006 01:03 in reply to "RE[4]: Group Policies"
Ventajou Member since:
2006-10-31

I agree with you.

My point though was that adding GP support to FF would help speed its adoption in larger organisations where administrators want to be able to easily manage settings on hundreds of systems.

The example I provided was just that, an example.

I definitely do not consider GP as the main tool to keep an environment secure. But it can help prevent users from, whether intentionally or not, messing up a system. There will always be a way to go around security measures, but it's not a reason to make it easier.

In addition, you sometimes have to face financial and/or political reasons as to why you can't simply have a better firewall. Or it could be that the guy in charge of it is just a moron and doesn't get what you're trying to explain. And so you have to do what you can at your level.

Reply Parent Score: 1

RE[7]: Group Policies
by hal2k1 on Thu 2nd Nov 2006 01:17 in reply to "RE[6]: Group Policies"
hal2k1 Member since:
2005-11-11

//I definitely do not consider GP as the main tool to keep an environment secure. But it can help prevent users from, whether intentionally or not, messing up a system. There will always be a way to go around security measures, but it's not a reason to make it easier.

In addition, you sometimes have to face financial and/or political reasons as to why you can't simply have a better firewall. Or it could be that the guy in charge of it is just a moron and doesn't get what you're trying to explain. And so you have to do what you can at your level.//

The point is that "group policies" are useless for the purpose to which you are trying to put them. On Windows systems, people are able to run whatever they want to.

The only way to do what you are trying to do is to have a better firewall. Make it so that the ONLY way any machine on your network can get connected to the Internet is through your firewall. Once you have done that, then setting proxies on client machines won't do anything.

Your reason for preferring IE over Firefox is not a valid reason at all.

Reply Parent Score: 1