Questions[internet-explorer](server)

I want to secure our centrally managed computers better and it is very difficult to automatically deploy the java runtime, but how to do that is another question.

I find the security of Java catastrophic, even if it is fully patched: It looks like if the user says yes to the innocent question "Do you trust this certificate", java can do whatever it wants. Java webstart also seems to be an universal entry point for malware authors.

In general, I don't care for my users playing browser games, etc. Java applets seem to be extinct anyway.

But there is one page left (Ingramm Micro shopping system) which relies on Java.

Does anybody know an easy way to configure IE or java via group policy to only ever allow java plugins on certain preconfigured sites?

Thanks!

We have an Apache Subversion server that we store (amongst other things) all of our documentation on. We have a lot of Word, Excel, PDF etc. documents in svn, and all of our users use TortoiseSVN as their client interface. A lot of those users will also browse the repo through a web browser, which (unfortunately) is often Internet Explorer.

Recently we started trialling Office 2010 (coming from 2003) and found that documents from the repo are opened differently when browsing with IE. Rather than IE downloading the file and then sending it to the appropriate app (after which it should just be a temporary copy stored locally), it sends the URL for the document to the app. The doc is downloaded by the app and then treated it as if it came from a Sharepoint server, i.e. the app tries to lock it and then upload any saved changes back to the server automatically.

From Googling, it appears that many people want this behaviour. However, we want to disable it - it doesn't fit with our existing processes. How can I go about doing this?

I don't have a lot of control over client machines, so solutions that involve disabling all Office document collaboration features like this for each client are not what I'm looking for. Besides, I couldn't find much that I could do other than disable the Office Document Cache Handler add-on in IE. The only client-side options that may be feasible are those that specifically disable this feature for our named server but leave it on for others.

So that leaves server-side solutions. I'm guessing that Office sees that the svn server has WebDAV support and therefore moves into a Sharepoint-like document management workflow. Is there any way to stop this kind of integration without disabling all WebDAV support on the server (assuming we could even do that)? We actually use svn's autoversioning a bit for other purposes so it's a required feature. I've found discussion of disabling the feature if it's actually a Sharepoint server, but it's not! My understanding of how this kind of thing works (i.e. Office client identifying WebDAV support on the server) is pretty limited, so please explain further if you can.

In case it matters, the server setup is:

Apache v2.2.8 and Subversion v1.4.6 on Ubuntu Hardy 8.04.

I'd love to have the peace of mind of knowing that none of my desktops have toolbars, "browser helpers" or any other crap like that running.

Has anybody done this successfully with Group Policy?

I found this article, but it's not all that clear:

http://support.microsoft.com/kb/883256

If I want to ban all plugins but the Google Toolbar, Flash & Windows Update on XP, there isn't a clear explanation on how to do it. It seems that I would have to know the ClassID of every toolbar I would like to allow.

The article doesn't really go into how an admin would find these ClassIDs. Does Flash have a different ClassID for each version? Does it vary by OS? What about Windows Update on XP boxes - it requires a plugin that would need to be expressly enabled.

It's such a common problem that there should be an easy solution. It would be great if there was just a checkbox list of common plugins, so you could enable Flash for everyone, Google Toolbar for devs, Windows Update for XP, etc.

I never use Internet Explorer on my Windows Servers. Is there any reason I should upgrade Internet Explorer (version 6 or 7 to 7 or 8)?

We've already rolled out Windows XP SP2 (no hope of going to Vista or Windows 7 in the foreseeable future unfortunately) across the enterprise and our latest internal roll-out actually incorporates SP3 as well - but unfortunately IE is explicitly being kept at version 6.

Regardless of the numerous security warnings our there and lack of applicability in the greater world wide web, my manager still sees intranet apps written for IE6 as the main reason to stay on it. What can we do to swing the vote in our favour? We're tired of supporting an ailing browser when users call us up constantly complaining that website don't look right, and more and more people asking for browser tabs "because that's what they've got at home".

Any arguments we can put forward would be great!