IE7 Separated from Windows Explorer

An anonymous reader writes "Security experts warned Microsoft 10 years ago that putting IE as a component of Windows Explorer was a bad idea, looks like Microsoft finally decided to listen to the advice. According to a short write up in Business Week, Microsoft has decided that when IE7 comes out with Vista it will no longer be a component of Windows Explorer and will be able to replace IE6 even on XP machines."

Replace IE6 on XP machines?

Surely they mean outwordly replace IE 6 like Firefox etc do, whilst keeping IE 6 tied into the XP system?

I wonder what would happen if you decided to remove IE 7 after installing it. Or will they "upgrade" it like they do with DirectX and Media Player (ie one way upgrades only, essentially no rolling back).

They are talking about Click to activate ActiveX controls as being a security benefit thats been added for the user - I thought it was because of losing the patent dispute?

ps, the guy talking sounds like Farnsworth, its worth listening just for that!

Re:Replace IE6 on XP machines?

They are talking about Click to activate ActiveX controls as being a security benefit thats been added for the user - I thought it was because of losing the patent dispute?

Companies do this stupid stuff all the time. It's called "Spin".

Banks were marketting the instant scan of checks to customers as a security feature. "See your checks online right away, to be able to spot fraud easier!" In truth? With the instant scans of the checks, "check float" has been removed, and a big issue that banks had with some illegal behavior that most people thought were ok, is gone.

Heck, sometimes it comes to down right lies. I worked for a certain ISP signing people up for service, and if we were having computer problems, like a crash or something, we were told to tell customers that we were "upgrading" our system to provide "better customer service in the future". Which of course is a lie, because the network just sucked and was slow as crap, and the computer would crash and reboot all the time.

I don't believe any "feature" anymore as of Java, which marketed things like "architecture neutral", when I realized, it wasn't "architecture neutral" it was just designed to be an easily emulated architecture.

Re:Replace IE6 on XP machines?

With the instant scans of the checks, "check float" has been removed, and a big issue that banks had with some illegal behavior that most people thought were ok, is gone.

Check floating is not illegal. It's simply an artifact of the way banks work. You're probably thinking of check kiting [wikipedia.org], which is an illegal scheme that takes advantage of the float periods.

Re:Replace IE6 on XP machines?

Post-dating cheques is (from what I understand) either illegal or just not useful in the US - due to exactly what we're talking about here. Your money must be present in the account when you write the cheque (barring overdraft protection, etc).

In Canada, post-dating cheques is very legal, and very common. The provincial insurance companies accept post-dated cheques for payments due in the future, so it's certainly legal at that level.

I ran into this years and years ago when I first computerized the books for a small business - the vendor didn't provide any functionality for tracking post-dated cheques (they were a US vendor, and we were their first Canadian customer). When we called to request this feature, their response was "but post-dating cheques is illegal!". Pretty funny at the time. It took them over a year to get this functionality working right, incidentally.

Oh, and the banks here WILL honour post-dates. If I cash a cheque earlier than the day it is dated for, it usually gets caught. If it goes through by accident, it will be reversed (not as an NSF) and it's up to me to collect the money from the cheque writer.

Re:Replace IE6 on XP machines?

Well, you can make multiple IE installs now by unpacking the installation cab files into a directory and putting a file called something like "IEXPLORE.exe.local" (I think that's it) into the directory. Unfortunately, it won't show the proper version in the About box, but if you load a page that renders differently in the two versions you can see that it is in fact using the older renderer. This is what I do to do testing between IE5.5 and IE6 on WinXP now. Maybe this new version will install alongside IE6?

Welcome news

I had heard initially that IE7 wasn't going to be available for Windows 2000, and assumed that meant it wasn't going to be for XP either. If it works on XP, what would stop it from running on 2000 other than a Microsoft desire to cripple it so that people have one more reason they must leave 2000 which still works fine for most tasks [as long as it's well patched]?

Re:Welcome news

Windows 2000 is no longer in the windows labelled "mainstream support" so the less they have to deal with it the better for their support teams. On IEBlog [msdn.com], they also cite specifically why it can work for WinXP and not Win2K. It's because of the security upgrades done to XP in service pack 2 which they claim are not easily back-ported into 2K.

Lied to the EU?

Didn't Microsoft engineers claim, in court, to the EU that they couldn't remove Internet Explorer from the Operating System without breaking it?

Interesting seeing as Microsoft are now suddenly able to seperate the two (in reference to Windows XP, not Windows Vista).

Re:Lied to the EU?

That did not apply to windows xp but to windows 95 and me.

Maybe it could be done but this is the reason it will only be done for xp. On the other hand, having seen some of microsofts products it doesnt suprise me that a web browser which executes remote code (activex) is part of the os.

Re:Lied to the EU?

It's only a lie if an IE-less Vista isn't broken.

Re:Lied to the EU?

We're talking about Windows and IE here. Define "broken".

Re:Lied to the EU?

Technically they were correct. Think of it as if BMW rerouted the ignition circiut to make sure it passed through the car stereo. Technically, removing the stereo could render the car useless. Its a stupid design decision unless you're trying to monopolize the market in car stereos.

Re:Lied to the EU?

You can't completely remove IE without breaking things. A lot of third party programs use IE to display html, or use HTML Help (.chm) files. Without IE, Windows would have trouble running many of the programs Wine has trouble with (unless IE is installed).

Sad

Another divorce. Why can't Americans just stay together for the kids?

Re:Sad

Why can't Americans just stay together for the kids?

Because this marriage produces a kid every other day that has three eyes or extra limbs??

On XP

This is great news! However, will IE7 on a Win XP box simply be an add-on (a la Firefox) while maintaining the status quo for Windows Explorer and IE being linked?

Okay, but...

Will Windows Explorer still be able to function as a web browser once IE7 has been installed separately on XP?

I imagine a lot of users are quite used to typing webaddress.com into Windows Explorer, now. I suppose that should respond by launching the user's default browser with the command line argument webaddress.com, but is that what it will do, or will WinExplore still function as a browser?

Finally!

Next thing you'll know, maybe they'll realize that running executables out of the browser is a bad idea, and that an arbitrary execution flaw on CD insertion is NOT a feature.

WOW!

Is Microsoft actually going to add some stability to Windows? The whole ie==explorer thing has been a security and stability plague since it was introduced.

Great! Now to get Konqueror!

I'm sure I'm about to burn karma with this... but in KDE, Konqueror acts as both web browser and file manager. At least it's entirely userspace, but does anyone know how closely the file managing and web browsing aspects of Konqueror are tied?

Re:Great! Now to get Konqueror!

You are correct in noting that Konq is entirely userspace, which is why they can make it browse whatever they want it to. If you don't like it, you can use Nautilus or firefox or midnight commander or any number of other things. This is only a big deal for IE/Explorer because it is tied to the OS, and because it is really your only choice for many things.

As for how tightly tied konqueror is to itself, that's pretty much moot. Much of Konqueror's capabilities are provided by kioslaves, which are another layer entirely, and could theoretically be used by other apps. *Shrug*

Re:Great! Now to get Konqueror!

The problem with MS's version was that the whole freaking system crashed if IE crashed.

This isn't entirely correct. EXPLORER.EXE, which is tied in with IE and is largely responsible for the GUI, can be crashed by IE. This mucks up the GUI to the point where the system is apparently hung. However, the NTOSKRNL.EXE almost never gets faulted by these kinds of crashes and, in reality, continues to run even though the interface is completely hosed. This is analogous to crashing XWindows in Unix in the sense that X can be completely hung but system processes underneath it continue to function normally. The difference is that a Ctrl-Alt-Bksp will kill X and give you a command prompt, whereas Windows has no such option. There has been talk in the past of Microsoft releasing a command-line version of Windows Server (i.e. the GUI is optional), but AFAIK, that's just been talk with no real action.

Note that crashes that do fully lock up a Windows box are almost always caused by faulty drivers, usually video drivers because these run in kernel space. Linux is just as susceptible to faulty drivers as Windows is. I've had a number of servers up and croak with a KERNEL PANIC because of a faulty RAID driver. Dodgy hardware, poor cooling, overclocking, etc. also locks up boxes but this isn't a Windows-only phenomenon by any means.

IE7 is on the Rebound

Did you hear IE7 Separated from Windows Explorer?

Yes, I also heard she is now dating some new guy Winslow Vista.

meh

Will anyone who isn't currently using MSIE6 use MSIE7 on this news?

Good news

IE was integrated because the same kind of display used to show files and directories could be used to display web content, and it made sense to integrate the same technology in order to save on system resources.

Today, with people having more horsepower in their computer then they know what to do with, same goes for hard drive space, having a tightly integrated web browser / file browser doesn't make sense, and it has been a source of Microsoft's security problems.

Yes, you will still be able to type a web address in the file explorer in Vista and have a web page display . While explorer and internet explorer are no longer integrated, Vista will transparently switch between the applications and maintain the same window view.

I am sure that I.E. components will still be launched at system startup, to give Microsoft and edge over 3rd party browsers for quick browser launching, but by removing the integration with the file explorer, this will definitely be a welcomed change that should offer better security in the long run, which Microsoft desperitely needs.

Back in the Day

I thought that integrating IE with Explorer was a great idea. I talked about it with other techie friends. We all agreed that it would be a "cool thing". Truth be told, it still is a cool thing. I'd love Mozilla to be my official interface to my hard drive as well as the web. Unfortunately, security in such a situation really is tough. In our networked world, there is too much malicious and flawed software/content out there. And so we go backwards feature-wise in order to secure ourselves. Unfortunately this is happening in a lot of places, not just in technology. I'm taking this way beyond the original context, but "The well-being of mankind, its peace and security, are unattainable unless and until its unity is firmly established." We can't truly be secure anywhere until we can trust others. And we can't trust others until we have justice. And we can't have justice until we all recognize at a deep level that all human beings are equal. This recognition of the unity of humanity must acknowledge our diversity. Living in harmony is a goal, not a means. The means is the recognition of the unity of humanity.

So this explains the delay?

Microsoft mentioned it was due to security designs in Vista.

I doubt though that something so integrated into windows explorer can be seperated and reprogrammed into a seperate application within the extra 2 months.

Its alot of work not to mention may break many applications. For example cdroms that use autoplay sometimes display html and javascript in the windows explorer menu in a seperate pane. I suppose you could reprogram windows explorer to just call an IE7.dll to display it.

But Microsoft was found guilty of merging IE into a million libraries so third party apps would not function without IE and infact required it. Even a command prompt program that uses strings requires IE as a result.

Thank god I am not on the windows development team.

So in other words...

So in other words, now that they've won the browser wars at the expense of OS security, they'll unbundle it now.

Damnit

It was so much nicer here in hell before it froze over.

Summary is misleading

and will be able to replace IE6 even on XP machines

You've always been able to upgrade IE on its own. Heck, I remember installing IE4 over IE3 on NT ten years ago. This is hardly a new feature for IE7.

Didn't we...

already hear about this? This is old news. Microsoft is a little Dutch boy sticking his finger in a flood.

I'm Sure That

I'm sure that this isn't the only security warning Microsoft received -- and ignored -- at the time. Will this convince them that they don't know everything while the rest of the world knows nothing yet?

konqueror

So, should Konqueror listen to the advice too?

I could swear I remember

Didn't MS say something to the effect that IE was so tightly bundled into Windows that it would be impossible to remove?

Uninstall

Microsoft has decided that when IE7 comes out with Vista it will no longer be a component of Windows Explorer

Yes! I can finally completely uninstall it from my system!

Actually, I'll just stick to my Mac.

Hilarity!

Now what are the odds that this security-increasing effort manages to introduce some more fairly blatant security holes?

FTP Evidence

I installed IE7 (let me explain) and the FTP functionality in it is just like directory listings like Firefox has. I use IE for ftp just so I have the ease of a Windows Explorer-like interface for FTP. So I can't do that with IE7. But, if I open windows explorer or any folder, I can put an FTP address in that address bar and it works just like IE6 with the explorer interface. Unintentionally, I found out when I installed that it kept it separate. Interesting...

What about windowsupdates

So does that mean that it will be possible to run windowsupdate from within Firefox (or from any other non-native browser)?

Bout Friggin Time

Gee, how long did it take them to figure out what people knew from the beginning? Security and IT professionals have flogged this as a major security risk from day 1.

All I can say is that now that they have done this, I'm beginning to believe that they want to build a decent and secure product for their customers.

it already has

I downloaed the IE7 beta 2 for XP yesterday and you can see that explorer is no longer tied at all to the web browser. Going to slashdot.org in an explorer window starts the default browser now.

Good for web devs?

In theory, if it is decoupled, you could run multiple versions of IE on the same machine to test compatibility. This will save QA departments from having to use virtual machines or seperate machines to test each version of IE. Granted, if IE stuck to standards, you wouldn't have to test in every browser known to man, but at least this is a compromise.

Glad to hear it

Just the other day I went to open an HTML page I'd made in IE7, to check that it rendered properly. After fumbling around for a few minutes wondering where they'd hidden the menu bar (yeah, clever one, Microsoft, give your most-used program a UI that flies in the face of 20 years of convention, and don't tell anybody you need to hit the ALT key to bring it up, that'll go down a treat with Joe User), I selected "open", browsed to the file... ...And IE7 opened the page in Firefox, my default browser!

Clever, eh?

It just doesn't matter, it just doesn't matter...

What really struck me about this is that Microsoft can make a horrible design decision, at least from a security point of view, continue making that mistake for 10 years, and it doesn't dent their market share.

Tomorrow, they could decide to leave IE and Windows Explorer integrated. But it just doesn't matter.

The early reviews I've read on Vista have been lukewarm, but it just doesn't matter. Vista is delayed again, and again, features are pulled out, then it is delayed again, but it just doesn't matter.

No matter what Microsoft does, 90% of the worlds PCs will be running their new OS at work and at home in a few years when their PCs are cycled.

Even those of us that replace Windows with some kind of Linux are still paying for the Windows license. The only way to not pay Microsoft is to go Mac.

Why do I not trust the security fix of this?

Why do I have this nagging feeling that this will fix exactly NOTHING from a security perspective and instead is meant to drag us evermore into MS's tentacles? I honestly can't imagine MS ever doing anything just because it's a good idea. MS first and foremost thinks of what's good for MS. You are a side effect. That is their business model. Mod me down as a hater but prove me wrong first.

Podcasts. Oy vey.

Why the hell can't these folks give a WRITTEN transscript along with the podcasts? Podcasts are just audioblogging, and audioblogs suck [idlewords.com]. Let me read the damn thing, please.

Another story posted by people that don't get it..

Another story posted by people that don't get it...

How many of these stories a day are we now going to get?

IE7 replace IE6? WTF, That has always been possible.

Also Explorer uses the IE 'rendering' dlls, it doesn't use Internet Explorer.

There are so many things wrong with this post and story I don't even know where to start and won't.

If you don't get it, don't post it.

Too bad it won't be out in fall

Too bad it won't be out in fall like the article/Podcast reports.

Just another inconsistency by substandard reporting.

You don't quite understand

IE7 will do a lot of great things for Windows XP, but it won't remove the IE subsystem from the OS. Doing that would require almost a complete rewrite of XP (which is what Vista is moving towards) as everything from the aforementioned file manager to the built-in help file viewer relies on the IE subsystem to render to the screen. What IE7 DOES do for XP is basically implement a lot of the security bonus of using FF, like blocking activeX controls, etc. from automatically running, fixing the stupid BHO (browser helper objects) model, attempt to prevent phising and so on and so forth. The true power of the new approach will be evident when Vista comes out. In Vista, IE7 will now run only in user mode (seperate from the kernel), only allow file access to the temporary internet files folder, and more (which can be found easily by googling for IE7 info). It will truely be a godsend to people who have to deal with the consequences of the stupid way IE is now (read: spyware whore). I've had the beta version of IE7 installed on my XP machine for over a month now and it's actually very nice, of course it is still not as secure as using FF, but it doesn't have the FF memory leak feature, and in terms of functionality it has most of the features you use FF for. It just doesn't have the theme/extension architecture that FF does, which sucks, but will probably change (well the extension part, MS seems to have a penchant for denying user customizable UIs). And yes, you can rollback to IE6 just fine whenever you want.

UI latency

Hmm, good, could decrease 2k/XP UI latency maybe?

Like the -lite series of products.

beta

I am currently running the latest beta release from 20th of March on windows xp and I DO NOT have IE installed at all. Apparently when you install even the beta of IE 7 you are allowed to uninstal IE compleatelly. Now this might only seem to be the case so I am not claming that MS have really removed the IE explorer linking. IE 7 shows up as a windows update just like Media Player and all the security updates. Also since I removed IE from the system components I experienced an IE crash for no apparent reason and some other weird behavior like after the crash the reboot and system load took forever. Since then everything seems to be working fine. Well it is a beta so bugs are expected and I am really not complaining. Just letting you know what my experience has been so far. Also the latest beta seem to be a slightly polished version compared to the previos one but clicking on links that open in new window is sometimes a problem.This is apparently not the final verion of IE 7 and some of the features are likelly still missing so if you decide to use it keep that in mind. It is a step in the right direction though and will give Firefox some very stiff competition as the quality of the software seems to be somewhat better.

Wow.

Didn't they just tie Windows explorer and Internet Explorer together so they'd win that antitrust battle?

Good news

It's about time. This should help with security, I would think. I wonder if they'll be able to keep the functionality the same across the board... whats going to happen when you type C:\Windows into IE - or www.google.com into Explorer? eh n/m I'm sure they thought of that...

Seperated?

Internet Explorer is made up of lots of DLL's almost all of which will stay in windows:
* mshtml.dll -- Handles all the HTML rendering, is needed by lots of shell components
* jscript.dll -- The Javascript engine -- like vbscript is part of Windows Script Hosting
* wininet.dll -- The API that handles the communications on the Internet -- gotta stay!
* urlmon.dll -- Implements the IMoniker interface to retrieve things via the Internet -- stays.
* shdocvw.dll -- Implements the shell (what's inside explorer.exe) and also IE (what's inside of iexplore.exe) this they might actually seperate. But I doubt it, or even if they do there will be a shared library or lots of cross calls.

Anyway...

"IE cannot be separated from Windows"

AFAICR Microshaft told the justice dept they couldn't separate the OS from the browser when they were pretty close to getting their ass split. Now all of a sudden this seems to be possible.

IE7 Beta 2

You can remove IE7 Beta 2 from Windows XP via Add/Remove programs with no ill affects. The IE7 installer caches the installation files automatically so that this is possible. Kind of like being able to remove SP1 (no way to remove SP2 without a format or reinstall of WinXP, no matter what Microsoft claims, try it and watch Windows get hosed). I installed and uninstalled it last night, before installing it again, just to try this theory out.

Great news

Although I think it is a good move for increasing security in IE7 from Microsoft and deserves kudos, I also believe it's great news for FireFox and Opera.

Microsoft will no longer be able to claim that the browser is inseperable from the system, so anti trust laws can be used to force MS to supply Windows without IE, or with FireFox and Opera.

SharePoint ??

how will this work for "Explorer" view in SharePoint world, according to which they sold 73 million licenses already?

Tabbed Windows Explorer??

Is there any chance of getting nice tabs in Windows Explorer? I love the tabs in firefox, and I would love to have them in Windows Explorer as well. Does anyone know if this will happen?

IE7 Separated from Windows Explorer?

Now if they could just separate Windows from most machines sold in the U.S.

IE7 standalone?

Great!!!
I'll still use Firefox.
=P

Think about it this way

The difference between tightly-integrated and flexible, modular construction is probably best illustrated by an analogy from another domain.

If you want a hi-fi system, there are two approaches you can take. Either you buy a ready-built system in a box; with a radio receiver, turntable, CD player, cassette decks and amplifier all in one package. You just connect the supplied loudspeakers, plug it into the mains and you're ready to listen. Or you can go for separate components: a radio receiver, turntable, CD player, cassette deck, amplifier and speakers, each in its own box requiring its own power supply and audio signal connections.

Now, with the all-in-one option, you're fine as long as it all keeps working perfectly. But then if, say, the cassette deck packs up and you have to take the thing in to be repaired, you lose the use of the entire system. With the separates, you can take any component {except the speakers or amplifier, obviously} in for repair and still have the use of the rest of the system.

There's no reason in principle why modular systems should be any more difficult to set up and use {especially since audio and mains connectors are standardised nowadays}; but "one box solution" vendors like to tout as an advantage the concept that you, the paying customer, might be too stupid to follow a set of simple instructions. It's also quite reasonable to assume that any piece of mechanical or electronic equipment will break down sooner or later.

Isn't it already separate in XP?

I tested an install and then a subsequent uninstall of IE7. Strangely that broke my IE6 install. All my links are caught by Firefox. Even if I type the url in the IE6 address bar a new firefox window opens up to take that link.

Inspite of this Windows Explorer's working fine. Am I missing something?

No local folder browsing in IE 7

Not only do URLs not open in explorer.exe windows, IE 7 won't browse local folders in its own window. I used to run instances of IE 6 as an administrator for this reason, so I could easily access local programs, files and folders with administrative privileges (and yes, I was careful to avoid accessing anything on the Internet other than Windows Update when using IE 6 in this manner).

This new behavior is probably for the best.

Re:OMG!

Uh, no. The Mac people were right! :P

Re:Why not just buy a mac-mini?

Cheapest Mini I see is $600 without a monitor.

You can buy/build a much more powerful PC for $600, install a Linux distro of your choice, and run Firefox.

for that matter, why not just install Firefox?

Re:Is ActiveX gone too?

I think so -

http://www.microsoft.com/windows/ie/ie7/featuretab le.mspx [microsoft.com]

Disables nearly all pre-installed ActiveX controls to prevent potentially vulnerable controls from being exposed to attack. You can easily enable or disable ActiveX controls as needed through the Information Bar and the Add-on Manager.

From here
http://forum.pcstats.com/showthread.php?t=35534 [pcstats.com]

The beta of Internet Explorer 7 is neat to play with but it has one quirky feature where it does not allow users to install unsigned Active X controls. Unfortunately since it's still beta, virtually all Active X addons (like Shockwave, Flash) are unsigned which means they cannot be installed by default. Trying to do so causes IE 7 to spit out an error message.
Not all is lost however, if you load up the Internet Options (Tools -> Internet Options...), click the "Security" tab and in Internet security settings click the Custom Level... utton. In the "ActiveX Controls and plugins" section, find the "Download unsigned ActiveX Controls" option and change it from "Disable" to "Prompt". After that's done click the OK button and you're set!

He he, "one quirky feature". Way to miss the point. Note that you can disable Download Signed ActiveX controls too, or make at least make it prompt you.

There's a best practices document here
http://msdn.microsoft.com/library/default.asp?url= /library/en-us/IETechCol/cols/dnexpie/activex_secu rity.asp?frame=true [microsoft.com]

I think the basic problem is that they still want to avoid breaking websites that rely on ActiveX as much as possible. You can see lots of stuff in that document which means that some ActiveX controls will still automatically on a webpage. If anyone develops and exploit for them and you run it on XP as an admin, you have a problem. Of course, if the user knows what they are doing they can make it secure, but the default setting is more geared to compatibility than security.

Re:That explains it..

I'm running the IE7 beta, and yeah... if you type in a URL in Windows Explorer, it now launches a separate IE7 window (instead of just opening the URL inline).

I actually prefer the old behaviour, but whatever.

KDE is one thing, but for GNOME...

The web components built into GNOME are only good for rendering simple HTML and XML and do not have any active scripting features/plugins etc. Think of it more as a preview for web documents, like image thumbnailing.

Re:That explains it..

Weird, doesn't do it for me. I get the page in the explorer window. Perhaps you've enabled the "launch each folder window as a separate process" thingy?

Re:That explains it..

Check Program Access and Defaults(under Add/Remove software I believe) in Win2k/XP and you'll easily be able to set IE back to being your default. AFAIK, Firefox does EXACTLY what MS recommends as best practice for setting itself as your default browser. FYI, file associations have NOTHING to do with Program Access and Defaults.

In addition, I just verified in IE 5.5 and 6.0 that there's a checkbox under 'Tools\Internet Options\Programs' that will tell IE to check at startup whether or not it's the default and prompt you for the appropriate actions.

HTH

Re:That explains it..

Now try opening a URL from a WORD or EXCEL doc. Or try any launcher program developed by a lazy programmer who doesn't want to check for other browsers(ie. City of Heroes). Gee, it's amazing how easy it is to blow a hole in your theory.

Re:Why not just buy a mac-mini?

I'd choose Camino over Safari. The interface is a bit worse, but it's more stable.

Re:IE7

Windows can operate just fine without mshtml.dll and the activex ie component guids.