Comment Re:My thoughts. (Score 1) 84
He recommended deploying an alternative browser, not replacing IE altogether. That way when IE has a bad vulnerability you notify everyone to temporarilly use the alternate on external sites, use group policy to disable vulnerable features, or even block it at the firewall depending on the severity. They can keep using IE internally during that time. Then when a patch comes out you deploy it and lift the restrictions. The next week when firefox has a zero-day, you do the same for it, and recommend people use IE for the time being. It is a very sensible way to allow the most productivity possible while staying secure.
If they really need to use Active X on externall websites during a vulnerability, you can whitelist those sites in Group Policy if needed, but honestly I would just consider the downtime a cost of doing business with outdated insecure technology in most cases. Cleaning up a bad worm/virus that spread through the entire campus could be much more expensive.