I've privately and publicly lamented Microsoft's bizarre business decision in the mid-1990s to integrate Microsoft Internet Explorer (IE) deeply into Windows. Starting with various OEM versions of Windows 95, IE went from a simple bundled application that could be cleanly removed from the OS to an integral system component. In Win98--and the associated Shell Update Release (SUR) for Windows NT 4.0 and IE 4.0 with Shell Integration for Win95--IE was elevated to become the Windows shell, the GUI responsible for interacting with the user.
Before IE's integration, Windows Explorer was simply a more powerful version of the Program Manager shell from Windows 3.x, with extensible COM-based interfaces that made the environment more powerful and attractive to third-party developers. However, with the IE shell integration, Microsoft was seeking to meld the UI for the Web--a single-click, hyperlink-based paradigm--with the UI for PCs--a double-click, icons-and-windows system that typically dealt with only local and networked files and locations. Microsoft is still working on this integration: In Longhorn, supposedly, IE won't even be a separate application from the end user's perspective; instead, the differences between local and remote resources will be blurred even further.
You can make the argument that melding the UI for local (hard disk-based) and remote (Web-based) resources is reasonable. After all, why should users need to learn two separate sets of UI paradigms? If the Web interface is so easy to use and universal, why shouldn't the company apply it to local file browsing as well? Indeed, these were the questions Microsoft asked as it developed Win98 and IE 4.0. And though the company tried to make the one-click, Web-style UI the default in those products, users recoiled and demanded that the old style be returned as the default. So by the time Win98 shipped with IE firmly ensconced as its UI, Windows Explorer still acted like the old Windows Explorer, despite the technology that drove it. But as a side benefit, the shell was now buggier and less secure.
My problems with Microsoft integrating IE into Windows at the time could be summed up by one word: immaturity. Here was a product, barely a few years old and developed largely by fresh-faced recent college graduates, that was being thrust into one of the most mission-critical situations in IT: It would replace the core Windows UI. And IE's immaturity showed, as the previously rock-solid NT began succumbing to a mind-numbing number of shell-based reliability problems. Microsoft worked furiously to fix these problems over the years, and in NT-based products such as Windows 2000 Server and Windows XP, the IE shell is indeed a lot more resilient and reliable. But NT's previously impressive reliability record was forever tarnished.
Alarmingly, it also seems that Microsoft integrated IE with Windows solely to stave off competition from Netscape, which threatened Microsoft's Windows monopoly by providing a browser-based platform that could potentially render Windows obsolete. Because Microsoft made browsing part of Windows, Netscape had to compete with a dominant OS, rather than an immature browser product, and Microsoft could bring its massive industry strength against the smaller company more effectively. Yes, Netscape, like the Soviet Union, would have fallen apart on its own, eventually. But Microsoft helped it along, and today, we're stuck with the results of that decision.
IE is also the source of numerous security exploits. An integrated IE means that your Web browser--most people's portal to the outside world--can be the conduit through which viruses, worms, and other Trojan attacks could be launched against your PCs. And IE has definitely been that conduit, with Microsoft releasing dozens of IE-based security patches over just the past few years alone. One of the major "features" of XP Service Pack 2 (SP2), now due in early August, is a set of IE security fixes, including pop-up ad blocking, plug-in management, and low-level security zone changes that minimize the effects of dangerous ActiveX controls.
What's astonishing about this situation is that Microsoft could reverse all the bad effects of IE simply by removing it from Windows, a tactic it has refused to follow. Instead, under court order, Microsoft provided a way to hide IE so that users could choose to use a different Web browser without being bothered by the presence of IE on their systems. Like the overall US antitrust settlement that brought about this requirement, however, hiding IE is a nonanswer to a serious question. Because IE is still installed on your system when hidden, users are still in danger of attacks exploiting IE bugs. And because IE still pops up, unannounced and unwanted, for various tasks (e.g., system updates through Windows Update), it's still an attack vector, even for those people who explicitly chose to get rid of it.
Now, I've received a bit of feedback from people suggesting that my anti-IE stance is a "Chicken Little" response to a more general problem--that removing IE isn't going to solve anything. I've also seen some interesting discussions about the IE "monoculture" that suggest that IE is attacked only because, with about 95 percent of the market, it's an obvious target for hackers. A more balanced market, some believe, with two to three major players, each with nearly identical market share, would be safer for users.
Perhaps. I agree that IE is attacked, in large part, because that's where the victims are. But IE is also a stereotypical Microsoft product that the company cobbled together quickly, then spent the next several years patching repeatedly until the result was a patchwork of poorly designed code that might never be truly secure. In other words, like the Netscape example, IE would have folded under its own weight eventually, but clearly its market dominance attracted hackers to it much more quickly.
What bothers me about all this is that no clear advice emerges. Personally, I feel that you should avoid IE at all costs and design Web sites, intranets, and extranets to be platform agnostic and work equally well with all browsers. Switching to a new browser won't be a cure-all--in the past week, new vulnerabilities in both Mozilla Firefox and Opera Software's Opera highlighted this fact. But it's unlikely that a little-used browser such as Mozilla Firefox will incur the number of vulnerabilities that IE faces each year. For so many reasons, I think it's time for enterprises and businesses of all sizes to start seriously considering switching to a new browser. IE is just too unreliable and too dangerous to ignore anymore.