Q&A: Microsoft's Nash Explains IE 8's Enterprise Advantages

Microsoft has reached the Release Candidate 1 stage with Internet Explorer 8, which suggests that the company's newest Web browser will get released to the Web as a final product fairly soon.

On Friday, Redmond magazine spoke with Mike Nash, Microsoft's corporate vice president for Windows product management, about the status of IE 8 RC1. This article is an edited version of that interview. Nash contended that IE 8 has been specifically designed with an eye toward meeting the needs of IT professionals in enterprise environments. Nash spelled out a number of technologies in IE 8 that will help IT pros manage their environment, while also providing updated browser features for end users. Some key user experience improvements include "accelerators," which are pop-up lists of common tasks associated with an object, as well as "Web slices," which let users keep track of when their favorite Web sites get updated.

IT pros have the ability to manage IE 8 through the use of group policies; Microsoft has developed several templates to make things easier in that regard. In addition, a tool called the IE 8 Administration Kit (IEAK) facilitates browser customization as packages, which can aid overall browser management. A new slipstream capability that works with Windows and IE 8 creates images faster, speeding up browser distribution.

Finally, Microsoft included a number of security technologies in IE 8. The SmartScreen Filter helps warn users when they are about to visit a malicious Web site. A cross-site scripting filter helps avoid the theft of personally identifiable information from the user's browser. Clickjacking protection can be used to stop embedding pages within a site, which can be a security problem. A data execution protection feature in IE 8 can help stave off code injection using data buffers. IE 8 also includes two kinds of ActiveX protections for end users.

Redmond: What sorts of changes are being made in IE 8 now at the RC1 stage?
Nash: We'll fix bugs and we'll refine features but we're not going to change the feature set late in the process. Our dream is that it becomes more appropriate to treat our beta like a release candidate, and our release candidate more like a final.

Right now, we have a release candidate out there and are working hard toward final code. One of the things we want to make sure is happening for enterprises using either Windows XP or Windows Vista [is] to be evaluating and getting ready to deploy Internet Explorer 8 against the key things that they're using [their] browsers for in their environment. And, if you're evaluating Windows 7, make sure you're testing IE 8 in that context.

What are the main concerns of IT pros that the IE 8 team has considered?
There are three things in the IT space that you always hear about. One, support the business. Two, do more with less. And three, provide support for service level agreements.

The goal of the enterprise is to be able to balance each of those business end users and the mission of those enterprise IT people. And what I think about [is] what we've invested in relative to those missions with Internet Explorer 8. I think about it in the context of things we've been doing to help improve the manageability and control over the network with IE 8. I think about the tools we've wanted -- to make sure we can deliver more deployability with IE 8. And the third area is really about reliability and security. The enhancement through our approach in those areas [is] to address the needs of the IT person while still providing the flexibility the end users depend on.

What does IE 8 have that specifically helps the IT pro?
The first thing is to make sure that we have a high manageability of the browser. In particular, [we want to make] sure that we have group policies as a way for the IT administrator to decide how the browser is going to be configured -- what am I allowed to do [and] what I am not allowed to do -- because people are spending much more time in the browser running applications on the Internet and on the intranet. So, making sure that we can have a high level of control [is a priority].

Now remember, IE 7 is already the most manageable and deployable browser out there. But the goal here is to use even more [of what is] invested in this space with IE 8. So, for example, we can now support a hundred more group policy settings for browser deployment, configuration and customization. So for example, IT can specify the browser default rendering mode -- is it compatibility mode by default or is it standards mode by default? IT can configure which "accelerators" and search providers are going to have control. IT can control the behavior of the SmartScreen Filter, which I'll talk about in a few minutes. Now, we already had about 1,200 group policies before. Now, with a hundred more, we've got about 1,300. So really, it's about making sure we're just continuing to invest against our commitment of making the product more manageable for the enterprise.

The group policy work is part of the product by default. You have the ability to use the group policy management tools to control these things. There's a pretty healthy ecosystem of group policy templates out there, as well. I should mention that in RC1, there's pretty good group policy that we have, like the ability to control connection limits, the ability to control in-private browsing, the ability to decide how compatibility is going to work. These are all key things to help the IT administrator both address things for the end user, but also to make sure that they are spending less money doing it, and they're having a more dependable experience.

As I think about the work we're doing about deployment, one of the key things here is the continuing investment in what's called the IE 8 Administration Kit. And that's to provide the ability for both ISPs [and] also enterprises to configure the browser that they want to have deployed. So, for example, if I'm an ISP -- more so outside the U.S. than inside the U.S. -- I go to my ISP and I get a browser. And that browser is configured to both help me as an end user to have a better user experience with my ISP, but at the same time it's also configured to help make sure that I can deliver features that differentiate my Web site from other Web sites.

In the enterprise, it gives me the ability to control what accelerators are preinstalled, what "Web slices" I want to have preinstalled, and the language that is being used. As an IT pro, I may want to have multiple configurations of the browser. I may want to have one for the marketing department, with accelerators that are appropriate for the marketing guys. And a different configuration for the finance department with things that are appropriate for finance department. IE 8 lets me do that, and that -- combined with a new capability that we have between Windows and Internet Explorer called slipstream installation -- makes it very easy to configure and deploy IE 8 in a customization that's part of a system image being deployed on desktops. Just to give you a taste of that, if I wanted to build a custom image using Windows XP and IE 7 today, that can take two or three hours to configure that image. With Windows Vista and slipstreaming IE 8, I can do that in about 15 minutes, so it's a pretty major change from the past.

There's a suggestion that Windows 7, the latest build, will be able to detach IE 8 from the operating system. Is this something you can talk about?
I saw the same sort of thing [on the Internet]. Allegedly, an internal build [of Windows 7] was leaked. I really can't talk much about that. [Editor's note: Microsoft has confirmed this capability since the interview.]

What can you tell us about when IE 8 will be available?
I can't say much, except that we've released a release candidate now and are working hard to get it [IE 8] done. We have an opportunity to talk about the feature set now and a call to action now, which is really about making sure that if you're an enthusiast, the sites you go to are working great, so we know about it. Enthusiasts help the rest of the population. If you're an IT person, make sure your Internet applications are running now so that when we do go final, you're ready to go.

When we go from release candidate to final, I think the big news is going to be, "Wow, the testing work didn't make a bunch of changes," and they really didn't. I can tell you that now and you can believe it when you see it.

A Web site suggests that March 16 is the release-to-manufacturing date for IE 8. Is that so?
I can't really...I love the Internet, but I can't comment on rumor or speculation.

I know that Microsoft found that JavaScript rendering was a small part of the user experience, but was that worked on in IE 8? And what does it take to speed up JavaScript rendering in a browser?
For most Web sites, JavaScript is about 20 percent or less of the code path on the Web site. So the benchmarks you are seeing comparing one browser's performance on JavaScript to another -- it's not clear that it's the most relevant benchmark. What really matters is how fast the Web pages get rendered.

We actually did a test looking at the top 25 Web sites, based on comScore traffic. We looked to see how those things performed on Internet Explorer versus Chrome shipping version, versus Firefox shipping version. We found that of those 25 sites, Internet Explorer was faster than the competition in 12 out of 25. And then, on the rest of those sites, no other browser passed with the winner [as much as] Internet Explorer. And where Internet Explorer was not the fastest, we had to slow down the playback of the video capture to see the difference. So, in general, you're not going to see a difference with the naked eye. It's less about how fast does the page come up and more about how quickly I can complete the task.

A lot of what people do on their Web browser is cut and paste...The thing about accelerators is it reduces that amount of time I spend cutting and pasting, because I can take any text from a Web page and use it as an object for how I interact with other Web sites...Overall, we think that in terms of helping people get more productive, both as end users and at home, but also in the business space, the combination of accelerators, Web slices and "visual search" will trump any performance issues we'll see. It's not inexpensive, because in areas where we've had performance challenges in IE 7, we've done a lot of work in IE 8 to improve those, and now we've kind of upped the game to talk about a whole new aspect of my browsing experience.

What about security in IE 8?
There are really two things you've been hearing about. The first thing is reliability with security. From a reliability perspective, the thing we all have to remember is that in some sense, the browser is the place where a Web page executes. And when those Web pages have issues, in the past the execution place was discredited. So a lot of work was done to reduce the ability for a Web page to bring a browser down. But we also changed the architecture such that when the Web site does impact the browser, rather than bringing the whole browser down, it's isolated to just the tab where the page was running. So [with IE 8], you'll see the likelihood of this happening in the first place [will be] much lower, and where it does happen, it brings just that tab down, not the other tabs or other instances of the browser. And what's kind of cool is that when we automatically bring that tab back, we bring it back with as much context of where it was when it crashed as possible...That's a pretty big change from the past, and also a pretty big difference from the competition.

The second thing we've done is added something called the SmartScreen Filter. This is really based on a lot of the reputation charts we've built with the Microsoft Phishing Filter. We've all done a search for a word like "anti-spyware," and you're taken to a Web site that you think is a place where you can get an anti-spyware tool. Ironically, what people are doing is taking advantage of people in trouble and tricking them into loading more spyware. So we know what these sites are from our anti-phishing tool. We can actually use these to help use the browser to inform the end user that a Web site they might be going to is bad...Even with the beta testing of IE 8, we're actually having a real impact in stopping what otherwise would have been a real attack vector for deploying malicious code on unsuspecting consumers' [browsers].

Another security feature is a cross-site scripting filter. We've all talked about cross-site scripting as kind of an emerging threat, where you take script code from one page into another page. And this has been more and more of a threat in the way that personal information has been stolen -- cookie stealing [and] other forms of identity theft. You think you're on your basic Web page but in fact you're on a different page. [The cross-site scripting filter] is a way for us to stop those kinds of attacks. As part of that, remember, there's no one silver bullet with security. It's a number of different techniques which together add up to be in-depth. With this approach, we have a new feature called clickjack prevention where I can actually tag my Web page to say I should never be embedded in another Web page.

There's also data execution protection in IE 8. There's a form of attack where people inject code into a data buffer, an unchecked data buffer, and pass the data buffer with a piece of code that basically executes that code that was injected because of an unchecked buffer. In Windows XP Service Pack 2, we began shipping the OS with data execution protection. So, both in software and hardware, we can make sure that the information stored in the data segment can never be executed as code. We weren't able to do this fully with [earlier] Internet Explorer [versions] because there were some cases where there were older coding practices, where people were actually doing what's called just-in-time coding generation -- where they are actually stuffing code into the data segment. It's known to be a bad practice. Now that it's more or less gone away, with IE 8 we can turn on data execution prevention by default.

Another security feature in IE 8 is "per-site ActiveX control." We all know that ActiveX controls are very powerful way of programming Web sites. We also know that the ActiveX control for one site can be used in ways that they weren't intended on another site. So, now with IE 8, we can actually have a Web page ActiveX control that is only supposed to be used with a particular domain.

We also have something called "per-user ActiveX control," which allows an ActiveX control, while installed, only to be used by Mike Nash and not by other users on a PC...We get to maintain the good part of ActiveX controls while minimizing any risks that might be associated with them.

What do you want people to know about IE 8 RC1 at this point?
The key thing that we are really focusing on now is to remind that we are treating our betas like release candidates, and our release candidates like final. Now is the time for IT to be evaluating IE 8, to be making your applications work well with IE 8...If you're a customer using XP, no problem being on IE 8. If you're a customer using Windows Vista, no problem being on IE 8. And if you're customer evaluating Windows 7, you should absolutely be evaluating IE 8, as well.