To hell with Microsoft's rule against IE virtualization

Microsoft doesn’t support IE6 virtualization, but some IT shops violate their EULAs to run virtual Internet Explorer because the benefits outweigh the risk.

It has come to my attention that I may be breaking the law. I've been using VMware's ThinApp to run Internet Explorer...

6 on Windows 7. Now I'm worried that the Microsoft licensing police might knock on my door and drag me down to the county jail.

Last year, Microsoft sent out a letter explaining to customers its position against using application-virtualization tools for running more than one version of Internet Explorer on a single OS:

Microsoft does not support the use of Microsoft Application Virtualization (App-V) or similar third-party application virtualization products to virtualize IE6 as an "application" enabling multiple versions of Internet Explorer on a single operating system. These unsupported approaches may potentially stop working when customers patch or update the underlying operating system, introducing technical incompatibilities and business continuity issues. In addition, the terms under which Windows and IE6 are licensed do not permit IE6 "application" virtualization. Microsoft supports and licenses IE6 only for use as part of the Windows operating system, not as a standalone application.

I have no problem with the first part of this statement. It's entirely within any vendor's rights to indicate what configurations it will and will not support -- even if such statements ignore customer problems. After all, it's hardly realistic to expect every possible configuration to be supported; not even Microsoft has that level of quality assurance (QA) resources. I do take issue with the final sentence: "Microsoft supports and licenses IE6 only for use as part of the Windows operating system, not as a standalone application."

In some respects, Microsoft is right. IE6 is an intrinsic part of the Windows XP operating system, and it has been since the company tied Internet Explorer to Windows in the 1990s. If you remember, bundling the IE Web browser with Windows got Microsoft in legal hot water with regulatory bodies on both sides of the pond. The company had to prove that removing IE was detrimental to the operating system.

It's that "integration" that makes the abstraction of IE6 tricky. But application virtualization tools from vendors such as VMware and Symantec have cracked that nut and are able to run virtual Internet Explorer, proving that an abstraction is technically possible. Then why did Microsoft make this move? Well, there are a number of reasons.

First, there are indeed security problems bedevilling IE6 that can only be fixed by upgrading it to a new version. So to some extent, Microsoft sent that letter to customers as part of a "CYA" process. By washing its hands of supporting IE6 virtualization, Microsoft is making sure that if something horrible happens to one of your users while using a virtualized version of IE6, it won't be Microsoft's fault. But this position ignores the fact that most application virtualization tools offer ways to control browsing with IE6.

Admins can use application-virtualization software to allow and disallow certain Web functionality to specific apps. So, an administrator can specify that IE6 only functions with an internal portal or Web app that requires it and that all other URLs default to a more modern and secure browser. Of course, not all admins follow security best practices. For that reason, Microsoft probably thinks it is safer not to support the practice at all.

Second, by not supporting IE6 virtualization, Microsoft puts pressure on customers and the wider ecosystem to abandon legacy Web browsers. Given a choice, most customers would love to standardize on a single browser such as IE8. The sad reality is that most large customers simply don’t have this luxury.

For instance, some legacy apps cannot be upgraded to be compatible with a new browser, and when the costs of rewriting those apps are weighed against giving end users access to IE6, it makes the virtualization of IE6 highly attractive.

Microsoft also missed an opportunity in not allowing its own application virtualization offering, App-V, to support IE virtualization. By failing to support and provide QA for it, Microsoft has opened the door to its competitors. The moral of the story: If you fail to support a configuration that's important to your customers, your competitors will find a way to solve your customer’s problems. Microsoft gave its competitors a calling card to its loyal customer base.

So what do I think will happen? The savvy customers who are used to playing hardball with independent software vendors (ISVs) will simply ignore Microsoft’s letter. Early server virtualization adopters faced similar barriers when ISVs simply refused to support server virtualization because it was new, different and something they didn’t have QA resources for.

The irony is that the ISVs that refused to extend support to their paying customers  used server virtualization for their own internal infrastructures. The same goes for licensing policies that prevented end users from moving virtual machines from one physical host to another. Now, live migration is a widely supported and widely used practice.

So, I've got a radical take on the whole issue of restrictions encoded in End-User License Agreements (EULA). If the restrictions aren't enforceable, ignore them. This is precisely what I did with server virtualization, and I will be doing the same with application virtualization.

I recommend to my customers that they look at the security and compatibility issues on an application-by-application basis. Where there are incompatibilities, we will test the Web app against an equally modern Web browser such as Mozilla Firefox or Google Chrome. If those prove to be unreliable or unpredictable, we will allow selective use of IE6, albeit bolted down so it works only with prescribed portals. By doing this, we will be maximizing security but not at the expense of usability.

Read more from Mike Laverick

Mike Laverick (VCP) is an award-winning expert and author who has been involved with the VMware community since 2003. He is a VMware forum moderator and member of the London VMware User Group Steering Committee. Laverick is the owner and author of the virtualization website and blog RTFM Education, where he publishes free guides and utilities aimed at VMware ESX/VirtualCenter users.

Dig Deeper on Application virtualization and streaming



Find more PRO+ content and other member only offers, here.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: