News Stay informed about the latest enterprise technology news and product updates.

To hell with Microsoft's rule against IE virtualization

Microsoft doesn’t support IE6 virtualization, but some IT shops violate their EULAs to run virtual Internet Explorer because the benefits outweigh the risk.

It has come to my attention that I may be breaking the law. I've been using VMware's ThinApp to run Internet Explorer 6 on Windows 7. Now I'm worried that the Microsoft licensing police might knock on my door and drag me down to the county jail.

Last year, Microsoft sent out a letter explaining to customers its position against using application-virtualization tools for running more than one version of Internet Explorer on a single OS:

Microsoft does not support the use of Microsoft Application Virtualization (App-V) or similar third-party application virtualization products to virtualize IE6 as an "application" enabling multiple versions of Internet Explorer on a single operating system. These unsupported approaches may potentially stop working when customers patch or update the underlying operating system, introducing technical incompatibilities and business continuity issues. In addition, the terms under which Windows and IE6 are licensed do not permit IE6 "application" virtualization. Microsoft supports and licenses IE6 only for use as part of the Windows operating system, not as a standalone application.

I have no problem with the first part of this statement. It's entirely within any vendor's rights to indicate what configurations it will and will not support -- even if such statements ignore customer problems. After all, it's hardly realistic to expect every possible configuration to be supported; not even Microsoft has that level of quality assurance (QA) resources. I do take issue with the final sentence: "Microsoft supports and licenses IE6 only for use as part of the Windows operating system, not as a standalone application."

In some respects, Microsoft is right. IE6 is an intrinsic part of the Windows XP operating system, and it has been since the company tied Internet Explorer to Windows in the 1990s. If you remember, bundling the IE Web browser with Windows got Microsoft in legal hot water with regulatory bodies on both sides of the pond. The company had to prove that removing IE was detrimental to the operating system.

It's that "integration" that makes the abstraction of IE6 tricky. But application virtualization tools from vendors such as VMware and Symantec have cracked that nut and are able to run virtual Internet Explorer, proving that an abstraction is technically possible. Then why did Microsoft make this move? Well, there are a number of reasons.

First, there are indeed security problems bedevilling IE6 that can only be fixed by upgrading it to a new version. So to some extent, Microsoft sent that letter to customers as part of a "CYA" process. By washing its hands of supporting IE6 virtualization, Microsoft is making sure that if something horrible happens to one of your users while using a virtualized version of IE6, it won't be Microsoft's fault. But this position ignores the fact that most application virtualization tools offer ways to control browsing with IE6.

Admins can use application-virtualization software to allow and disallow certain Web functionality to specific apps. So, an administrator can specify that IE6 only functions with an internal portal or Web app that requires it and that all other URLs default to a more modern and secure browser. Of course, not all admins follow security best practices. For that reason, Microsoft probably thinks it is safer not to support the practice at all.

Second, by not supporting IE6 virtualization, Microsoft puts pressure on customers and the wider ecosystem to abandon legacy Web browsers. Given a choice, most customers would love to standardize on a single browser such as IE8. The sad reality is that most large customers simply don’t have this luxury.

For instance, some legacy apps cannot be upgraded to be compatible with a new browser, and when the costs of rewriting those apps are weighed against giving end users access to IE6, it makes the virtualization of IE6 highly attractive.

Microsoft also missed an opportunity in not allowing its own application virtualization offering, App-V, to support IE virtualization. By failing to support and provide QA for it, Microsoft has opened the door to its competitors. The moral of the story: If you fail to support a configuration that's important to your customers, your competitors will find a way to solve your customer’s problems. Microsoft gave its competitors a calling card to its loyal customer base.

So what do I think will happen? The savvy customers who are used to playing hardball with independent software vendors (ISVs) will simply ignore Microsoft’s letter. Early server virtualization adopters faced similar barriers when ISVs simply refused to support server virtualization because it was new, different and something they didn’t have QA resources for.

The irony is that the ISVs that refused to extend support to their paying customers  used server virtualization for their own internal infrastructures. The same goes for licensing policies that prevented end users from moving virtual machines from one physical host to another. Now, live migration is a widely supported and widely used practice.

So, I've got a radical take on the whole issue of restrictions encoded in End-User License Agreements (EULA). If the restrictions aren't enforceable, ignore them. This is precisely what I did with server virtualization, and I will be doing the same with application virtualization.

I recommend to my customers that they look at the security and compatibility issues on an application-by-application basis. Where there are incompatibilities, we will test the Web app against an equally modern Web browser such as Mozilla Firefox or Google Chrome. If those prove to be unreliable or unpredictable, we will allow selective use of IE6, albeit bolted down so it works only with prescribed portals. By doing this, we will be maximizing security but not at the expense of usability.

Read more from Mike Laverick

Mike Laverick (VCP) is an award-winning expert and author who has been involved with the VMware community since 2003. He is a VMware forum moderator and member of the London VMware User Group Steering Committee. Laverick is the owner and author of the virtualization website and blog RTFM Education, where he publishes free guides and utilities aimed at VMware ESX/VirtualCenter users.

Dig Deeper on Application virtualization and streaming

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Why use IE, especially version 6?
This version has been warned against use due to it's insecurity.
IE is inherently the lease secure browser for two reasons.
1. It is embbedded in the OS, therefore a compromise of the browser is a potential compromise of the OS.
2. It has a larger attack surface than other browsers.

So rather than saying "To hell with Microsoft’s rule against IE virtualization", say "To hell with IE" and use a more secure browser and don't break their licencing rules.
Look at what happened with Windows XP, the most widely used Microsoft OS to this day, and probably the Desktop Virtualization OS of choice as well. I have participated in several major desktop refreshes at Fortune 1000 companies last year, and NONE of them upgraded away from Windows XP Professional. When customer needs run contrary to M$ sales revenue or liability concerns, well, you know how that goes. And as far as browser security: integrating a web browser deep into an OS - what genius designed this architecture? Seems like customers have to keep their own interests front & center and do what they think they need to do to make IT serve their business goals.
I worked closely with the guys at Thinstall prior to their acquisition by VMware, and the product being renamed as ThinApp. Because the product effectively virtualises the under-pinning file system it was and I suspect still is quite possible to persuade windows apps, to run on Linux, including IE. While I would never advocate doing this in a production environment, at the time it was nothing more than a neat trick, but I fear that this may have given concern in some parts to this being a threat.

Good luck to you running your IE6 as a ThinApp, if the only concern you have is the EULA then you've made a good job of it :-)
I would think the EU ant-trust lawyers will be very interested in this. Given the following (from the EU anti-trust website)
* For many years, Microsoft has automatically tied its 'Internet Explorer' web browser to its 'Windows' computer operating system.
* The Commission was concerned that – given Microsoft's dominance of the PC operating system market – this deprives consumers of choice and results in fewer innovative products on the market.
* In October 2009, Microsoft offered commitments to remove this barrier to competition. The Commission has now made these commitments legally binding on Microsoft for a period of 5 years.
* From March 2010, Windows users will be able to choose which web browser(s) they want to use on their computer by means of a browser Choice Screen.

I agree about ignoring them, msot of this EULA stuff is complete crap and has no legal basis in most countries.

Many organisations are still using IE6 because web apps were specially tailored to it (MS were going through a "let's creat our own standards" period) and re-writing those is expensive and time consuming. If IE6 had been totally standard compliant, the problem would not exist. So who created it? And now they try to stop us from working around it!

So, I will be forwarding this to:
European Commission
Directorate-General for Competition
For the attention of the Antitrust Registry
1049 Bruxelles/Brussel
IT really needs to get their head examined if they think its still OK to run backlevel, insecure operating systems and browsers in today's security environment. Yes, the lazy, cheap way to do VDI is to keep your ancient legacy apps on the ancient, legacy browser, but its far better to allocate those dollars towards modernizing said backlevel apps!