Slashdot Mirror


Stopping Adware and Spyware on Windows w/ Citrix?

SilverDivan asks: "A fairly large non-profit charity organization recently asked me how they can permanently take care of the spyware and adware problem that is plaguing their computing environment. I told them to simply use Mozilla/FireFox, but as it turns out they access outside applications that only run in Internet Explorer. So, I am planning to make a recommendation to publish Internet Explorer on a Citrix Farm, and let the users use the IE published on Citrix instead of the locally installed IE. This way they can lock down the IE to their heart's desire. Also publishing IE 'anonymously' on Citrix will further secure the environment, as the anonymous profiles can be deleted on a nightly basis. However, one issue with 'anonymous' access to Citrix applications is that the user cannot maintain their preference or even their bookmarks. Another issue is that there is no tracking, and no way to hold someone accountable in case of abuse. Has anyone implemented a similar solution before? What was your experience? Will it work? How can you configure the Citrix environment to best handle a situation like this?"

7 of 80 comments

  1. Re:Remove Microsoft :) by arkanes · · Score: 3, Insightful
    Sweet holy jesus. Did you actually read anything or do you have a "Use linux" postbot? Win4Lin won't solve any of the problems mentioned, although it would be a lot cheaper than a Citrix farm.

    A possibly better alternative would be to secure IE using AD policies (and migrate to AD if they aren't on one), and standardize on Firefox/Mozilla for everything except these specific applications. Use a proxy server if necessary. You could do this with Citrix also but a Citrix farm is a huge chunk of change and I don't see why you'd want to spend that much just for this.

    In fact, a good transparent proxy might be sufficient anyway - simply restrict anything with an IE user-agent to the specific IE only applications required.

  2. Firefox Extension by KilobyteKnight · · Score: 3, Interesting

    Make them use Firefox with this extension. Then they only use IE for the sites that require it. Those, one would hope, should be reasonably safe.

    --
    When will Windows be ready for the desktop?
  3. Re:RTFA by tlacicer · · Score: 3, Insightful

    Yeah, I know, I read the article. So let them run IE under the Win4Lin TS. What is the worst that could happen? That particular user's Windows session needs to be restored. Under Win4Lin that would take all of a couple minutes. And if you did a nightly backup of their bookmarks and userfiles, you could restore them too.

    I fail to see the problem here.

    --
    "A synonym is a word you use when you can't spell the word you first thought of." - Burt Bacharach
  4. Huh? by Anonymous Coward · · Score: 3, Informative
    Tools -> internet options -> Security

    For "internet zone", turn off everything, including activeX.

    For your "access outside applications that only run in Internet Explorer" put them in the trusted sites, and nothing else.

    Install firefox and let them use that for the "intar web".

    Please let me know where I can send the bill.

  5. Group Policy by Chester+K · · Score: 3, Interesting

    Can't they just "lock down IE to their heart's content" via Group Policy? Or perhaps an outbound proxy that only allows access to the specified pages when the user agent is IE's?

    Citrix seems like a little overkill for this problem.

    --

    NO CARRIER
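
The outbound-proxy rule suggested in comments 1 and 5 (requests carrying an IE user-agent are let through only to the IE-only applications), sketched as proxy decision logic. This is an added example, not code from any commenter; the host names, the allowlist and the sample user-agent strings are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: hosts of the external IE-only applications (placeholder names).
IE_ONLY_APPS = {"apps.vendor.example", "portal.partner.example"}

# Constructed sample user-agent strings for the demo below.
IE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
FIREFOX_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) "
              "Gecko/20041107 Firefox/1.0")


def is_ie(user_agent):
    """IE announces itself with 'MSIE ' (up to IE 10) or 'Trident/' (IE 11)."""
    ua = user_agent or ""
    return "MSIE " in ua or "Trident/" in ua


def host_allowed(host, allowlist=IE_ONLY_APPS):
    """Exact host or a true subdomain of an allowlisted host.

    Matching on the dot boundary keeps lookalikes such as
    'notapps.vendor.example' from passing a naive suffix check.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


def decide(url, user_agent):
    """Return 'allow' or 'deny' for one proxied request."""
    host = urlsplit(url).hostname or ""  # hostname is lowercased, port removed
    if is_ie(user_agent) and not host_allowed(host):
        return "deny"   # IE is confined to the IE-only applications
    return "allow"      # other browsers follow the normal proxy policy


if __name__ == "__main__":
    # Constructed sample requests: (URL, User-Agent)
    samples = [
        ("http://apps.vendor.example/login", IE6_UA),
        ("http://ads.tracker.example/popup.js", IE6_UA),
        ("http://ads.tracker.example/popup.js", FIREFOX_UA),
        ("http://notapps.vendor.example/", IE6_UA),
    ]
    for url, ua in samples:
        print(decide(url, ua), url)
```

The User-Agent header is set by the client, so this rule confines a stock IE install but does not constrain software that sends a different string; the IE zone or Group Policy lockdown from the other comments still has to do that part.
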
  6. all half-assed patches by passthecrackpipe · · Score: 4, Insightful

    They are all half assed patches. I find, time and time again, that it is better, faster, and cheaper to remove the dependency on IE - like, re-write the app or use a vendor that actually supports decent, secure software.

    Citrix?!? Just to run Internet Explorer?!? Absolute rubbish. Fix the real issue instead of just doing a half assed patchjob like that. What's wrong with you whippersnappers....

    --
    People who think they know everything are a great annoyance to those of us who do.
  7. How to resolve with Citrix by skinfitz · · Score: 4, Interesting

    Quite simple. Firstly you give your users Firefox to stop the spyware problem.

    Now, for the external IE only applications, you create them as applications in Citrix and give each an icon on the user's desktop. If the user wants to use one of the external apps, they click the app icon which will launch a Citrix'ified IE window with the app in it. Obviously configure the Citrix IE to remove the address bar.