Hardening servers is usually focused on keeping the bad guys out. But with the recent rapid fire release of serious exploitable problems in IE, server security needs to also include a renewed commitment to keeping administrators from browsing the net with IE. In classes and lecture, I tell people to block port 80 outbound from IIS server either using IPSEC, ICF (for SP1 on Windows Server 2003), or your firewall. Many smaller shops, however, permit admins to browse with IE in order to pull down patches from Windows Update or utilities as required. Keeping to well known sites is a good thing, but there's no assuarance that everyone will be so well behaved that has access to the server.
http://www.theregister.co.uk/2004/11/02/web_security_survey_scansafe/ states
"Internet Explorer exploits posed the fastest growing web security threat to enterprises in the last quarter, according to web security services firm ScanSafe. The top exploit (Exploit.HTML.Mht) was used to attack twice as many businesses as any other web security threat in Q2 2004."
So, tighten up those servers and keep an eye on your client systems. All these problems with client side phishing combined with IE vulnerabilities make web filtering systems a lot more attractive.
-brett
