IE 7 will run only on Windows XP Service Pack 2 (SP2) when it releases in beta form shortly, Microsoft IE program manager Chris Wilson wrote on the Internet Explorer Weblog. One reason: "some of the security work in IE7 relies on operating system functionality in XPSP2 that is non-trivial to port back to Windows 2000," Wilson wrote.
Although Microsoft has disclosed relatively few details about IE 7, not long after Bill Gates announced the update at the RSA Conference in mid-February, other Microsoft officials said that the new browser might also support Windows 2000.
"We're actively listening to our major Windows 2000 customers about what they want and comparing that to the engineering and logistical complexity of that work," IE team leader Dean Hachamovitch said in February on the same IE blog.
As late as March, Microsoft was still playing coy about possible Windows 2000 support for IE 7. "We have heard the requests for support of Windows 2000, but have nothing to announce at this time," the company said then.
The door is officially shut now, said Wilson, both because of IE 7's reliance on XP SP2, and because Windows 2000 of "where we are in the Windows 2000 lifecycle."
Windows 2000 is slated to move from what Microsoft calls "mainstream" support to the less functional "extended" support at the end of June.
"It should be no surprise that we do not plan on releasing IE7 for Windows 2000," concluded Wilson.
He's right, at least by some analysts' reasoning. As long as late 2004, nearly 10 weeks before Gates announced IE 7, a pair of analysts at Gartner said there was no chance that Microsoft would deliver the kind of security enhancements it put into Windows XP SP2 for the Windows 2000 platform. "If you're interested in the security improvements [in Windows XP SP2], plan to move to [Windows XP SP2]," Michael Silver and Neil MacDonald said. "Windows 2000 won't see those improvements."
Another analyst, however, remains upset, but not over IE 7.
"I don't understand the outrage over IE 7," said Michael Cherry, an analyst with the Redmond, Wash.-based Directions on Microsoft. "From what I can tell, the changes to IE don't fix a specific flaw, but are design changes. That may be a matter of semantics to some, but Microsoft's made this distinction a number of times before." In other words, said Cherry, users shouldn't be shocked that Microsoft's taken that tack again.
"I'm outraged, too, but not over IE 7. A bigger problem, in my opinion, is the whole definition of 'mainstream support.' There are fixes to XP [in SP2] to the underlying architecture of RPC and DCOM to make them more secure, but Microsoft's not backporting these to Windows 2000. They're not even providing a final service pack for Windows 2000."
In November 2004, Microsoft revealed that it had dropped the idea of a fifth service pack for Windows 2000, which remains a "major" operating system in enterprises, according to Cherry. Instead, Microsoft said a "security roll-up" of SP4 would be the final update. That roll-up has yet to be delivered.
The problem, said Cherry, is that most users read far more into "mainstream support" than Microsoft actually delivers. "Nothing's guaranteed in mainstream support except that Microsoft promises to 'consider' non-security changes," said Cherry. "It's under no obligation to actually make those changes. In 'extended support' they're just not required to consider changes."
That leads to ever-increasing pressure on the part of Microsoft to convince customers to update, but leaves aging operating systems less than secure. "Microsoft would, of course, prefer that everyone use the most current operating system," said Cherry, "but look at how things are going moving forward. Windows XP doesn't support the concept of 'least privilege,' where users are, by default, not registered as administrators. Microsoft says that's for Longhorn. In other words, Microsoft is never going to fix that in Windows XP."