The next two versions of IE consolidated Microsoft's domination of the browser market. But as the Windows team (now including a number of key IE developers) started work on Longhorn, the browser slipped into a limbo of unambitious maintenance releases. Microsoft stopped putting out independent versions of IE and tied it to new releases of Windows. The Web was no longer the platform.
IE6 was a good browser when it came out in 2001, although IE insiders saw it as a shadow of what it could have been. For the next three years, it received only minor annual updates. The most significant was part of the major security overhaul in Windows XP SP2 that came out in mid-2004 and involved what Aroncheck calls "a complete security revamp for the IE code base." The SP2 version of IE included Group Policy for the first time, and at one point the team considered locking down IE in XP as securely as in Windows Server 2003.
The rest of the now far smaller browser team's time was taken up bringing the browser to different versions of Windows (like Media Center and Tablet PC), including the 64-bit versions of Windows XP plus Windows Server, building a version of IE based on WPF/E and XAML as part of the original Longhorn OS that never shipped, and rolling out hundreds of thousands of custom changes for enterprise customers.
Not only did the Longhorn project focus Microsoft's attention on .Net and XAML rather than HTML as the future, it also sucked the Windows team into a five-year morass of missed deadlines and project resets. What shipped as Windows Vista was a long way from the original code (or the betas that were released in 2003 and 2005) -- it wasn't simply IE falling behind during those years.
Members of the IE team were also busy defending against a lawsuit from Eolas. This one-person company claimed to have created the first browser to support plug-ins in 1993. It patented the idea in 1994 and sued Microsoft in 1999; the case came to court in 2003, when another browser developer, Pei-Yuan Wei, tried to show the Viola browser he had built in 1992. Wei didn't have much time to prepare, and even with World Wide Web inventor Tim Berners-Lee backing Microsoft, the court agreed with Eolas (who went on to sue 22 other companies, including Apple and Google). In 2012, a Texas jury finally invalidated the patents and the U.S. Court of Appeals agreed in 2013. That was too late for Microsoft, which had modified IE to work around the issue in 2006 -- taking more development time away from catching up with competing browsers -- and had settled with Eolas in 2007.
Meanwhile, Microsoft's view of the Internet for consumers was focused on building up MSN to compete with AOL, who still had a significant proportion of online users. Thus, more members of the IE team moved on to work on MSN Explorer. That seems short-sighted, given the rise of the Web, and some at Microsoft found it frustrating. As Partovi put it later, "it has always been sad to see the Internet side [of Microsoft] define itself more based on who it wanted to compete with (Netscape, AOL, Yahoo, and Google) rather than defining its own vision of what it wanted to be."
Resurrecting Firefox from the ashes of Netscape
All this meant IE was effectively in maintenance mode after 2001. And for all the IE team's hard work it would be more than five years before IE7 shipped, two years after Netscape's browser had returned from the dead as Mozilla Firefox.
Strictly speaking, Navigator didn't die; it was bought by AOL. But between the popularity of IE and the increasingly poor performance of the exceptionally buggy Netscape Navigator 6, usage of Netscape was minimal. Netscape had set up the Mozilla open source project before the sale to AOL, and for several years, Netscape incorporated Mozilla code into its browser releases. The dot-com collapse led to major layoffs at AOL in late 2002, and after the $750 million settlement and AOL's 2003 agreement to stick to its contract and carry on distributing IE, the company turned the Mozilla project into the nonprofit Mozilla Foundation with $2 million in seed funding.
Mozilla carried on cleaning up and rewriting the Netscape code, releasing a browser that was called first Phoenix, then Firebird, and finally Firefox. Firefox 1 came out in 2004 with the tabbed browsing and separate search bar that Opera had introduced, and it quickly started gaining market share and adding features. Meanwhile, Apple had released the first beta of Safari in early 2003.
Soon after, arguments about how Web apps should be written turned the long-running disagreements between the W3C and some browser creators into a formal split. Since the end of 2000, the W3C had been working on XForms, which was strongly tied to XHTML. When this was formally proposed in 2003, both Apple and Opera rejected it, calling it not "appropriate for the Web."
In 2004, the Mozilla Foundation and Opera got together to propose new standards for Web applications at the W3C to deal with the "rising threat of single-vendor solutions." When the proposal was voted down, Mozilla's Brendan Eich (the creator of JavaScript), Ian Hickson (then at Opera, having worked at both Netscape and Mozilla, now with Google and famous as the author of the ACID tests), and others "managed to get Apple, Mozilla, and Opera cooperating" to set up the Web Hypertext Application Technology Working Group (WHATWG). WHATWG was a reaction against both the direction and the slow pace of the W3C. The plan was to get a spec out by the end of 2004 -- far faster than the W3C group was moving -- and to build on HTML.
For the next few years, WHATWG was the way the "modern" browsers drove HTML -- and Microsoft wasn't formally involved. Microsoft's Chris Wilson was invited to join in 2006 but declined. Although he mostly agreed with the direction of the group, there were two issues. Especially after the Eolas lawsuit, he felt WHATWG needed to have a patent policy (which the W3C had always had, to make it clear if someone was suggesting using a technology their company had patented) and, because of the thousands of enterprise customers who relied on IE working the way it did, changing the way errors were handled would cause too many problems.
By then, it was clear that XHTML wasn't the future. World Wide Web creator Berners-Lee said it was time to reinvent HTML rather than replace it, and the Fifth HTML Working Group was set up in March 2007, with Wilson as chair.
There was some disagreement as to whether the working group would cooperate with or try to replace WHATWG, so WHATWG continued work. Google got involved, producing first the Google Gears plug-in and, in 2008, the Chrome browser. Gears was authored by the team behind the powerful but insecure Greasemonkey scripting plug-in for Firefox, with features like giving a website your location without asking, which led to Wilson telling the Gears team the plug-in would never ship as default in IE unless they added clear privacy protection.
Having parallel groups working on HTML led to the bizarre situation of WHATWG declaring HTML as a "living standard" that would always be evolving -- right after the W3C working group finalized much of HTML5. That's complicated by the fact that HTML5 is actually a group of hundreds of specifications, all at different stages of maturity. Simplistic test sites (including Hickson's famous ACID tests) can be misleading; the scores they give say more about what the test writers are interested in than about the formal state of the standards.
Web development continues to be a thorny issue because Web standards are always a moving target. When it got back in the browser game, Microsoft took a different approach because of all the existing sites based on how IE6 did things -- and because of its focus on security.
Restarting Internet Explorer for security
From the vulnerability in Universal Plug and Play found soon after Windows XP shipped to viruses to worms like Code Red, SQL Slammer, and Blaster, Windows was starting to look like a security punch bag. In February 2002, the Windows team downed tools and stopped coding for a few weeks while all 8,500 developers went through security training. The results came in Windows Server 2003 and its IIS server, in SQL Server 2003, and in Windows XP SP2, which were all major security improvements.
But rescuing Windows users from the security nightmare also meant rescuing IE. As Windows XP SP2 expanded from the initial quick-fix idea of shipping an update (built by the sustained engineering team that created most service packs) to enable the Windows firewall by default into a year-long major rewrite by the core Windows team. Making IE more secure became a key part of SP2. At the end of XP SP2, Todd Wanke, who ran the XP SP2 effort, commented, "We realize we have a lot of work to do to improve Internet Explorer, and we're just doing everything we can do ensure that we're securing that platform." That project turned into IE7.
A month before XP SP2 shipped, the first post on the new IE blog appeared, written by then product unit manager Dean Hachamovitch. He'd been running sustained engineering for IE and had been pushing to break IE apart from Windows and improve the browser rather than concentrating on custom fixes for enterprise customers.
By October 2004, Hachamovitch was demonstrating prototypes of IE7 to the Microsoft executive team, not long after Wilson came back to IE after his years working on WPF/E. In February 2005, Gates announced IE7 at the RSA conference.
Announcing a new version of IE at a security conference was a clear message that although there were new features (like the search bar Firefox had adopted from Opera) and better CSS support, the first priority was improving browser security. As Hachamovitch put it at the time, the plan was to "go further to defend users from phishing as well as deceptive or malicious software. Why? Because we listened to customers, analysts, and business partners. We heard a clear message: 'Yes, XP SP2 makes the situation better. We want more, sooner. We want security on top of the compatibility and extensibility IE gives us, and we want it on XP. Microsoft, show us your commitment.'"
What they got in IE7 was significant security improvements, such as the first versions of the SmartScreen malware protection, color-coding the address bar to show when you were on a secure site, blocking Active X controls unless you specifically asked for them and running them in a separate process, and locking down browser settings and using protected mode in Windows Vista. That put the browser in a sandbox with fewer rights than a limited user account, so IE -- and any malicious websites you visited -- couldn't write files or registry keys anywhere important.
After a year, Microsoft even stopped checking to see that users had a genuine copy of Windows before letting them download IE7, presumably believing that getting more people onto a more secure version of IE would protect paying customers better than leaving a pool of IE6 on pirated systems. As IE's Rob Franco joked at the time, "My goal with IE7 is to protect the system against the most destructive force in the universe: my brother, who believes that everything on the Internet should be free and will click on anything to get it."
The initial impetus for IE might have been the security problems Microsoft was facing, but Microsoft's own telemetry told it how much of time people were now spending in the browser. By the time IE7 shipped, it was also obviously a response to Firefox. In fact, Firefox vice president Nightingale jokes, "IE7 is one of the releases we're most proud of" because "that release didn't happen the way it did without Firefox and without Microsoft realizing the game was afoot."
Nightingale also gives Microsoft credit for joining in: "Of all things, IE is showing up in standards bodies. Microsoft wants to engage, to win hearts and minds among Web developers. It's really positive to see all browsers recognizing the value of that investment [in standards]."
Developers, developers -- Web developers?
Microsoft dropped the Mac version of IE at the end of 2005 to concentrate on Windows, and IE7 launched in October 2006. It wasn't a one-time fix, either. The plan was to come out with a new browser with better security and slightly better standards support as soon as possible (it took about 18 months in the end) while working on much more support for standards for the next two versions of IE.
"In a sense we're doing a mea culpa, saying we waited too long for a browser release," Gates said at the MIX 06 conference soon before IE7 was released. Hachamovitch was even blunter: "For a lot of people, anything short of an apology, to them, just sounds defensive. So I want to be clear: We messed up. As committed as we are to the browser, we just messed up."
Having a more secure browser would be no use if developers didn't build for it, and that's been the uphill battle Microsoft has faced ever since it let IE6 effectively fossilize. And there was a tension that was evident at the time that has dogged IE to this day.
"We had a very simple goal: We wanted to make every day better for every developer," Hachamovitch said at MIX 06. The point of the MIX conferences was to put Microsoft "in the mix" as a possibility for Web developers to consider -- although it was still pushing IIS and WPF/E as much as HTML, and Silverlight made its first appearance at the conference, demonstrated by Joe Belfiore.
Microsoft was prepared to take its lumps from a frustrated developer community, and the first MIX conference drew half its speakers from the HTML and open Web community. Still, Microsoft needed to strike a balance for developers, users, and enterprises.