Using Virtual Machines for safe web browsing

This post ( ) has some interesting ideas about the use of Virtual Machines as a software distribution format. It reminded me of something I tried to do last year in the quest for a safer browsing experience.

My experiment: using Virtual Machines for safer web browsing experience

Like many of my colleagues, I play the role of IT staff for my family and friends. After a long and frustrating session of cleaning a friend’s machine from a spyware infection, I decided to explore ways I could prevent her from (1) easily getting infected and (2) mitigating the impact of an infection and (3) still providing her with easy and familiar browsing experience.

So, I created a small VM, installed Windows XP, and tried it myself for several days.  

The results …

General usability problems

  • It’s “clunky” to see two operating systems up. The ideal for the end-user should look perhaps more like a special browser, not an entirely different OS
  • Downloading files in in the VM doesn’t mean its easy or obvious how to access the files from the “real” OS.


  • Your VM can get infected and could be a threat to your “real” machine or other machines in your home network.
  • Instead of a single machine, now one has to be concerned with patching and running AV and getting updated AV signatures on two machines.
  • This doesn’t help with phishing attacks

Licensing & cost

  • Yes, one needs to purchase a separate license for the Windows OS being used on the VM. An Open Source OS with a free license is another alternative (but I believe would be an even more confusing end-user experience.)
  • And one has to account for the cost of running AV on the VM also


  • If you are infected you have to recover using undo disks or copying a safe version of the original virtual hard drive. That’s a lot of end-user pain. The ideal might be some kind of very obvious “reset” button that restores the VM to a completely safe initial state (that of course then has to get the latest patches and AV signatures).

My conclusion

Ultimately, I didn’t consider this a success. I felt the experience would be more confusing to the end-users and it wouldn’t reduce the time that *I* would spend supporting my friends and family. Also, with regard to the phishing attacks, it’s still a very incomplete solution.

There’s probably more to be learned from the the approach of providing small, role-based VMs but it’s going to have to be more seamless, easy-to-manage, and more secure.


Check out this “Browser Appliance”: 



Comments (0)