Your link speaks of a layered defense. Firefox offers far better script security that IE and that right there is a great start.
Care to elaborate?
On #5 in red type it says keep your software up to date. IE has been terrible about fixing exploits in a timely manner in the past.
I don't know if you read the Symantec biannual security reports, but Microsoft's time-to-patch is actually very low, lower than RedHat, Apple, Sun Solaris and HP.
I never suggested that this was the only thing needed for security, but is a piece of the process. Allowing scripts to do whatever they want is just asking for trouble. Quit the name calling.
You used a very misleading generalization, stating that unless he drops IE, he will have this stuff again and again. I'm sorry, but that needs a retraction before I make any apologies for "name-calling." And as a person who's seen plenty of FF-equipped systems successfully infected in the course of my malware research, and is quite familiar with the actual
modus operandi of the bad guys, I don't view FireFox as a security improvement unless you intend to use NoScript, at which point you've had the same option for about 10 years now with IE using the security Zones feature to differentially block scripts and Java on sites you haven't explicitly trusted. :shrug: Use FF to your heart's content, of course, but if you want your system secure, my first recommendation is to run it (and any browser) at non-Admin privilege.
Touching on the
modus operandi,
nbp, one angle of attack used by the bad guys is to plant bogus search results for innocent-sounding stuff like "wood stoves" (and not-so-innocent stuff is often used as bait too, of course), and then tell visitors that they need a Flash Player Update or an ActiveX Object to view the page. And how convenient, they have the necessary download right there in your face... except it's really something else. There are even versions for Mac now. So be skeptical; the IntarWeb is not all safe :tinfoil:
Another angle of attack is attack suites such as IcePack and MPack, which will take a shotgun approach to find vulnerabilities on your system (vulnerable versions of QuickTime Player, Sun Java, Real Player, Flash Player, Adobe Reader, WinZip, WinAmp) that can be reached through your web browser. Antivirus software may detect the exploit, keeping software up-to-date may eliminate the targets, trying to control scripting may preempt the attack... but when everything else has fallen through, using a non-Administrator user account (and optionally an anti-execution layer such as Software Restriction Policy) is a huge final defense. When I was a sysadmin, my fleet racked up something like 400,000 machine-hours without an infection (yes, equipped with Internet Explorer) using the strategy I'm proposing, using non-Admin accounts as the cornerstone. So consider trying that. I know it can be a hassle if you're accustomed to using an Admin account all the time, but consider it.
Tangentially, regarding system lockdown, another option for WinXP systems is
Windows SteadyState, a free download.
