When I worked on Internet Explorer, the team was proud of the fact that we could claim to be more aligned with our users’ goals than either of our major competitors (both of whom were funded almost entirely by advertising). IE, the story went, was paid for by users who purchased Windows, and thus our true customers were our users, not advertisers.
Over eight years on the team, there were very few instances where a decision was made that seemed to violate that “Users first, always” mantra (“Suggested Sites” being one noteworthy exception).
I was most proud of the work done around the IE Search Provider APIs, which made it easy for IE users to use the search engine of their choice, even though we knew that users’ choice would often not be Microsoft’s offering.
Last year, I was disappointed to see that Microsoft started removal of the Search Provider APIs, first deprecating them into legacy document modes, and next omitting them from the new Microsoft Edge browser. The result was that users had to follow a convoluted set of steps to add search providers for DuckDuckGo, Google, Wikipedia, etc. As a developer who loved using custom search providers for topic-specific searches on MSDN, StackOverflow, Amazon, and the like, I was really disappointed to see this change. I was only heartened to see this user-hostile change hadn’t been backported to earlier versions of Internet Explorer.
I recently upgraded Windows 10 to build 11082. Upon opening Internet Explorer 11, the following modal dialog box appeared:
I like to think that this dialog would never have shipped in the years I worked on IE. First, and most glaringly, the default option is to hijack the user’s search provider and homepage to Microsoft-owned properties. Next, the dialog box tries to justify this hijacking by implying that IE didn’t previously protect these settings (false) and that “websites” could “silently change” these settings (false). Clicking “Click here to learn more” takes the user to a page (delivered insecurely) which vaguely hand-waves about the threat of local malware, and says nothing about misbehaving websites.
So, if Microsoft is now “protecting” the settings they’ve just changed, how are they doing it?
Let’s have a look at the new version of that Add Search Provider dialog box we saw earlier. See what’s missing?
That’s right—the choice to change your default search engine has been removed. (The option is now buried in a subtab of a subdialog of the Internet Options dialog.)
Ick.
-Eric Lawrence
text/plain 
I must confess the recent IE/Edge changes have not been shining a light on “the good side” of Microsoft. Some of these changes have a smell of the days back when it was a Netscape/IE browser wars world that I’d hoped we have all since moved on from. As for protecting against the “sites” that might alter these properties… yeah this is a thinly veiled note… but to play devil’s advocate, stating it as protecting against that crazy annoying malware that resets these settings in such a brutally annoying way that causes you to boot up in safe mode to kill them… might be a bit long winded for the dialog.
If that dialog had either pre-selected the user’s current settings radio, or did the “try-and-pray” option of not selecting either in hopes that they might choose the Microsoft settings (by choice or accident) then I think it would have slipped through without raising eyebrows much.
Speaking of other apps that attempt to set your homepage, search engine, or anything like that – I think I’d be willing to state that I think removing any OS/Browser API’s that even allow an outside app to alter these would actually be a good thing.
If a user wants to add a homepage, or search engine – as long as it is easy for THEM to do it, from their browser, e.g when viewing the site, I think that is all that is needed. The other ~99.99% of the time when a 3rd party app is setting them… it is often a slimy/evil scenario.
The IE team has previously created a number of APIs to allow local applications to propose changes to your settings (after user consent via a MS-owned UI) like IHomePageSetting; see https://msdn.microsoft.com/en-us/library/dn602565(v=vs.85).aspx. This was done largely in order to declare direct registry manipulation verboten (and thus grounds for blocking as Potentially Unwanted Software by Windows Defender).