Between "phishing" expeditions (the spammer technique of sending ostensibly legitimate email that requests personal information to confirm account information, such as credit card and bank accounts), Web-site redirection, and outright browser hijack attempts, reading your email and browsing the Web is fraught with dangers that passive protections such as firewalls can't really stop.
The best protection you can provide your users is to educate them about such dangers and give them pointers for identifying potentially dangerous content. For example, one of the most common phishing techniques provides an official-looking email message with a clickable URL that appears to link to the vendor site. In reality, the apparent URL is merely the text that disguises a link to a site that gathers personal information entered by unsuspecting visitors.
It's best to develop the habit of checking the validity of a link before you click it. If your email client supports it, you can usually mouse-over the suspect link and display its actual URL in the status bar at the bottom of the screen (this also works in Internet Explorer--IE--if the status bar is enabled). Because messages with such embedded links are sent in HTML format, you can also typically right-click the message and select "View Source," which displays the message's HTML source code. With a little effort, you can usually sort out the suspect URL from the morass of HTML tag information.
Determining the actual URL is more difficult when your browser has been redirected; many sites use Web-site redirection for legitimate reasons. If you've ever attempted to send someone a URL only to discover that the URL you sent is actually different from the one you thought you'd sent, or if you've noticed that no matter what link you click on a Web site, the URL in the address bar doesn't change, you've encountered the redirection problem.
To determine the actual URL of the Web page you're currently visiting, type the following JavaScript code in the address bar and click Go:
javascript:alert("Actual URL address: " + location.protocol +
"//" + location.hostname + "/");
Executing this code displays a pop-up dialog box that shows the actual root Web server, regardless of the URL that was displayed previously in the address bar. If this URL doesn't match up with where you think you should be, it's a good indicator that you should pay more attention to what's happening with the browser.
Unfortunately, you can't rely on your software alone to protect you from malicious Internet sites and users. Safe Internet usage means maintaining a level of situational awareness at all times. Running software such as Lavasoft's Ad-aware or Patrick M. Kolla's Spybot Search & Destroy will help keep your computer free of malicious content. However, the first line of protection is making sure your users stay alert about what's actually happening when they browse the Net.