SSL VPN and a Dedicated Web Browser

Given XSS and other vulnerabilities inherent in today's web browsers, many folk regard web browsers as the dirty public restrooms of today's personal computers. I was recently talking with someone about the potential for how this could POSSIBLY harm an enterprise that relies on SSL VPN.

Some of you might be familiar with my advocacy of using two or more separate web browsers. Though, with browsers such as Chrome and IE8 that spawn separate processes per tab, compartmentalization within web browsers is improving. But, I've not yet reached the point where I would steer folk away from the multiple browser approach. ... I digressed.

One more scope clarification: in this thought exercise, let's pretend the rest of the PC is clean (e.g., keyloggers, etc.).

So, how can an enterprise reduce its risks from SSL VPN and dirty web browsers? One partial answer: a dedicated web browser. One can lock down a web browser such that it can visit no other IP address other than the SSL VPN. This minimizes risks from the little nasties within a web browser. Let's not bother with the limitations and mechanisms of locking down the browser right now.

But, how does the SSL VPN server itself discriminate between the dedicated web browser prescribed for this use versus any other web browser? Web browsers self-identify themselves. This is far too easy to spoof. And besides, how would one know this prescribed browser (e.g., Firefox) from a browser that has not been locked down (e.g., Firefox from a home PC)?

Well, if any of you have one or more top-of-mind perspectives, ideas, or recommendations, I'm interested in reading them.

Cheers,

Eirik