Because malware can come from malicious ActiveX, JavaScript, Flash, and other scripts, I think D+ should treat web browsers like Internet Explorer, Firefox, and Chrome as untrusted applications. That way, if you go to a malicious website, D+ will alert you about the behavior. Right now, the web browsers have higher privileges because they come from trusted vendors. So, to really protect CIS users, D+ needs to have preconfigured rules for treating web browsers as untrusted applications. GeSWall treats web browsers as untrusted applications. CIS should consider doing the same.
Web browsers, including IE, can be safely treated as trusted applications. For malware to take over a web browser, it has to access and modify it first. Any malware that tries to modify any other program (including web browsers) will trigger an alert to the user (e.g. inter-process memory access, keyloggers, etc.).