You want to block all internet access from specific versions of Internet Explorer and Windows, for example, from Internet Explorer 8.0 and Windows XP.
The user-agent string that Internet Explorer (identified as MSIE) uses to represent itself contains several tokens (Tokens are included in user-agent strings and provide specific details about the program making the request. Tokens vary among programs; the tokens in the Internet Explorer user-agent string describe the browser, the operating system, and the current browser mode.) You can create a combined policy condition that looks at both the MSIE version token and platform token in the User-Agent string of user requests. With this type of policy, you can control the Internet access for any workstations that use outdated software.
In this User-Agent string, the Version token is "MSIE 8.0" and Platform token is "Windows NT5.1":
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5)\r\n
The following CPL denies any URL requests if the request if from IE 8.0 on Windows XP:
<Proxy> DENY request.header.User-Agent="MSIE 8.0" request.header.User-Agent="Windows NT 5.1"