[Freak_NL]

I prefer Firefox Extended Support Release (ESR)¹ for this though. Every year (currently in March) the current normal Firefox version (that does auto-update) is forked for a new ESR support cycle and made available for acceptance. Three months later if all is stable, it replaces the previous ESR release series, and for a year corporate IT gets a browser that will only be updated with critical (security) updates; no new features, no removal of features. At the end of that year the cycle repeats itself, and you can roll out the new ESR series when you've confirmed everything works as it should.

1: https://www.mozilla.org/en-US/firefox/organizations/

[Nux]

Looking at all these "enterprise" horror stories, I don't think ESR's 1 year is nearly enough.

3 or 5 years might be more suitable.

[Freak_NL]

Most of those horror stories won't happen if you go through the upgrade cycle once a year. A year's worth of chances is manageable for whoever is maintaining the software, three or five years worth of browser features will make the heart of any developer sink.

It is a fallacy to believe that you can stave off updating a modern internet connected browser indefinitely; the IE6/7/8 hell has driven that lesson home in the industry, and security updates are a necessity. If you do need to stay with one particular browser version, then you use a virtual machine or some other properly sandboxed environment to offer it. You can keep running IE6 on Windows XP for as long as you like with a VM that thinks its the year 2003 and which for some reason can only reach http://oldunmaintainedapp.legacy.intranet.example.com. That's fine too (although I would hate to maintain that solution).