Windows Vista: Limited IE7 Protection Mode

Dennis Faas's picture

"Protected Mode provides the safety of a robust Internet browsing experience while helping prevent hackers from taking over the system and installing programs or deleting your information."

At least, that's what the Windows Vista web site and all the commercials tell you. The problem is, you're not as protected as you thought you were.

According to Microsoft, users with Internet Explorer 7 (IE7) in Windows Vista are better protected from malicious web exploits than users with IE7 in Windows XP -- all thanks to the introduction of Vista's Protected Mode.

With Protected Mode enabled on a Windows Vista machine, a remote attacker can only view files on your computer, not run the malicious code. What they don't tell you is that there are exceptions that can potentially turn Protected Mode off.

Shortly after Microsoft released the first out of cycle emergency patch for the animated cursor flaw in Windows (Microsoft Security Bulletin MS07-017), an article was posted on Microsoft's Internet Explorer blog site detailing the exceptions to Protected Mode.

According to the Internet Explorer blog post, Protected Mode is enabled by default for Internet, Intranet and Restricted zones, but disabled for the Trusted Sites and Local Machine zone.

To enable or disable Protected Mode for a zone navigate to: Internet Options -> Security tab -> Select the appropriate zone -> check / uncheck the "Enable Protected Mode" checkbox.

You can monitor the status of Protected Mode by looking in the bottom right corner of the IE7 status bar. It will display "Protected Mode: On" or "Protected Mode: Off."

This is where the confusion begins. At times you may notice the text in the status bar says "Protected Mode: Off" even when the Internet Options dialog says Protected Mode is enabled. The exceptions that could potentially turn off Protected Mode are as follows:

  • If you turn off User Account Control within Windows Vista, you automatically lose Protected Mode protection. When UAC is disabled, some of the protections which protected mode depends on are not available.
     
  • IE is running with Administrator privileges: Protected Mode is turned off when IE is launched by right clicking on the IE icon and selecting "Run as administrator" or when IE is launched with administrative privileges from another application... this generally occurs when an installer/setup program running with administrator privileges starts a new IE process.
     
  • IE is navigated to a local HTML page: When the page being viewed is a local file, Protected mode is turned OFF since the contents of the page are considered safe. If the page was saved from a zone (for example Internet" which has Protected Mode enabled, then Protected Mode is turned ON.

But, the author of the post saved the best part for last:

"If you visit a page whose zone has Protected Mode enabled and you see the status is "Protected Mode: Off", you will want to close and restart a new instance of IE to visit the page."

;-)

Visit Bill's Links and More for more great tips, just like this one!

Rate this article: 
No votes yet