Understanding Protected Mode (non-enhanced)
To provide continuous protection while you’re using the web,
Internet Explorer provides Protected Mode. Internet Explorer 10
includes a number of updates to Protected Mode.
In many organizations, employees continue to sign in to local
computers using accounts that have far more privileges than are
necessary to accomplish their work. Specifically, a great number of
people have administrator access to their local desktop computers,
although their rights are generally more restricted at the domain
level. Because programs launched with the user’s sign-in have the same
rights as the user account itself, this can create a significant attack
vector by which malware can be introduced onto the computer.
This is where Protected
Mode becomes useful. Rather than running under the context of the
user’s full set of privileges, Internet Explorer operates with a very
limited set of privileges. As a result, if someone browses to a website
that attempts to deploy malicious code, the attack attempt would be
limited to just a few areas of the system, none of them critical. Such
malicious code would not have sufficient rights to perform software
installations, access personal files, or perform other damaging
operations.
Protected Mode operates based on the concept of integrity
levels. Windows 8 is composed of securable objects, which include
files, folders, and registry keys. Every securable object in Windows 8
has its own integrity level. The list of available integrity levels is
shown in Table 1.
Table 1. Integrity levels
Integrity Level | Rights
High | An administrative integrity level. Processes with this integrity level can install files to the Program Files folder and write to restricted areas of the system registry.
Medium | A user integrity level. Processes with this integrity level can interact with user areas of the registry (HKEY_CURRENT_USER) and the user’s documents folder.
Low | An untrusted integrity level. Processes with this integrity level can write to low-integrity locations only, including Temporary Internet Files\Low and low-integrity registry areas (HKEY_CURRENT_USER\Software\LowRegistry key).
When Internet Explorer is running with Protected Mode enabled, it is operating at a low
integrity level, limiting it to the low-integrity areas of the system.
This prevents an errant Internet Explorer process from accessing
sensitive areas of the system and restricts the damage it can do.
Windows 8 and Internet Explorer 10 introduce AppContainer,
a new process-isolation mechanism that takes the Protected Mode feature
found in earlier versions of Internet Explorer to the next level by
blocking even more areas of the system from both read and write
activities initiated by Internet Explorer, including a user’s personal
files and certain network locations. All Windows 8 native apps use
AppContainer to help protect the system.
Because Protected Mode restricts access to so many parts of the
system, it follows that there would be significant compatibility issues
with some websites, and users would face a multitude of user account
control (UAC) elevation requests during which the operating system
requests user permission to perform a potentially dangerous
administrative function. However, this is not the case. When a user
browses to a location that contains code requesting access to an area
of the system protected by Protected Mode, the Protected Mode
Compatibility Layer silently redirects the request to a safe, supported
location.
Although Protected Mode remains an important tool in the security
arsenal, it does have the potential to disrupt productivity. Therefore,
it’s possible for you to disable this security feature on a
zone-by-zone basis. For example, you might want to keep Protected Mode
enabled for Internet sites but disable it for intranet-based sites so
that users can run older intranet applications that might have
compatibility issues with newer browsers. In addition, as a
troubleshooting step when a user is having difficulty with a particular
website, you might find it necessary to disable Protected Mode.
To disable Protected Mode for a zone, complete the following steps:
- From Internet Explorer for the desktop, open Tools and select Internet Options. If the Tools menu isn’t visible, press Alt+T on the keyboard.
- Select the Security tab.
- Choose the zone for which you’d like to disable Protected Mode (Figure 2).
- Clear the check box next to Enable Protected Mode.
- Click OK until you’re back at a browser window.
- Restart Internet Explorer.
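Because the check box can be cleared zone by zone, it is worth auditing which zones actually have Protected Mode turned off. The following PowerShell function is an added example, not part of the original text. It assumes the setting is stored as URL action value 2500 under each zone's registry key (0 = enabled, 3 = disabled) and that policy values take precedence over user settings in the order listed in the script.

```powershell
# Added example: report the Protected Mode state of each Internet Explorer security zone.
# Assumption: URL action 2500 holds the setting (0 = enabled, 3 = disabled).
$zoneNames = @{
    0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
    3 = 'Internet';      4 = 'Restricted sites'
}
$suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Assumed precedence: machine policy, user policy, user setting, machine default.
$sources = [ordered]@{
    'Machine policy'  = "HKLM:\Software\Policies\$suffix"
    'User policy'     = "HKCU:\Software\Policies\$suffix"
    'User setting'    = "HKCU:\Software\$suffix"
    'Machine default' = "HKLM:\Software\$suffix"
}

function Get-ProtectedModeState {
    foreach ($zone in 0..4) {
        $state = 'Not configured'
        $from  = $null
        foreach ($name in $sources.Keys) {
            $key   = Join-Path $sources[$name] "$zone"
            $value = (Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue).'2500'
            if ($null -ne $value) {
                # The first source that defines the value wins.
                $state = switch ($value) {
                    0       { 'Enabled' }
                    3       { 'Disabled' }
                    default { "Unknown ($value)" }
                }
                $from = $name
                break
            }
        }
        [pscustomobject]@{
            Zone          = $zone
            Name          = $zoneNames[$zone]
            ProtectedMode = $state
            Source        = $from
        }
    }
}

# List every zone, then only the zones where Protected Mode has been disabled.
Get-ProtectedModeState | Format-Table -AutoSize
Get-ProtectedModeState | Where-Object { $_.ProtectedMode -eq 'Disabled' }
```

A zone reported as Disabled with the source "User setting" was changed through the Internet Options dialog or a direct registry edit rather than by policy.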