

Protected Mode for IE7 in Windows Vista - Is it On or Off?

Hi, my name is Sharath Udupa and I’m a developer on the IE team. Many customers have asked us when the Protected Mode feature is turned on or off for Internet Explorer in Windows Vista. The Protected Mode feature is available only in Windows Vista. By default, Protected Mode is enabled for the Internet, Intranet and Restricted zones and disabled for the Trusted Sites and Local Machine zones.

To enable or disable Protected Mode for a zone, go to: Internet Options > Security tab > select the appropriate zone > check/uncheck the “Enable Protected Mode” checkbox. The status of Protected Mode is shown by the “Protected Mode: On” text in the bottom right corner of the IE status bar. However, at times you may notice that the text in the status bar says “Protected Mode: Off” even when the Internet Options dialog says Protected Mode is enabled. There are a few exceptions that could potentially turn off Protected Mode. They are as follows:

  • User Account Control (UAC) is disabled – If UAC is disabled, Protected Mode is turned OFF. When UAC is disabled, some of the protections which Protected Mode depends on are not available, for example, UI Privilege Isolation (UIPI) is disabled. Hence, Protected Mode is turned off in this scenario.
  • IE is running with Administrator privileges – Protected Mode is turned off when IE is launched by right clicking on the IE icon and selecting “Run as administrator” or when IE is launched with administrative privileges from another application. This generally occurs when an installer/setup program running with administrator privileges starts a new IE process.
  • IE is navigated to a local HTML page – When the page being viewed is a local file, Protected Mode is turned OFF since the contents of the page are considered safe. Caveat: If the page was saved from a zone (for example Internet) which has Protected Mode enabled, then Protected Mode is turned ON.

The following flow chart summarizes these exceptions:

IE7 Protected Mode Flow Chart

It’s always safer to browse with “Protected Mode: On”. If you visit a page whose zone has Protected Mode enabled and the status bar shows "Protected Mode: Off", close IE and start a new instance to visit the page. Hopefully, this post gives you a better understanding of when Protected Mode is enabled or disabled. Feel free to let me know if you have more questions on this topic.

-Sharath

edit: Add the word Windows - available only in Windows Vista.
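
The first two exceptions and the per-zone checkbox can be audited from a PowerShell prompt. The script below is an added example, not code from the original post or from the IE team. It assumes the standard Windows registry locations, which the post does not name: `EnableLUA` for UAC state and URL action `2500` under each zone key for the "Enable Protected Mode" checkbox. It does not cover the local HTML page exception, which depends on the page being viewed, and it ignores Group Policy overrides.

```powershell
# Added example: report the inputs that decide whether Protected Mode is in effect.
# Assumed registry locations (not stated in the post): EnableLUA and URL action 2500.
$zoneNames = 'Local Machine', 'Intranet', 'Trusted Sites', 'Internet', 'Restricted Sites'
$zonePath  = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-RegValue($path, $name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item) { $item.$name }
}

# Exception 1: with UAC disabled (EnableLUA = 0), Protected Mode is off in every zone.
$lua   = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
$uacOn = ($lua -eq 1)

# Exception 2: an elevated process. This tests the current session's token;
# an IE process launched from an elevated session inherits that elevation.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

"UAC enabled          : $uacOn"
"Session is elevated  : $elevated"

foreach ($id in 0..4) {
    # URL action 2500: 0 = Protected Mode enabled for the zone, 3 = disabled.
    # Per-user setting first, then the machine-wide default.
    $setting = Get-RegValue "HKCU:\$zonePath\$id" '2500'
    if ($null -eq $setting) { $setting = Get-RegValue "HKLM:\$zonePath\$id" '2500' }

    $zoneOn = ($setting -eq 0)
    if ($null -eq $setting) { $shown = 'not set' } else { $shown = $setting }

    New-Object PSObject -Property @{
        Zone        = $zoneNames[$id]
        Value2500   = $shown
        ZoneEnabled = $zoneOn
        # The checkbox only takes effect when neither exception applies.
        Effective   = ($zoneOn -and $uacOn -and -not $elevated)
    } | Select-Object Zone, Value2500, ZoneEnabled, Effective
}
```

A zone that shows `ZoneEnabled = True` but `Effective = False` is the mismatch described above: the Internet Options dialog says enabled while the status bar says "Protected Mode: Off".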

Comments

  • Anonymous
    April 04, 2007
    Is this going to be fixed in IE8?!?!?! http://support.microsoft.com/default.aspx?scid=kb;en-us;329156 It is really frustrating, that we have to use a submit button, in order to save values for autocomplete. AFAIK, any call to the native (internal) formObj.submit(); should save the data. Having to "do it yourself" rather kills the whole feature.

  • Anonymous
    April 04, 2007
    The comment has been removed

  • Anonymous
    April 04, 2007
    @Scott If you post at the Channel 9 thread (http://channel9.msdn.com/Showpost.aspx?postid=288259) with some more details about your problems, the developers who coded up UAC might be able to help you out. In the video, the UAC team explicitly asks everyone to post their UAC issues there.

  • Anonymous
    April 04, 2007
    Perfect timing, particularly following the mention of "Protected Mode" in the MSRC Blog post yesterday about MS07-017: Quote: "If you are using Windows Vista, the Internet Explorer 7 protected mode provides additional protections against web-based attacks." Pingback: http://securitygarden.blogspot.com/2007/04/protected-mode-for-ie7-in-windows-vista.html Added to "Windows Vista Bookmarks", Internet Explorer 7 page.  :)

  • Anonymous
    April 04, 2007
    If you read the MSRC Blog post update about the Animated Cursor vulnerability, then you would have also

  • Anonymous
    April 04, 2007
    Here is an excellent article that explains how IE's protected mode may be disabled: http://blogs.msdn.com/ie/archive/2007/04/04/protected-mode-for-ie7-in-windows-vista-is-it-on-or-off.aspx

  • Anonymous
    April 04, 2007
    Don't forget to add back the ability to customize toolbars, buttons and their layout in IE8 ;)

  • Anonymous
    April 04, 2007
    Thanks for clearing things up. One question: if I turn on Protected Mode in IE7, and use an IE shell (e.g. Avant Browser, Maxthon, etc.), do I have the same level of security as using just IE7 alone with Protected Mode enabled?

  • Anonymous
    April 04, 2007
    I suppose the operant theory for turning protected mode off completely is that no protection is better than some?   Just add a third tier of "limited" or somewhat and leave the dang thing on, after all, just because I hate being nagged about simple file operations doesn't make IE any safer, as the recent cursor attack demonstrates.

  • Anonymous
    April 04, 2007
    The comment has been removed

  • Anonymous
    April 04, 2007
    One of the aggravations I have with protected mode is that if you have a web page and click on a link that would cause IE to open that link in the opposite mode (e.g. going from trusted site to Internet, protected mode off to protected mode on) then IE opens a different instance. If there is already an instance of IE running with that mode, it opens as a new tab. That all sounds fine in principle, except for when you've got your IE home page set to a trusted site and you want to go to, say, www.microsoft.com, and you haven't got any IE windows open. What happens then? You open IE, it goes to your home page with protected mode off. You enter www.microsoft.com and it opens a new IE window. I understand why this is happening but it is really aggravating that IE can't support different settings of protected mode for different tabs within the same IE window. My desktop is cluttered enough as it is without having to have at least two IE windows open.

  • Anonymous
    April 04, 2007
    @ Scott Price turn UAC on and don't be stupid!

  • Anonymous
    April 04, 2007
    Nice rundown on what is actually entailed in determining "Protected Mode" and clarification on conflicting statuses. Pingback: http://geekinparadise.com/2007/04/05/ie7-blog-covers-ie7-protected-mode-in-vista/

  • Anonymous
    April 05, 2007
    I want to know more about Windows Integrity Levels, Please post more info about that. :)

  • Anonymous
    April 05, 2007
    The comment has been removed

  • Anonymous
    April 05, 2007
    The User Account Control is not only about technology or security, but also about good breeding. As developers

  • Anonymous
    April 05, 2007
    The comment has been removed

  • Anonymous
    April 05, 2007
    @Michelle -- Security should be job 1 -- I'd rather they work on that before paddings and margins.

  • Anonymous
    April 05, 2007
    One of the most interesting features of Internet Explorer 7 when it runs on Vista is its operation in protected mode: in practice, when Internet Explorer 7 is started on Vista, instead of running with the privileges of the

  • Anonymous
    April 05, 2007
    @cooperpx Protected Mode is ON by default, because UAC is ON by default. I always used Windows Vista with UAC and I love it, I haven't problems with it.

  • Anonymous
    April 05, 2007
    I have this code to open a window, but with IE7 and protected mode it always opens two windows:

    ```javascript
    // First see if the window is already open.
    win = window.open("", winName, settings);
    if (win == null) {
        alert("Unable to open a new window. Please add your application server to your allowed popups list.");
        return;
    }
    // Check to see if the window is new
    if (win.history.length == 0) {
        win.location = sURL;
    }
    win.focus();
    ```

    This is because the first call always opens with protected mode off, but setting the URL then sets protected mode on. How can I make sure the initial window opens with protected mode on to avoid two windows opening?

  • Anonymous
    April 05, 2007
    "IE7 is still not standards compliant...how about fixing that before you do anything else.." Whilst standards support is important, I would ALWAYS welcome security improvements 'before they do anything else'!

  • Anonymous
    April 06, 2007
    "all the other browsers which do things correctly." Like 'all other browsers' are so perfect. :P They have their own set of bugs. But I guess it's popular to bash IE.

  • Anonymous
    April 06, 2007
    The comment has been removed

  • Anonymous
    April 06, 2007
    @cars People don't have "problems" with UAC, they have a degraded user experience with UAC. This post isn't about how to get Protected Mode enabled, it's about showing when Protected Mode gets disabled (for whatever reason). Any third party web browser with RunAs can be done on WinXP with enormous results and nearly no side effects as web pages normally do not bank on the identity of the current Windows Account (IE may because of ActiveX and the ability to run "an application" within it). My impression of Protected Mode was something akin to this. As Mark posts above, IE pops out of protected mode in a few more instances. This post truly has been an eye opener for me (and no, UAC stays off unless I'm testing Vista compatibility).

  • Anonymous
    April 06, 2007
    The comment has been removed

  • Anonymous
    April 06, 2007
    The comment has been removed

  • Anonymous
    April 06, 2007
    The comment has been removed

  • Anonymous
    April 06, 2007
    Hi there, Thanks for the helpful advice, this article has helped me make a lot more sense of what the protected mode is. Josh Chandler www.windowsxphelpfuladvice.blogspot.com

  • Anonymous
    April 07, 2007
    The comment has been removed

  • Anonymous
    April 07, 2007
    The comment has been removed

  • Anonymous
    April 07, 2007
    Can anyone tell me why I can't open any of my RSS Feeds if I have Protected Mode enabled? I have almost fresh windows installation so it's not messy. I tried to disable every single plugin and it didnt work. Do your RSS Feeds work in your IE7 with Protected Mode?

  • Anonymous
    April 07, 2007
    RSS Feeds works fine in protected mode

  • Anonymous
    April 08, 2007
    I'm logged in as administrator. Can anyone tell me why IE won't load unless I right click on its icon and choose "Run as Administrator" or disable protected mode under Security in Internet Options and then run it?

  • Anonymous
    April 08, 2007
    The comment has been removed

  • Anonymous
    April 09, 2007
    @Chester Wilson: Chances are good that you're hitting this because the Intranet Zone is disabled on your PC (see http://blogs.msdn.com/ie/archive/2005/12/07/501075.aspx) and hence files from your other machines are being run with Internet Security settings (which causes the prompts).  Reenable the intranet zone manually and this problem will go away.

  • Anonymous
    April 10, 2007
    Hello. This is time for another IE7 frustration. Today I was writing some code in VS and had IE7 opened with a set of about 20 pages I somehow found. Then suddenly IE7 just closes itself without any message. After a second my PC started doing something and VS asked if I want to stop debugging and save my files. I answered yes and Visual Studio closed. Then my computer restarted itself. What was this? Of course it was a dumb*** "feature" of Automatic Update. What does it have to do with IE7? It didn't ask me to save ANYTHING! (Unlike any other useful MS application) So tell me please where is the button I should press to restore the pages I was browsing? Answer as soon as you can, because I really need them for the work I'm doing right now and it was really hard to find them.

  • Anonymous
    April 10, 2007
    I also found out IE7 wasn't saving my history for about 13 weeks. Why???

  • Anonymous
    April 12, 2007
    "What does it have to do with IE7?" Nothing, that's an issue with Automatic Updates if it is what you claim it to be. "because I really need them for the work I'm doing right now and it was really hard to find them." You know, there are things that allow you to save the address of a page, with a title that you can change. It's especially useful for saving pages that were hard to find. They're called bookmarks. "I also found out IE7 wasn't saving my history for about 13 weeks." I'd check your settings. It works fine for me, and everyone else.

  • Anonymous
    April 12, 2007
    I think the latest updates for MS security hijacked my default browser again! I thought that this was fixed? (Yes, my email client was hijacked again too, but I've given up waiting for Microsoft to fix that one.. it's only happened like every time for the last twelve times now.) I shouldn't be so impatient in waiting for that fix, it must be very hard to fix and might even need one of those really advanced coding guru things.. I think they are called "IF" statements. myVote++ for fixing the default web browser & email client hijacking. nic

  • Anonymous
    April 12, 2007
    This is what helped in this situation: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ietechcol/dnwebgen/protectedmode.asp which says:

    “Q: Are there specific locations in the USER PROFILE or HKEY_CURRENT_USER registry location that an extension in Protected Mode Internet Explorer can not write to?

    A: Yes, Internet Explorer-specific locations in the following USER PROFILE folders.

        Documents and Settings\%USER PROFILE%\...
        ...\Local Settings\Temporary Internet Files
        ...\Local Settings\Temp
        ...\Local Settings\History
        ...\%USER PROFILE%\Favorites
        ...\%USER PROFILE%\Cookies

    Extensions can write to the following locations.

        Documents and Settings\%USER PROFILE%\...
        ...\Local Settings\Temporary Internet Files\Low
        ...\Local Settings\Temp\Low
        ...\Local Settings\History\Low
        ...\%USER PROFILE%\Favorites\Low
        ...\%USER PROFILE%\Cookies\Low
        %USER PROFILE%\AppData\LocalLow”

    So instead of looking for the cookie that had been written in the userid\cookies folder we changed our code to look in both userid\cookies and then userid\cookies\low. Did not find out how to tell if Protected mode was on but I'm not sure that can be done due to security reasons.

  • Anonymous
    April 12, 2007
    Addition: The following example uses the Protected Mode API to detect the integrity level of Internet Explorer and choose a low integrity write location for a registry setting. We used it in our software development for Vista (at http://www.netvance.at) - the code snippet listed below solves this problem:

    ```c
    #include <windows.h>
    #include <iepmapi.h>

    HRESULT WriteSetting(LPCTSTR pszKey, LPCTSTR pszValue, LPCTSTR pszData)
    {
       BOOL bIsProtected;
       HRESULT hr = IEIsProtectedModeProcess(&bIsProtected);
       if (SUCCEEDED(hr) && bIsProtected)
       {
          HKEY hKey;
          hr = IEGetWriteableHKCU(&hKey);
          if (SUCCEEDED(hr))
          {
             HKEY hMyKey;
             DWORD dwDisposition;
             LONG lRes = RegCreateKeyEx(
                  hKey,         // Low integrity write location
                  pszKey,       // Specified sub-key
                  0L,           // Reserved
                  NULL,         // Class
                  REG_OPTION_NON_VOLATILE,
                  KEY_SET_VALUE,
                  NULL,         // Security Descriptor
                  &hMyKey,      // NEW or EXISTING key
                  &dwDisposition);
             if (ERROR_SUCCESS == lRes)
             {
                // Data size is in bytes and includes the terminating null
                lRes = RegSetValueEx(hMyKey, pszValue, 0, REG_SZ,
                          (CONST BYTE*)pszData,
                          (DWORD)((lstrlen(pszData) + 1) * sizeof(TCHAR)));
                hr = HRESULT_FROM_WIN32(lRes);
                RegCloseKey(hMyKey);
             }
             else
                hr = HRESULT_FROM_WIN32(lRes);
             // Close the low integrity handle
             RegCloseKey(hKey);
          }
       }
       else
       {
          // IE not in protected mode
       }
       return hr;
    }
    ```

  • Anonymous
    April 12, 2007
    @Nicolas You mean the issue with Firefox not being detected as the default browser which was actually caused by an update by Firefox and not by an update of IE? See: http://www.zoliblog.com/blog/_archives/2007/3/26/2836828.html

  • Anonymous
    April 13, 2007
    I am able to load the applet on all the versions of Windows using IE; also on Mac on Safari the applet is getting loaded. But the applet is not getting loaded on Windows Vista. I am using an ASP.NET web application, and in that I am calling an applet class. But for Windows Vista, it says that the class cannot be found. Could you please suggest what might be the problem? With Regards, Anish

  • Anonymous
    April 13, 2007
    The code snippet above looks very similar to something I once used in MSVisualC# 2005Express XMA Games development when the older systems wouldn't recognise some of the entry commands. Is the Vista IE going to be the only compatible one with Vista or will others such as Firefox and Mozilla (Open Source) also work? If so will they omit the current problems that are being experienced when using IE7?

  • Anonymous
    April 16, 2007
    @Nigel Booth: Yes, sure, I think there are more ways to overcome this Internet Explorer vulnerability. No, I don't think this will omit the problems with the current version of IE7. For further discussions don't hesitate to contact me directly via http://www.netvance.at

  • Anonymous
    April 17, 2007
    Hi, I just upgraded to XP SP2 and noticed all my nice little routines with MSXML2.XMLHTTP that had been working perfectly for the longest time suddenly break down when they reach an 'https' page. Is there a cure for this? I think I am getting a little depressed. I spent a lot of quality time on this and to see it no longer working because I 'upgraded' my computer doesn't make sense to me. Please, IE gurus and experts, help me out here. Thanks!

  • Anonymous
    April 17, 2007
    @Jack: Can you provide a bit more detail on what exactly you're doing?  Do you have a HTTP page that's using XMLHTTP in an attempt to contact a HTTPS site?  Or vice versa?  Can you send a code sample?

  • Anonymous
    April 17, 2007
    The comment has been removed

  • Anonymous
    April 17, 2007
    Let me preface the following question with a disclaimer: While I like to think I'm more technologically savvy than the general public, some of the above posts have totally lost me, so if anyone replies, please keep that in mind. Here's the question/problem: Can anyone tell me why since upgrading to vista some sites appear instantaneously, whereas others can take up to 5 minutes to appear?  Actually, I don't care why this is happening, I just need it fixed. As some potentially related problems, here are some other funky things that are happening: 1. images not opening on the page 2. when I try to add trusted sites, I've gotten a message that I can only add https, not http. I've already tried all of the troubleshooting tips, on MS, have allowed Dell to commandeer my PC, have had a number of conversations with their tech support, and have monkeyed with almost every setting I can think of (including turning off protected mode (at least I think it's turned off - ha ha).  No really, it's off.  But nothing works.  The only advice I'm being offered now is to restore the PC to original settings.  However, it seems to me that there must be some other option, and that a system restore is just for those of us who can't figure out the solution ourselves.  But I don't want to be that person!  I've already lost countless hours of productivity, and I really can't deal with having to reinstall all my software, etc.  I'm in the middle of a dissertation - someone please help?!

  • Anonymous
    April 17, 2007
    And lastly, for the blog owner, I figured out the fix via a registry tweak. Relatively painless, whew!

  • Anonymous
    April 19, 2007
    http://blogs.msdn.com/ie/archive/2004/07/22/191629.aspx