none
'Protected Mode' and 'Run As Administrator' in Internet Explorer RRS feed

  • Question

  • I'm  trying to understand how these two options work together. 

    If 'Run As Administrator' is unchecked on IE shortcut, does Protected Mode in IE Option work or not? 

    If 'Run As Administrator' is checked on IE shortcut, does Protected Mode in IE Option work or not? 

    In my assumption, the Enable Protected mode in in IE internet zone only works when IE process is launched with a standard  user access token the user uses . If IE process is launched from a administrative user token (run as administrator), will this IE Option still work if it's checked and restrict access to securable objects like system files and registries?

    Friday, October 19, 2018 9:07 PM

Answers

  • Found answers 



    “Mandatory integrity control adds another layer of security. In a nutshell, it works like this: each securable object has a label that puts it into one of three categories: low, medium or high security. Each process has a complementary label marking it as untrustworthy, normal or trustworthy. Normal processes can write to objects with the levels medium or low. Untrustworthy processes can only write to low security objects.”

    “MS Mandatory Integrity Control

    Mandatory integrity control adds another layer of security. In a nutshell, it works like this: each securable object has a label that puts it into one of three categories: low, medium or high security. Each process has a complementary label marking it as untrustworthy, normal or trustworthy. Normal processes can write to objects with the levels medium or low. Untrustworthy processes can only write to low security objects.”

    “the following happens when you start protected mode IE:

    IE starts as a medium integrity process.

    “Medium” IE checks for the existence of the “low” versions of its folders. If necessary, it creates them.

    “Medium” IE proceeds to check for the integrity level of its low level folders. If necessary, it sets their IL to low.

    “Medium” IE then launches another instance of itself – but this time as a low IL process.

    Et voilà – protected mode IE finds its environment correctly configured.”



    ref. helecklein- internet explorder protected mode explanation

    “Internet Explorer 7's "Protected Mode" feature uses UAC to run with a 'low' integrity level (a Standard user token has an integrity level of 'medium'; an elevated (Administrator) token has an integrity level of 'high'). As such, it effectively runs in a sandbox, unable to write to most of the system (apart from the Temporary Internet Files folder) without elevating via UAC.[7][20] Since toolbars and ActiveX controls run within the Internet Explorer process, they will run with low privileges as well, and will be severely limited in what damage they can do to the system.[21]”



    ref. Wiki - User Access Control



    • Edited by s.p.han Monday, October 29, 2018 1:39 PM
    • Marked as answer by s.p.han Monday, October 29, 2018 1:39 PM
    Monday, October 29, 2018 1:36 PM