Windows 7 : Configuring and Troubleshooting Internet Explorer Security - Adding Sites to the Trusted Sites List , Protected Mode

1/4/2014 2:57:36 AM

1. Adding Sites to the Trusted Sites List

Internet Explorer is configured by default to prevent Internet Web sites from performing many actions that might compromise the computer's security or the user's privacy. However, some legitimate Web sites might need to perform those actions to allow Web applications to run properly.

Administrators can add sites to the Trusted Sites list to grant them additional privileges. To add a site to the Trusted Sites list, follow these steps:

  1. In Internet Explorer, click the Tools menu on the toolbar, and then click Internet Options.

  2. In the Internet Options dialog box, click the Security tab. Click Trusted Sites, and then click Sites.

  3. In the Trusted Sites dialog box, clear the Require Server Verification check box if you access the server using HTTP rather than HTTPS.

  4. In the Add This Website To The Zone box, type the URL of the Web site, such as, and then click Add.

  5. Click Close.

The next time you visit the site, Internet Explorer grants it all the privileges assigned to the Trusted Sites list.

2. Protected Mode

Before Windows Vista, many computers were compromised when Web sites containing malicious code succeeded in abusing the Web browsers of visitors to run code on the client computer. Because any new process spawned by an existing process inherits the privileges of the parent process and the Web browser ran with the user's full privileges, maliciously spawned processes received the same privilege as the user. With the user's elevated privileges, the malicious process could install software and transfer confidential documents.

In Windows Vista and Windows 7, Internet Explorer hopes to reduce this type of risk using a feature called Protected Mode. With Protected Mode (originally introduced with Internet Explorer 7), Internet Explorer 8 runs with very limited privileges on the local computer—even fewer privileges than those that the standard user has in Windows 7. Therefore, even if malicious code on a Web site were to abuse Internet Explorer successfully to spawn a process, that malicious process would have privileges only to access the Temporary Internet Files folder and a few other locations—it would not be able to install software, reconfigure the computer, or read the user's documents.

For example, most users log on to computers running Windows XP with administrative privileges. If a Web site exploits a vulnerability in Windows XP that hasn't been fixed with an update and successfully starts a process to install spyware, the spyware installation process would have full administrator privileges to the local computer. On a computer running Windows 7 the spyware install process would have minimal privileges—even less than those of a standard user—regardless of whether the user was logged on as an administrator.

Protected Mode is a form of defense-in-depth. Protected Mode is a factor only if malicious code successfully compromises the Web browser and runs. In these cases, Protected Mode limits the damage the process can do without the user's permission. Protected Mode is not available when Internet Explorer is installed on Windows XP because it requires several security features unique to Windows Vista and Windows 7.

The sections that follow provide more information about Protected Mode.

How Protected Mode Works

One of the features of Windows 7 that enables Protected Mode is Mandatory Integrity Control (MIC). MIC labels processes, folders, files, and registry keys using one of four integrity access levels (ILs), as shown in Table 1. Internet Explorer runs with a low IL, which means it can access only other low IL resources without the user's permission.

Table 1. Mandatory Integrity Control Levels




System; processes have unlimited access to the computer.


Administrative; processes can install files to the Program Files folder and write to sensitive registry areas like HKEY_LOCAL_MACHINE.


User; processes can create and modify files in the user's Documents folder and write to user-specific areas of the registry, such as HKEY_CURRENT_USER. Most files and folders on a computer have a medium integrity level because any object without a mandatory label has an implied default integrity level of Medium.


Untrusted; processes can write only to low-integrity locations, such as the Temporary Internet Files\Low folder or the HKEY_CURRENT_USER\Software\LowRegistry key.

Low IL resources that Internet Explorer in Protected Mode can access include:

  • The History folder

  • The Cookies folder

  • The Favorites folder

  • The %Userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\ folder

  • The Temporary Files folders

  • The HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry key

How the Protected Mode Compatibility Layer Works

To minimize both the number of privilege elevation requests and the number of compatibility problems, Protected Mode provides a compatibility layer. The Protected Mode Compatibility Layer redirects requests for protected resources to safer locations. For example, any requests for the Documents library are redirected automatically to subfolders contained within the hidden %Userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized folder. The first time that an add-on attempts to write to a protected object, the Protected Mode Compatibility Layer copies the object to a safe location and accesses the copy. All future requests for the same protected file access the copy.

The Protected Mode Compatibility Layer applies only to Internet Explorer add-ons written for versions of Windows prior to Windows Vista because anything written for Windows Vista or Windows 7 would access files natively in the preferred locations.

How to Enable Compatibility Logging

Some Web applications and Internet Explorer add-ons developed for earlier versions of Internet Explorer have compatibility problems when you run them with Internet Explorer 8 and Windows 7. One way to identify the exact compatibility problem is to enable compatibility logging using Group Policy. To enable compatibility logging on your local computer, perform these steps:

  1. Click Start, type gpedit.msc, and then press Enter.

  2. In the Group Policy Object Editor, browse to User Configuration\Administrative Templates\Windows Components\Internet Explorer. If you need to enable compatibility logging for all users on the computer, browse to Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.

  3. Double-click the Turn On Compatibility Logging setting. Select Enabled, and then click OK.

  4. Restart Internet Explorer if it is currently open; otherwise, start it.

With compatibility logging enabled, you should reproduce the problem you are experiencing. You can then view events in the Event Viewer snap-in under Applications And Service Logs\Internet Explorer. Some events, such as Event ID 1037, will not have a description unless you also install the Application Compatibility Toolkit.



For more information about compatibility logging, read "Finding Security Compatibility Issues in Internet Explorer 7," at It applies equally well to Internet Explorer 8.

How to Disable Protected Mode

If you are concerned that Protected Mode is causing problems with a Web application, you can disable it temporarily to test the application. Protected Mode is enabled on a zone-by-zone basis and is disabled by default for Trusted Sites.

To disable Protected Mode, perform these steps:

  1. Open Internet Explorer.

  2. Click the Tools button on the toolbar, and then click Internet Options.

  3. Click the Security tab.

  4. Select the zone for which you want to disable Protected Mode. Then, clear the Enable Protected Mode check box.

  5. Click OK twice.

  6. Restart Internet Explorer.

If the application works when Protected Mode is disabled, the problem is probably related to Protected Mode. In that case, you should re-enable Protected Mode and work with the application developer to solve the problems in the Web application. Alternatively, you could add the site to the Trusted Sites zone, thus permanently disabling Protected Mode for that site.

  •  Windows 7 : Configuring and Troubleshooting Internet Explorer Security - Internet Explorer Add-Ons (part 2) - How to Configure ActiveX Add-Ons
  •  Windows 7 : Configuring and Troubleshooting Internet Explorer Security - Internet Explorer Add-Ons (part 1)
  •  Windows Server 2008 : Using ntdsutil - Seizing an Operations Master Role
  •  Windows Server 2008 : Using ntdsutil - Performing an Authoritative Restore, Removing a Domain Controller from Active Directory
  •  Windows Server 2008 : Using ntdsutil - Moving Active Directory to a Different Drive, Defragmenting Active Directory
  •  Windows Server 2008 : Using ntdsutil - Resetting the Directory Services Restore Mode Password, Changing the Garbage Collection Logging Level
  •  Windows Server 2003 : Deploying Stub Zones - Benefits of Stub Zones, Stub Zone Updates
  •  Windows Server 2003 : Creating Zone Delegations - Delegating Zones
  •  Windows Server 2003 : Configuring Advanced DNS Server Properties (part 2)
  •  Windows Server 2003 : Configuring Advanced DNS Server Properties (part 1)
    Most View
    Spring Is Here (Part 2)
    Is 802.11ac Worth Adopting?
    BlackBerry Z10 - A Touchscreen-Based Smartphone (Part 1)
    LG Intuition Review - Skirts The Line Between Smartphone And Tablet (Part 5)
    Fujifilm X-E1 - A Retro Camera That Inspires (Part 4)
    My SQL : Replication for High Availability - Procedures (part 6) - Slave Promotion - A revised method for promoting a slave
    10 Contenders For The 'Ultimate Protector' Crown (Part 3) : Eset Smart Security 6, Kaspersky Internet Security 2013, Zonealarm Internet Security 2013
    HTC Desire C - Does It Have Anything Good?
    Windows Phone 7 : Understanding Matrix Transformations (part 2) - Applying Multiple Transformations
    How To Lock Windows By Image Password
    - First look: Apple Watch

    - 10 Amazing Tools You Should Be Using with Dropbox
    - How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 1)

    - How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 2)

    - How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 3)
    Popular Tags
    Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS
    Top 10
    OPEL MERIVA : Making a grand entrance
    FORD MONDEO 2.0 ECOBOOST : Modern Mondeo
    BMW 650i COUPE : Sexy retooling of BMW's 6-series
    BMW 120d; M135i - Finely tuned
    PHP Tutorials : Storing Images in MySQL with PHP (part 2) - Creating the HTML, Inserting the Image into MySQL
    PHP Tutorials : Storing Images in MySQL with PHP (part 1) - Why store binary files in MySQL using PHP?
    Java Tutorials : Nested For Loop (part 2) - Program to create a Two-Dimensional Array
    Java Tutorials : Nested For Loop (part 1)
    C# Tutorial: Reading and Writing XML Files (part 2) - Reading XML Files
    C# Tutorial: Reading and Writing XML Files (part 1) - Writing XML Files