Protected mode ON vs Protected mode OFF

[StephaneR]

Hi,

My organization task me with defining Policies for Internet Explorer 7 on
Vista. The goal was to make it even more secure than the defaults provided
by Microsoft. On the other hand, I was a bit more relax on the Intranet side.

One of the feature I would really like to take advantage is the Protected
Mode. By default it's on, but on the Intranet side, I turned it OFF to take
care of some issues around SharePoint (explorer view in SharePoint was not
working). I suspect that there would be more functions/features that would
not work if Protected Mode is ON. This is just an assumption.

A lot of people are complaining because it open a second instance of IE when
changing zones. Now, they want it OFF or ON in all zones so they won't have
to hear people complaining at the Call Center.

I guess I have problem communicating the reason why we should NOT turn it
OFF. Would someone give me some sample exxplanation why we should NOT turn
it OFF and leave it ON on the Internet Zone and OFF in the Intrannet Zone?

My reasons for Intranet zone at OFF is because we would like to make some
script through a web page in our Intranet zone that would query the system
registry, maybe copy files, or execute scripts right from a web page. Do you
see any other advantage to set it to OFF in the Intranet zone? What kind of
stuff would I have problem with if it was set to ON?

Can someone help me?

 

[Victek]

I guess I have problem communicating the reason why we should NOT turn it

OFF. Would someone give me some sample exxplanation why we should NOT
turn
it OFF and leave it ON on the Internet Zone and OFF in the Intrannet Zone?

Here's a good explanation of the benefits of protected mode.

"In Protected Mode, Internet Explorer 7 in Windows Vista cannot modify user
or system files and settings without user consent. Protected Mode requires
the user to confirm any activity that tries to put something on your machine
or start another program. By ensuring the user consents to these kinds of
actions, the likelihood of automated and/or unwanted software installation
is reduced. This feature also makes you aware of what a website is trying to
do, giving you a chance to stop it and take time to double check the
trustworthiness of the website. "

If you're users have admin accounts then protected mode adds significant
security. If they have limited user accounts then I don't know that
protected mode makes as much difference. Perhaps others can comment on
this?

 

[StephaneR]

Thank you Victek. Very much appreciated.

After reading this, why would someone want to turn Protected Mode OFF then?
In the Intranet Zone, turning Protected Mode OFF would give what king of
possibilities? The only one I saw so far was to enable the Explorer view in
SharePoint Shared Documents library. Having Prtoected Mode ON, this
functionnality was broken. I am sure there is more than that.

Anyone had to turn Protected Mode OFF in the Intranet Zone? And why?

Thanks again...

 

[Bill Silvert]

The problem I see with protected mode is that it is so dumb that it becomes
self-defeating. Sure, I want to be warned if a site I am browsing tries to
slip something onto my machine. On the other hand, if I click on a download
link and then have to see a warning message and then click several boxes to
proceed, it gets frustrating and I want to turn off the protection. Would it
be that hard to smarten up IE to know the difference between programs that
are trying to snerak up on me and the files I have asked for?

Bill Silvert

 

[Kerry Brown]

The problem I see with protected mode is that it is so dumb that it
becomes self-defeating. Sure, I want to be warned if a site I am browsing
tries to slip something onto my machine. On the other hand, if I click on
a download link and then have to see a warning message and then click
several boxes to proceed, it gets frustrating and I want to turn off the
protection. Would it be that hard to smarten up IE to know the difference
between programs that are trying to snerak up on me and the files I have
asked for?

I have protected mode on. I don't see several boxes to click on when I try
to download a file. Are you trying to save the download in a protected area?

 

[Bill Silvert]

No, but I am having the same problem even when I turn protected mode off.
The lowest security setting allowed is Medium, which always checks on
downloads.

Bill

PS - I tried to send a personal reply to Kerry, but cannot decode his
address which has too many anti-spam inserts for my humble skills. Apologies
for reposting to the whole list.

----- Original Message -----
From: "Kerry Brown" <[email protected]*a*m>
Newsgroups: microsoft.public.windows.vista.security
Sent: Wednesday, December 12, 2007 4:17 PM
Subject: Re: Protected mode ON vs Protected mode OFF

 

[Kerry Brown]

PS - I tried to send a personal reply to Kerry, but cannot decode his
address which has too many anti-spam inserts for my humble skills.
Apologies for reposting to the whole list.

Try the link in my sig