Microsoft streamlines elevation policy

Jun 14, 2007 08:36 GMT

Microsoft designed Internet Explorer 7 in Windows Vista to run in Protected Mode by default. This is just one of the security mitigations that the Redmond company has seen fit to introduce in its latest operating system and in the browser component. Still, added security is always a trade-off with the user experience. Protected Mode is just such a case, as upgrades and installers deployed to IE7 required a browser restart. Microsoft generally expects the development community to adapt to its products, and not the other way around. Protected Mode presented challenges to extension developers by limiting what their code can do, and so Microsoft shipped a new API to resolve the restart issues.

"With Protected Mode Internet Explorer, we introduced the idea of elevation policies - a series of registry keys and values that tell Protected Mode how to handle elevation for a specific extension's broker process. Protected Mode normally runs the Internet Explorer process with lower privileges. In general, extensions should operate as low integrity processes. However, some extensions require access to medium or high integrity objects. Because of this, extensions can be configured during installation to run with a higher privilege level by creating an elevation policy that is associated with them in the registry," stated Sharath Udupa, IE Developer.

Udupa explained that, before the introduction of the new API for IE7, a running browser process did not pick up changes made to the registry. The browser runs in Protected Mode as a process separate from the extension installers that add elevation policies. As a direct result of this shortcoming, IE7 had to be restarted in order to pick up the new policy from the registry.

"As part of the IE June Security Update we shipped yesterday, we've helped reduce the challenges developers faced with elevation policy. Extension developers can now eliminate the need to manually end and restart the IE process to refresh elevation policies whether it is part of an upgrade or an addition to their current installer's elevation policy. By calling the IERefreshElevationPolicy API as part of your extension installer, the need for ending and restarting Internet Explorer is removed," Udupa added.

All developers interested in additional details for the IERefreshElevationPolicy API should refer to the MSDN documentation made available by Microsoft.