14 DAY TRIAL // Internet Explorer 7 in Windows Vista runs by default in Protected Mode. In this context, all the IE7 processes in Windows Vista run with extremely restricted privileges, literately isolating the browser from the rest of the operating system. Microsoft has aimed to secure IE, by bulletproofing one of the most common attack vectors on Windows, the browser.
There are a couple of downsides to the Protected Mode equation, and they involve applications that will attempt to write directly to disk while the user surfs an Internet or Intranet zone, or that will not manage correctly new prompts. These are in fact the compatibility issues that Internet Explorer 7 in Protected Mode will generate on Windows Vista.
Users must understand that although IE7 is also available for Windows XP SP2 and Windows Server 2003, Protect Mode is a feature specific to the browser's version on Windows Vista due to the new integrity mechanism featured by the operating system. In Windows Vista processes, files, and registry keys with higher integrity levels cannot be accessed with standard user privileges.
Temporary Internet Files folder, the History folder, the Cookies folder, the Favorites folder, and the Windows Temporary Files folders are all the low-integrity locations that IE7 can access and write to. The browser's Protect Mode also impacts its extensions, that will run as low-integrity processes.
"A compatibility layer handles the needs of many existing extensions. It intercepts attempts to write to medium integrity resources, such as the My Documents folder in the user profile and the HKEY_CURRENT_USER registry hive. The compatibility layer uses a generic Windows compatibility fix to automatically redirect these operations to the following low-integrity locations: %userprofile%LocalSettingsTemporary Internet FilesVirtualized and HKEY_CURRENT_USERSoftwareMicrosoftInternetExplorerInternetRegistry," revealed a member of the Enterprise Platforms Support Windows Server Performance team.
Only via two higher privilege broker processes can IE7 perform elevated operations in the context of user approval, the privilege broker IEUser.exe and administrator privilege broker IEInstal.exe. The first permits users to save files anywhere on the hard drive, while the second governs the installation of ActiveX controls.
Eventual compatibility issues can be settled by adding an affected website to the trusted sites list or by turning off Protected Mode altogether.