Windows 7 : Configuring and Troubleshooting Internet Explorer Security - Adding Sites to the Trusted Sites List , Protected Mode

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019

1. Adding Sites to the Trusted Sites List

Internet Explorer is configured by default to prevent Internet Web sites from performing many actions that might compromise the computer's security or the user's privacy. However, some legitimate Web sites might need to perform those actions to allow Web applications to run properly.

Administrators can add sites to the Trusted Sites list to grant them additional privileges. To add a site to the Trusted Sites list, follow these steps:

  1. In Internet Explorer, click the Tools menu on the toolbar, and then click Internet Options.

  2. In the Internet Options dialog box, click the Security tab. Click Trusted Sites, and then click Sites.

  3. In the Trusted Sites dialog box, clear the Require Server Verification check box if you access the server using HTTP rather than HTTPS.

  4. In the Add This Website To The Zone box, type the URL of the Web site, such as, and then click Add.

  5. Click Close.

The next time you visit the site, Internet Explorer grants it all the privileges assigned to the Trusted Sites list.

2. Protected Mode

Before Windows Vista, many computers were compromised when Web sites containing malicious code succeeded in abusing the Web browsers of visitors to run code on the client computer. Because any new process spawned by an existing process inherits the privileges of the parent process and the Web browser ran with the user's full privileges, maliciously spawned processes received the same privilege as the user. With the user's elevated privileges, the malicious process could install software and transfer confidential documents.

In Windows Vista and Windows 7, Internet Explorer hopes to reduce this type of risk using a feature called Protected Mode. With Protected Mode (originally introduced with Internet Explorer 7), Internet Explorer 8 runs with very limited privileges on the local computer—even fewer privileges than those that the standard user has in Windows 7. Therefore, even if malicious code on a Web site were to abuse Internet Explorer successfully to spawn a process, that malicious process would have privileges only to access the Temporary Internet Files folder and a few other locations—it would not be able to install software, reconfigure the computer, or read the user's documents.

For example, most users log on to computers running Windows XP with administrative privileges. If a Web site exploits a vulnerability in Windows XP that hasn't been fixed with an update and successfully starts a process to install spyware, the spyware installation process would have full administrator privileges to the local computer. On a computer running Windows 7 the spyware install process would have minimal privileges—even less than those of a standard user—regardless of whether the user was logged on as an administrator.

Protected Mode is a form of defense-in-depth. Protected Mode is a factor only if malicious code successfully compromises the Web browser and runs. In these cases, Protected Mode limits the damage the process can do without the user's permission. Protected Mode is not available when Internet Explorer is installed on Windows XP because it requires several security features unique to Windows Vista and Windows 7.

The sections that follow provide more information about Protected Mode.

How Protected Mode Works

One of the features of Windows 7 that enables Protected Mode is Mandatory Integrity Control (MIC). MIC labels processes, folders, files, and registry keys using one of four integrity access levels (ILs), as shown in Table 1. Internet Explorer runs with a low IL, which means it can access only other low IL resources without the user's permission.

Table 1. Mandatory Integrity Control Levels




System; processes have unlimited access to the computer.


Administrative; processes can install files to the Program Files folder and write to sensitive registry areas like HKEY_LOCAL_MACHINE.


User; processes can create and modify files in the user's Documents folder and write to user-specific areas of the registry, such as HKEY_CURRENT_USER. Most files and folders on a computer have a medium integrity level because any object without a mandatory label has an implied default integrity level of Medium.


Untrusted; processes can write only to low-integrity locations, such as the Temporary Internet Files\Low folder or the HKEY_CURRENT_USER\Software\LowRegistry key.

Low IL resources that Internet Explorer in Protected Mode can access include:

  • The History folder

  • The Cookies folder

  • The Favorites folder

  • The %Userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\ folder

  • The Temporary Files folders

  • The HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry key

How the Protected Mode Compatibility Layer Works

To minimize both the number of privilege elevation requests and the number of compatibility problems, Protected Mode provides a compatibility layer. The Protected Mode Compatibility Layer redirects requests for protected resources to safer locations. For example, any requests for the Documents library are redirected automatically to subfolders contained within the hidden %Userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized folder. The first time that an add-on attempts to write to a protected object, the Protected Mode Compatibility Layer copies the object to a safe location and accesses the copy. All future requests for the same protected file access the copy.

The Protected Mode Compatibility Layer applies only to Internet Explorer add-ons written for versions of Windows prior to Windows Vista because anything written for Windows Vista or Windows 7 would access files natively in the preferred locations.

How to Enable Compatibility Logging

Some Web applications and Internet Explorer add-ons developed for earlier versions of Internet Explorer have compatibility problems when you run them with Internet Explorer 8 and Windows 7. One way to identify the exact compatibility problem is to enable compatibility logging using Group Policy. To enable compatibility logging on your local computer, perform these steps:

  1. Click Start, type gpedit.msc, and then press Enter.

  2. In the Group Policy Object Editor, browse to User Configuration\Administrative Templates\Windows Components\Internet Explorer. If you need to enable compatibility logging for all users on the computer, browse to Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.

  3. Double-click the Turn On Compatibility Logging setting. Select Enabled, and then click OK.

  4. Restart Internet Explorer if it is currently open; otherwise, start it.

With compatibility logging enabled, you should reproduce the problem you are experiencing. You can then view events in the Event Viewer snap-in under Applications And Service Logs\Internet Explorer. Some events, such as Event ID 1037, will not have a description unless you also install the Application Compatibility Toolkit.



For more information about compatibility logging, read "Finding Security Compatibility Issues in Internet Explorer 7," at It applies equally well to Internet Explorer 8.

How to Disable Protected Mode

If you are concerned that Protected Mode is causing problems with a Web application, you can disable it temporarily to test the application. Protected Mode is enabled on a zone-by-zone basis and is disabled by default for Trusted Sites.

To disable Protected Mode, perform these steps:

  1. Open Internet Explorer.

  2. Click the Tools button on the toolbar, and then click Internet Options.

  3. Click the Security tab.

  4. Select the zone for which you want to disable Protected Mode. Then, clear the Enable Protected Mode check box.

  5. Click OK twice.

  6. Restart Internet Explorer.

If the application works when Protected Mode is disabled, the problem is probably related to Protected Mode. In that case, you should re-enable Protected Mode and work with the application developer to solve the problems in the Web application. Alternatively, you could add the site to the Trusted Sites zone, thus permanently disabling Protected Mode for that site.

  •  Windows 7 : Configuring and Troubleshooting Internet Explorer Security - Internet Explorer Add-Ons (part 2) - How to Configure ActiveX Add-Ons
  •  Windows 7 : Configuring and Troubleshooting Internet Explorer Security - Internet Explorer Add-Ons (part 1)
  •  Windows Server 2008 : Using ntdsutil - Seizing an Operations Master Role
  •  Windows Server 2008 : Using ntdsutil - Performing an Authoritative Restore, Removing a Domain Controller from Active Directory
  •  Windows Server 2008 : Using ntdsutil - Moving Active Directory to a Different Drive, Defragmenting Active Directory
  •  Windows Server 2008 : Using ntdsutil - Resetting the Directory Services Restore Mode Password, Changing the Garbage Collection Logging Level
  •  Windows Server 2003 : Deploying Stub Zones - Benefits of Stub Zones, Stub Zone Updates
  •  Windows Server 2003 : Creating Zone Delegations - Delegating Zones
  •  Windows Server 2003 : Configuring Advanced DNS Server Properties (part 2)
  •  Windows Server 2003 : Configuring Advanced DNS Server Properties (part 1)
    Top 10
    Free Mobile And Desktop Apps For Accessing Restricted Websites
    MASERATI QUATTROPORTE; DIESEL : Lure of Italian limos
    TOYOTA CAMRY 2; 2.5 : Camry now more comely
    KIA SORENTO 2.2CRDi : Fuel-sipping slugger
    How To Setup, Password Protect & Encrypt Wireless Internet Connection
    Emulate And Run iPad Apps On Windows, Mac OS X & Linux With iPadian
    Backup & Restore Game Progress From Any Game With SaveGameProgress
    Generate A Facebook Timeline Cover Using A Free App
    New App for Women ‘Remix’ Offers Fashion Advice & Style Tips
    SG50 Ferrari F12berlinetta : Prancing Horse for Lion City's 50th
    - Messages forwarded by Outlook rule go nowhere
    - Create and Deploy Windows 7 Image
    - How do I check to see if my exchange 2003 is an open relay? (not using a open relay tester tool online, but on the console)
    - Creating and using an unencrypted cookie in ASP.NET
    - Directories
    - Poor Performance on Sharepoint 2010 Server
    - SBS 2008 ~ The e-mail alias already exists...
    - Public to Private IP - DNS Changes
    - Send Email from Winform application
    - How to create a .mdb file from ms sql server database.......
    programming4us programming4us