Why I Turn Off Protected Mode
Typically, when I build a new Windows Vista machine, one of my first activities (besides turning off the highly irritating User Account Control) is to turn off Protected Mode in IE7. I do this mainly for performance reasons. I don’t have specific metrics around the positive or negative impact Protected Mode may have on my browsing experience. I always assume that more security layers mean more processor cycles and perhaps memory and thus lower performance numbers. I wanted to find out the story behind Protected Mode and whether I should keep it enabled or not. (You can enable and disable Protected Mode by clicking the Tools menu then clicking the Security tab. The Protected Mode checkbox is at the bottom of this tab in Vista’s IE7.)
Understanding Vista’s IE Security Model
The official Microsoft description is complicated. The explanation on their blog is highly technical and not much help to someone attempting to make an informed decision. Their description on MSDN isn’t much better. I’ll try to sift through the techno-talk here and lay out what I think is going on.
First, Protected Mode is available only on Windows Vista. This is because much of the power needed by Protected Mode is available only through the security subsystem of Vista. If you’re running IE 7 on Windows XP, you’re out of luck.
Second, to understand Protected Mode, we have to better understand Vista’s security model. In Vista, each area of the computer system to which data could be written and from which data could be read is broken down into access groups and requires specific access permissions called "Integrity Access Levels" or IL for short. Files and registry keys are called "Securable objects" and default to medium IL. This means that if a process (like a program) doesn’t have a specific permission assigned to it, it is assumed to be run by the user and thus can only write to specific areas of the registry and modify user files located, say, in the user’s Document folder.
Processes (again, these are typically defined as running programs of some sort) have an IL that’s dependent upon where they are run. Applications run from the Start menu have Medium (User) IL. If an application requires Administrative privileges, it runs with High IL, which means it can write to (almost) any file and (almost) any area of the registry. Processes with Low IL can only access very limited files and registry keys that are specified by the operating system as Low access (see below). The Low IL specification is considered untrusted.
The bottom line here is that Vista segments areas of your computer system into "protected" and "unprotected." To access the protected areas, which typically contain key operating system files, personal user data, program access and the like, a program must have specific permissions from you, the user, or from the operating system. So how does this apply to Protected Mode in IE7?
What is Protected Mode?
Protected Mode essentially places all code that runs from IE into the Low IL. When IE7 runs in protected mode, it and programs it runs cannot "gain write access to files and registry keys in a user’s profile or system locations." (source: MSDN). Vista creates specific low IL areas of the file system and registry specifically for IE7, including the temporary Internet files folder, the History folder, cookies storage and favorites.
When a program wants to access an area of your computer that is rated higher than Low IL, typically IE will prompt you to ask your permission. Thus, you would give specific rights to the browser to perform an operation in a non-Low IL area. In a very real sense, Protected Mode operates just like User Account Control within Vista in general.
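The write rule described in the two sections above can be checked against an object's security descriptor. The following is an added example, not code from the original post or from Microsoft: it reads the mandatory label ACE from an SDDL string (Windows's own `ML` ACE type, `NW` no-write-up policy and `LW`/`ME`/`HI`/`SI` level aliases) and decides whether a process at a given level passes the integrity check. The function names, sample paths and sample descriptors are constructed for illustration.

```python
import re

# Integrity levels as RIDs of the S-1-16-<rid> label SIDs, keyed by SDDL alias.
RID = {"LW": 4096, "ME": 8192, "HI": 12288, "SI": 16384}
NAME = {4096: "Low", 8192: "Medium", 12288: "High", 16384: "System"}

# Mandatory label ACE in SDDL: (ML;<ace flags>;<policy>;;;<label SID>)
ML_ACE = re.compile(r"\(ML;([A-Z]*);([A-Z]*);;;([A-Z]{2}|S-1-16-\d+)\)")

def object_label(sddl):
    """Return (rid, policy_set) for a security descriptor in SDDL form.
    With no label ACE the object is treated as Medium, no-write-up (the default)."""
    m = ML_ACE.search(sddl)
    if m is None:
        return RID["ME"], {"NW"}
    sid = m.group(3)
    rid = RID[sid] if sid in RID else int(sid.rsplit("-", 1)[1])
    return rid, set(re.findall(r"NW|NR|NX", m.group(2)))

def can_write(process_level, sddl):
    """Integrity check only: a lower-integrity process is refused write access
    when the label carries no-write-up. The DACL is evaluated separately."""
    rid, policy = object_label(sddl)
    return RID[process_level] >= rid or "NW" not in policy

def audit(process_level, objects):
    """Map each path to (object level name, write allowed?) for one process level."""
    out = {}
    for path, sddl in objects.items():
        rid, _ = object_label(sddl)
        out[path] = (NAME.get(rid, str(rid)), can_write(process_level, sddl))
    return out

# Constructed sample descriptors (hypothetical paths, not captured from a real system).
SAMPLE = {
    r"C:\Users\alice\Documents\taxes.xls": "O:BAG:SYD:(A;;FA;;;BA)",
    r"C:\Users\alice\AppData\LocalLow": "O:BAG:SYD:(A;OICI;FA;;;BA)S:(ML;OICI;NW;;;LW)",
    r"C:\Example\admin-only.cfg": "D:(A;;FA;;;SY)S:(ML;;NW;;;S-1-16-12288)",
}

if __name__ == "__main__":
    for level in ("LW", "ME"):  # Protected Mode IE vs. a normal user program
        for path, (label, ok) in audit(level, SAMPLE).items():
            verdict = "write ok" if ok else "blocked"
            print(f"{NAME[RID[level]]:6} -> {label:6} {verdict:8} {path}")
```

On a real Vista system the label of a file or folder can be displayed with `icacls <path>`, and the level of the current process with `whoami /groups`.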
Should You Use Protected Mode?
Protected Mode clearly will provide a high level of protection for most users. The downside to using Protected Mode–and UAC for that matter–is that users will constantly be bombarded with dialog boxes asking for permission for things, and some processes that are safe might be screened as unsafe by the system. At the end of the day, whether a process runs is up to you, and it seems like an extra step on your part if you have to give a process permission to access a secure area after you’ve already given it permission to run. The biggest advantage of Protected Mode is that it will block malicious programs that you haven’t specifically told to run.
You might consider Protected Mode to be like a can of mace. If you frequent high-crime, high-violence neighborhoods that pose severe danger to life and property, carrying mace and keeping your hand on it at all times probably isn’t a bad idea. If you tend to stay in safer areas of town with low crime and low violence, a defensive weapon probably isn’t necessary (even though it might be on a rare occasion). The same is true of Protected Mode. If you browse known sites, do a good job of screening your email, and tend to be very careful about what you allow to run on your computer, Protected Mode will probably end up just being extra baggage that will turn out to be more of an annoyance than a help.
Still, some view the Internet less like a city with good and bad neighborhoods and more like the Wild West. If that’s your view, Protected Mode will be more like your trusty Six-Shooter which you’d want loaded and at your side whenever you step out onto the street.