Starting with Windows Vista, Protected Mode was added as a new feature in Internet Explorer. This Protected Mode, added an extra layer of protection by locking down parts of your operating system that your browser did not ordinarily need to use, thereby preventing attackers from installing software or modifying system settings if they did manage to run exploit code.
In Windows 8, with Internet Explorer 10, Microsoft has further hardened and enhanced the Protected Mode, by introducing additional restrictions. Metro-style Internet Explorer will run with Enhanced Protected Mode enabled at all times.
Enhanced Protected Mode
Enhanced Protected Mode restricts Internet Explorer access to locations that contain your personal information until you grant permission to it. This helps prevent any exploits code from accessing your personal information without your permission. Let us see what Enhanced Protection Mode or EPM does.
Protects personal files
Consider Web-based email. If you want to attach a file from your Documents folder to the email, then Internet Explorer needs permission to access the file and upload it to your email provider. With Enhanced Protected Mode, a “broker process” will grant Internet Explorer temporary access to the file only if you actually click on “Open” on the file upload dialog. Brokering is done automatically after you choose to open a file. This is like providing a single safe deposit box to Internet Explorer when requested, instead of giving access to the entire safe all of the time.
Restricts access to corporate network resources
Enhanced Protected Mode restricts an exploit’s ability to access corporate network resources in three ways. First, Internet tab processes, which is where untrusted Internet pages load, do not have access to a user’s domain credentials. Second, they cannot operate as local webservers, which makes it more difficult to impersonate an Intranet site. Third, Internet tabs cannot make connections to intranet servers
64-bit processes
IE10 introduces 64-bit processes. Due to 64-bit memory addresses, protection features become more effective than on 32-bit ones, making attacks like the heap spray attacks, which are used by attackers to plant malicious code at predictable locations, become much more difficult.
In Internet Explorer 10 on Windows 7 and Windows Server 2008R2, the only thing that enabling Enhanced Protected Mode does is turn on 64bit Content Processes. But, when running on Windows 8, the EPM option provides even more security by also causing the Content Process to run in a new security sandbox called AppContainer, says a blog post on MSDN.
Metro-style Internet Explorer always runs with Enhanced Protected Mode enabled. You will have to enable it for IE desktop version.
Enable Enhanced Protected Mode in IE Desktop Version
To do so, open Internet Options and under the Advanced tab, browse down to Security. Here check the Enable Enhanced Protected Mode option. Click Apply/OK.
Once you enable Enhanced Protected Mode, incompatible add-ons will be automatically disabled. Moreover, when this option is enabled, all Content Processes that are running in Protected Mode (e.g. Internet Zone and Restricted Zone, by default) will begin to use 64bit Content Processes.
If you visit a website that requires a particular add-on, you will see a message. If you trust the website, you can disable EPM, so that the site can run the control or plugin. So till such a time that all or most plugins are made to run in EPM, you may find the browsing experience, when EPM is enabled, being constrained.
