How Internet Explorer Enhanced Protected Mode (EPM) is enabled under different configurations
EPM was first introduced in Internet Explorer 10, which provides the next level of protection to web users via below approaches:
· 64-bit processes
· Leverage the new AppContainer Integrity level in Windows 8 to provide sandboxed HTML5
For more information, please read Understanding Enhanced Protected Mode
When EPM is enabled for a website, you will see “Protected Mode: Enhanced“ in IE’s File->Properties dialog box.
And Process Explorer can show us the bitness and integrity level information of the IE processes. As you can see in the following screenshot, it is possible that the frame (manager) iexplore.exe process launches multiple tab (content) child processes, of different bitness and integrity levels. It is also possible that not 64bit and AppContainer are both enabled, even when IE shows protected mode is “Enhanced” for the webpage. IE goes through several configuration points in order to decide how to enable EPM.
Firstly the traditional protected mode should be enabled for the website. By default protected mode is turned off for the Local Intranet and Trusted Sites zones; but the Internet zone has protected mode enabled. Of cause UAC should not be turned off completely, otherwise protected mode won’t be available.
Secondly desktop IE’s EPM is disabled by default in Internet Options. Desktop IE won’t use EPM, unless you turn it on. More accurately speaking, the original version of IE11 in Windows 8.1 RTM enabled it actually. It should have been turned off, if you have installed the recent IE11 accumulative updates.
I’ll focus on desktop IE in this post.
Next EPM can be disabled per domain. If a website requires an add-on that is incompatible with EPM, you can turn EPM off for the whole domain of that website.
This per domain configuration is located in registry, path HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabProcConfig. As shown in the screenshot below. Each domain is configured by a DWORD value. Different DWORD values have different effects on EPM. The most common value is 0x47b, which means to use 32bit process & load incompatible add-ons. If a domain is given that 0x47b value, you will see protected mode as “On”, not “Enhanced”.
This per domain configuration is also pushed via the iecompatdata.xml files, in the <EPMCompatMode> section.
Finally suppose IE has gone through all the above configuration points and decide to enable EPM for the webpage, it will still need to check the following conditions, in order to decide how EPM should be enabled.
· Is the Windows 8 OS 32bit or 64bit?
64bit process is not available in 32bit OS, so EPM only means the AppContainer IL of sandboxed HTML in 32bit Windows 8.
· Is it IE10 or IE11?
The final decision will be 64bit process + AppContainer IL, if it is IE10.
· However if it is IE11, it will check if “Enable 64-bit processes for Enhanced Protected Mode*” is enabled in Internet Options.
It will be 64bit, only when this feature is checked, otherwise IE will still use a 32bit process.
It’s simplified for IE10 and 11 in Windows 7. The sandbox IL, AppContainer, is not available in Windows 7, hence EPM only makes sense in Windows 7 64bit. In Windows 7 64bit, IE11 doesn’t provide the “Enable 64-bit processes for Enhanced Protected Mode*” feature, for the same reason. All EPM processes are 64bit with the Low IL in Windows 7.
All of the above discussion can be summarized by the following 2 charts.
JunTao Zhu from GBSD DSI Team