I was playing around with a little tool chml that allows you to do more with IL than icacls. You can set SACL's on files through SDDL strings whereas icacls only lets you set the level, not the qualifier (NX: No execute, NR: No read, NW: no write). icacls always defaults to NW.

By default the IL level of files is set to medium. This is a somewhat incomplete statement. Protected Mode IE (which is running in Low MIC level) can still open files and load dlls and execute code in those. The only thing it can't do is write to files. So the default IL on files is more accurately set to medium with a no-write-up restriction for lower level processes: read up and execute up is still allowed for Low MIC processes.

Also, from my quick tests it looks like S:(ML;;NWNXNR;;;ME)is the same as S:(ML;;;;;ME). Adding those qualifiers restrict the particular access, while leaving the others open. S:(ML;;NW;;;ME)means that the file is not accessible for writing but still for executing and reading from a low MIC process.