UAC and IE Protected Mode?

> Hello,
>
> Yes, there is a difference. When UAC is enabled, IE runs in protected
> mode. This mode is much, much more restrictive than the mode IE runs in
> when running under a standard user account.
>
> When IE is running in protected mode, it cannot save/modify any files on
> your computer (other than temporary internet files), save/modify any
> registry keys (except for certain ones it needs to work), and it cannot
> talk to any other programs on your computer (except for one that is used
> to ask you for permission).
>
> In protected mode, when IE wants out of this "protection box", it has to
> go through the broker program, which asks you for permission before it
> proceeds. In effect, YOU have to know about and approve IE to allow it to
> touch any file, registry key, program, etc. on your computer.
>
> In this scenario, if your IE is taken control of by some rogue program,
> that rogue program will be unable to damage anything except a few IE
> settings, because it will be unable to modify your files/settings/programs
> (unless it asks you for permission and you give it the permission).
>
> When protected mode disabled, IE gets the full power of your user account.
> So in the same situation with protected mode off, a rogue IE will have as
> much access to your computer that you do. If you are running as a standard
> user, then it can access all of your documents and settings that affect
> your user account. If you are an admin, then the rogue IE can do anything
> it wants.
>
>
> --
> - JB
>
> Windows Vista Support Faq
> http://www.jimmah.com/vista/

> Which all brings up an interesting point: is there any way to untie the
> two? Now that the beta is over, I don't want to endure UAC any longer, but
> I was shocked to find that IE's Protected Mode goes along with it,
> something I never expected and which I think is very unfortunate, since
> many people are going to disable UAC yet would never think of disabling
> Protected Mode.
>
> Now, this is where someone comes along and says that it's simple to make
> happen with a policy change or similar.
>
> "Jimmy Brush" <JimmyBrush@discussions.microsoft.com> wrote in message
> news:2C9C28F8-6138-468E-B858-1C4BAAD144A4@microsoft.com...

>> Hello,
>>
>> Yes, there is a difference. When UAC is enabled, IE runs in protected
>> mode. This mode is much, much more restrictive than the mode IE runs in
>> when running under a standard user account.
>>
>> When IE is running in protected mode, it cannot save/modify any files on
>> your computer (other than temporary internet files), save/modify any
>> registry keys (except for certain ones it needs to work), and it cannot
>> talk to any other programs on your computer (except for one that is used
>> to ask you for permission).
>>
>> In protected mode, when IE wants out of this "protection box", it has to
>> go through the broker program, which asks you for permission before it
>> proceeds. In effect, YOU have to know about and approve IE to allow it to
>> touch any file, registry key, program, etc. on your computer.
>>
>> In this scenario, if your IE is taken control of by some rogue program,
>> that rogue program will be unable to damage anything except a few IE
>> settings, because it will be unable to modify your
>> files/settings/programs (unless it asks you for permission and you give
>> it the permission).
>>
>> When protected mode disabled, IE gets the full power of your user
>> account. So in the same situation with protected mode off, a rogue IE
>> will have as much access to your computer that you do. If you are running
>> as a standard user, then it can access all of your documents and settings
>> that affect your user account. If you are an admin, then the rogue IE can
>> do anything it wants.
>>
>>
>> --
>> - JB
>>
>> Windows Vista Support Faq
>> http://www.jimmah.com/vista/

>

> Why on Earth would you disable UAC???? Especially for the typical end
> user. This technology will be the "saving grace" of many enterprises,
> small businesses, etc... I would debate your claim that "many people are
> going to disable UAC." From my standpoint, UAC is the best benefits of
> Vista.
>
> -Ben
>
> ______________
> Ben Miller
> CISSP
> GSEC
> Security+
> "Milhouse Van Houten" <btvs@myrealbox.com> wrote in message
> news:OFneHn3CHHA.3396@TK2MSFTNGP02.phx.gbl...

>> Which all brings up an interesting point: is there any way to untie the
>> two? Now that the beta is over, I don't want to endure UAC any longer,
>> but I was shocked to find that IE's Protected Mode goes along with it,
>> something I never expected and which I think is very unfortunate, since
>> many people are going to disable UAC yet would never think of disabling
>> Protected Mode.
>>
>> Now, this is where someone comes along and says that it's simple to make
>> happen with a policy change or similar.
>>
>> "Jimmy Brush" <JimmyBrush@discussions.microsoft.com> wrote in message
>> news:2C9C28F8-6138-468E-B858-1C4BAAD144A4@microsoft.com...

>>> Hello,
>>>
>>> Yes, there is a difference. When UAC is enabled, IE runs in protected
>>> mode. This mode is much, much more restrictive than the mode IE runs in
>>> when running under a standard user account.
>>>
>>> When IE is running in protected mode, it cannot save/modify any files on
>>> your computer (other than temporary internet files), save/modify any
>>> registry keys (except for certain ones it needs to work), and it cannot
>>> talk to any other programs on your computer (except for one that is used
>>> to ask you for permission).
>>>
>>> In protected mode, when IE wants out of this "protection box", it has to
>>> go through the broker program, which asks you for permission before it
>>> proceeds. In effect, YOU have to know about and approve IE to allow it
>>> to touch any file, registry key, program, etc. on your computer.
>>>
>>> In this scenario, if your IE is taken control of by some rogue program,
>>> that rogue program will be unable to damage anything except a few IE
>>> settings, because it will be unable to modify your
>>> files/settings/programs (unless it asks you for permission and you give
>>> it the permission).
>>>
>>> When protected mode disabled, IE gets the full power of your user
>>> account. So in the same situation with protected mode off, a rogue IE
>>> will have as much access to your computer that you do. If you are
>>> running as a standard user, then it can access all of your documents and
>>> settings that affect your user account. If you are an admin, then the
>>> rogue IE can do anything it wants.
>>>
>>>
>>> --
>>> - JB
>>>
>>> Windows Vista Support Faq
>>> http://www.jimmah.com/vista/

>>

>

>I can only think of two possible reasons for his post. 1) He is a bot
>master and wants to keep people from implementing minimal security. 2)
>Stupidity is the other.
>
> Why can't people understand that UAC is just a technique that has been in
> Unix for decades?
>
> "Ben Miller" <ben@SPAMSUCKSthemillerexperience.com> wrote in message
> news:599BC259-2665-4AC1-97B3-62C9A938E0CA@microsoft.com...

>> Why on Earth would you disable UAC???? Especially for the typical end
>> user. This technology will be the "saving grace" of many enterprises,
>> small businesses, etc... I would debate your claim that "many people are
>> going to disable UAC." From my standpoint, UAC is the best benefits of
>> Vista.
>>
>> -Ben
>>
>> ______________
>> Ben Miller
>> CISSP
>> GSEC
>> Security+
>> "Milhouse Van Houten" <btvs@myrealbox.com> wrote in message
>> news:OFneHn3CHHA.3396@TK2MSFTNGP02.phx.gbl...

>>> Which all brings up an interesting point: is there any way to untie the
>>> two? Now that the beta is over, I don't want to endure UAC any longer,
>>> but I was shocked to find that IE's Protected Mode goes along with it,
>>> something I never expected and which I think is very unfortunate, since
>>> many people are going to disable UAC yet would never think of disabling
>>> Protected Mode.
>>>
>>> Now, this is where someone comes along and says that it's simple to make
>>> happen with a policy change or similar.
>>>
>>> "Jimmy Brush" <JimmyBrush@discussions.microsoft.com> wrote in message
>>> news:2C9C28F8-6138-468E-B858-1C4BAAD144A4@microsoft.com...
>>>> Hello,
>>>>
>>>> Yes, there is a difference. When UAC is enabled, IE runs in protected
>>>> mode. This mode is much, much more restrictive than the mode IE runs in
>>>> when running under a standard user account.
>>>>
>>>> When IE is running in protected mode, it cannot save/modify any files
>>>> on your computer (other than temporary internet files), save/modify any
>>>> registry keys (except for certain ones it needs to work), and it cannot
>>>> talk to any other programs on your computer (except for one that is
>>>> used to ask you for permission).
>>>>
>>>> In protected mode, when IE wants out of this "protection box", it has
>>>> to go through the broker program, which asks you for permission before
>>>> it proceeds. In effect, YOU have to know about and approve IE to allow
>>>> it to touch any file, registry key, program, etc. on your computer.
>>>>
>>>> In this scenario, if your IE is taken control of by some rogue program,
>>>> that rogue program will be unable to damage anything except a few IE
>>>> settings, because it will be unable to modify your
>>>> files/settings/programs (unless it asks you for permission and you give
>>>> it the permission).
>>>>
>>>> When protected mode disabled, IE gets the full power of your user
>>>> account. So in the same situation with protected mode off, a rogue IE
>>>> will have as much access to your computer that you do. If you are
>>>> running as a standard user, then it can access all of your documents
>>>> and settings that affect your user account. If you are an admin, then
>>>> the rogue IE can do anything it wants.
>>>>
>>>>
>>>> --
>>>> - JB
>>>>
>>>> Windows Vista Support Faq
>>>> http://www.jimmah.com/vista/
>>>

>>

>
>

> since many people are
> going to disable UAC

>
>
> "Milhouse Van Houten" wrote:
>

>> since many people are
>> going to disable UAC

>
> only stupid people disables the UAC

> Boy mik, those last two posts were very eloquent. Grow up kid.
>
> -Ben
> ______________
> Ben Miller
> CISSP
> GSEC
> Security+
>
>
> "mik" <mik@discussions.microsoft.com> wrote in message
> news:BCF9EE68-FD6C-479E-99CA-2856B281D23E@microsoft.com...

>>
>>
>> "Milhouse Van Houten" wrote:
>>

>>> since many people are
>>> going to disable UAC

>>
>> only stupid people disables the UAC

>

> Boy mik, those last two posts were very eloquent. Grow up kid.
>
> -Ben
> ______________
> Ben Miller
> CISSP
> GSEC
> Security+
>
>
> "mik" <mik@discussions.microsoft.com> wrote in message
> news:BCF9EE68-FD6C-479E-99CA-2856B281D23E@microsoft.com...

>>
>>
>> "Milhouse Van Houten" wrote:
>>

>>> since many people are
>>> going to disable UAC

>>
>> only stupid people disables the UAC

>