When Microsoft builds an Operating System (OS), it has to build it to last. Windows XP endured a continuing blast of malware for the last 13 years. In particular, Internet Explorer 6 has seen a lot of vulnerabilities and saw the start of people moving away from Internet Explorer to the likes of Google’s Chrome and Mozilla’s Firefox. Since then, every release of Internet Explorer includes new security enhancements to help keep your colleagues safe as they browse the Internet.
In Windows 8.1, Microsoft gives us a new version of Internet Explorer 11. This gift comes in two packages; a package for The New Interface and a package for the desktop. This is in many ways similar to Internet Explorer 10 in Windows 8, except for one tiny aspect:
Both The New Interface version and the desktop version of Internet Explorer 11 have the Enhanced Protected Mode enabled by default.
About IE Enhanced Protected Mode
Internet Explorer Protected Mode is an extra layer of protection that locks down parts of your system that your browser ordinarily doesn’t need to use. This way, attackers are stopped from installing software or modifying system settings if they manage to run exploit code.
Internet Explorer Enhanced Protected Mode goes beyond Protected Mode, When enabled it will:
- Internet Explorer tabs cannot operate as local web servers
- Internet Explorer tabs with untrusted pages do not have access to intranet locations
- Internet Explorer tabs with untrusted pages do not have access to your colleagues’ domain credentials
- Internet Explorer tabs with untrusted pages are isolated in AppContainers
- Add-ons that are incompatible with Enhanced Protected Mode are not loaded
The Enhanced Protected Mode functionality to start Internet Explorer tab processes as 64bit processes is not enabled by default in Internet Explorer 11 in Windows 8.1. In contrast to earlier versions of Internet Explorer, this has become a separate setting.
The challenge with Enhanced Protected Mode is that your colleagues will no longer be able to use their plug-ins in Internet Explorer 11 in Windows 8.1.
While Adobe’s Flash Player is installed (and updated) by default in Internet Explorer since Internet Explorer 10, this is not the main cause for writing this. It’s Oracle’s Java and Citrix’ Receiver and GoToMeeting plug-ins, among other possible business critical Internet Explorer plug-ins, that should’ve grabbed your attention. Messages like the one below will pop-up from the bottom of Internet Explorer windows throughout your environment after you’ve migrated to Windows 8.1:
The More info link takes you to Microsoft KnowledgeBase Article 2864914 on Enhanced Protected Mode add-on compatibility.
Disabling Enhanced Protected Mode
If your organization relies on Internet Explorer plug-ins, it’s best to disable Enhanced Protected Mode for the desktop version of Internet Explorer 11 in Windows 8.1.
Group Policy Preferences approach
Although the preferred way to manage Internet Explorer settings would be a user-targeted Group Policy Preference, disabling Internet Explorer 11’s Enhanced Protected Mode this way, will pose some challenges:
- To disable Internet Explorer’s Enhanced Protected Mode, the PC on which the colleague works needs to actually reboot. To enable it again for another colleague requires another reboot.
- Windows Server 2012 R2 and Windows 8.1 don’t ship with Group Policy Preferences for Internet Explorer 11. You might have luck with the Internet Explorer 10-based Group Policy Preferences to disable Enhanced Protected Mode, but you won’t have any means to control the 64bit processes setting, which is typical for Internet Explorer 11’s Enhanced Protected Mode.
Group Policy approach
Two Group Policy settings are of particular interest for Enhanced Protected Mode in Internet Explorer. They are bot called Turn on Enhanced Protected Mode. One is located in Computer Configuration, Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel and finally Advanced Page. The other one is located under the User Configuration portion of a Group Policy Object.
These two Group Policy settings can be used to turn off Enhanced Protected Mode either on a per computer basis or a per user basis, by configuring the relevant setting to Disabled:
As an added bonus, the Enable 64-bit processes for Enhanced Protect Mode are not affected by this setting, either when you configure it as Enabled or Disabled:
As you can see the Enable Enhanced Protected Mode setting is grayed out and a little banner with the text Some settings are managed by your system administrator. is shown at the bottom of the screen.
When you disable Enhanced Protected Mode for specific colleagues, their mileage may vary due to the required restart for managing Enhanced Protected Mode. Using the Group Policy approach for computers works flawlessly.
Default user profile
Another recommendation for changing the Enhanced Protected Mode is configuring it as part of the default user profile.
To disable Enhanced Protected Mode, follow these steps:
- Start Internet Explorer for the desktop.
- Tap or click Tools, and then tap or click Internet options.
- On the Advanced tab, clear the Enable Enhanced Protected Mode check box under Security:
- Tap or click OK.
Next, save the profile to the Netlogon folder on one of your Domain Controllers and make it the default new profile for the (group of) users you want to have Enhanced Protected Mode turned off. This works best, when you want to provide your colleagues with a new profile, anyway.
Alternatively, you can place the website on which you want certain plug-ins or add-ins to work in the trusted sites list. An Internet Explorer Group Policy Preference would be an excellent means to achieve that goal.
Additional safety in Internet Explorer is something every admin would applaud… unless it’s affecting your colleagues’ productivity.
Thanks to Raymond Comvalius for our discussion on the benefits and drawbacks of Internet Explorer Enhanced Security Mode.
Thanks to Anthony Meluso for his Group Policy approach to disabling Enhanced Protected Mode.