Protected Mode, which was added in IE7 for Windows Vista, is a defense-in-depth feature that helps prevent attackers from installing software or modifying system settings if they manage to run exploit code. It is an extra layer of protection that locks down parts of your system that your browser ordinarily doesn't need to use. For example, your browser doesn't usually need to modify system settings or write to your Documents folder. Protected Mode is based on the principle of least privilege: by reducing the capabilities that Internet Explorer has, the capabilities available to exploit code are reduced as well.
Enhanced Protected Mode (EPM) takes this concept further by restricting additional capabilities. EPM is a new security feature in Internet Explorer 10 that was introduced in Windows 8.
In the upcoming Internet Explorer 10 on Windows 7 and Windows Server 2008 R2, the only thing that enabling Enhanced Protected Mode does is turn on 64-bit Content Processes. But when running on Windows 8, the EPM option provides even more security by also causing the sandboxed Content Process to run in a new process isolation feature called AppContainer. AppContainer, introduced by Windows 8, offers more fine-grained security permissions and blocks Write and Read access to most of the system.
Tabs running in Enhanced Protected Mode on Windows 8 run inside an AppContainer. On Windows 7 and Windows Server 2008 R2, AppContainer does not exist, so EPM only enables 64-bit tabs on a 64-bit OS. (That also means that enabling EPM on a 32-bit Windows 7 system doesn't do anything, because a 32-bit Windows 7 system supports neither 64-bit tabs nor AppContainer.)
In Windows 8, Metro-style IE tabs in the Internet and Restricted zones run in Enhanced Protected Mode, while tabs in other zones run in 64-bit only. You cannot disable EPM for Metro-style IE except by turning off Protected Mode entirely.
When EPM was introduced in IE10, AppContainer and 64-bit tabs (EPM) on 64-bit Windows 8 were turned on by default for Internet Explorer in the Windows UI (Metro), but turned off for desktop IE, which ran in Low Integrity Protected Mode with 32-bit tabs. In IE11, AppContainer is now turned on by default in both the Windows UI (Metro) IE11 and desktop IE11, so both environments can share cookies, cache, and other data for a better user experience. EPM is not supported in IE11 Preview on Windows 7.
When Enhanced Protected Mode is enabled, add-ons such as toolbars, browser helper objects (BHOs), and extensions are loaded only if they are compatible with Enhanced Protected Mode. If you have to load an incompatible add-on, you can turn off Enhanced Protected Mode for the desktop browser. This action lets incompatible add-ons load, but it may increase the risk of having malware or other potentially harmful software installed on your computer.
For more detailed information about Enhanced Protected Mode in Internet Explorer, see:
This tutorial will show you how to turn Enhanced Protected Mode (EPM) on or off in IE10 and IE11 for your user account in Windows 7 and Windows 8.