IE7 in Windows Vista: Configuring Your View Source Editor


We’ve noticed a few blog posts asking why IE7 in Windows Vista displays a prompt to launch Notepad. You can see this prompt by right clicking on a webpage and selecting View Source. I want to explain why the prompt is displayed and also tell you how to turn it off.

As you probably already know from previous blog entries, Windows Vista includes an IE security feature called Protected Mode. Protected Mode runs the IE process with lower privileges and also helps protect against malicious webpages that try to automatically pass content to higher privileged applications like Notepad.

Before launching applications like Notepad that weren’t designed to work with low privilege, Protected Mode displays the following prompt to get your permission. This prompt is designed for the worst-case security scenario, which is a malicious webpage trying to silently elevate out of Protected Mode by launching an application or reusing one that you’re launching. For example, in the scenario where you select View Source, a malicious webpage could try to silently pass its content to Notepad instead of the webpage’s source code. This could be a dangerous scenario if there was a vulnerability in Notepad.

IE Security Prompt Dialog

If you only browse to web sites you trust and you don’t want to click through this prompt in the future, you can check the “Do not show me the warning for this program again” box before clicking “Allow”. Checking this box and “Allow” will add the following entry to Protected Mode’s elevation policy:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9F5511FE-4BB1-474D-B6ED-8877567E7F36}]
"AppPath"="C:\\Windows\\System32"
"AppName"="notepad.exe"
"Policy"=dword:00000003

You can find more details on Protected Mode’s elevation policy in the Protected Mode technical article on MSDN.

If you later decide that you want to see this Protected Mode elevation prompt again for Notepad or any other application you added to Protected Mode’s elevation policy, either delete the registry key mentioned above or click “Reset…” in the Internet Options Advanced tab.
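An added example (not from the original post or from Microsoft): a PowerShell audit of the per-user elevation policy entries described above, showing what each entry's Policy value does, plus a helper that deletes one entry so the prompt returns for that program. The function names are made up for this example, the meanings of Policy values 0 to 2 are taken from the MSDN Protected Mode article rather than from this post, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: audit Protected Mode elevation policy for the current user.
# Function names are hypothetical; the registry path is the one quoted in the post.
$ElevationPolicyRoot = 'HKCU:\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy'

# Policy value 3 is what the "Do not show me the warning" checkbox writes.
# Values 0-2 are as documented in the MSDN Protected Mode article (assumption:
# not stated in this post).
$PolicyMeaning = @{
    0 = 'blocked: Protected Mode prevents the launch'
    1 = 'silent launch at low integrity'
    2 = 'prompt, then launch at medium integrity'
    3 = 'silent launch at medium integrity (no prompt)'
}

function Get-ElevationPolicyEntry {
    param([string]$Path = $ElevationPolicyRoot)

    # No key means no per-user exceptions have been recorded.
    if (-not (Test-Path -LiteralPath $Path)) { return }

    Get-ChildItem -LiteralPath $Path | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        if ($null -eq $p.Policy) {
            $meaning = 'no Policy value set'
        } elseif ($PolicyMeaning.ContainsKey([int]$p.Policy)) {
            $meaning = $PolicyMeaning[[int]$p.Policy]
        } else {
            $meaning = 'unrecognized value'
        }
        [pscustomobject]@{
            Guid    = $_.PSChildName
            AppName = $p.AppName
            AppPath = $p.AppPath
            Policy  = $p.Policy
            Meaning = $meaning
        }
    }
}

function Remove-ElevationPolicyEntry {
    # Deleting the entry brings the Protected Mode prompt back for that program.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Guid,
        [string]$Path = $ElevationPolicyRoot
    )
    $key = Join-Path $Path $Guid
    if ((Test-Path -LiteralPath $key) -and
        $PSCmdlet.ShouldProcess($key, 'Delete elevation policy entry')) {
        Remove-Item -LiteralPath $key -Recurse
    }
}

# List every program that can leave Protected Mode without a prompt.
Get-ElevationPolicyEntry |
    Where-Object { $_.Policy -eq 3 } |
    Format-Table Guid, AppName, AppPath, Meaning -AutoSize

# Dry run of removing the Notepad entry shown in the post:
# Remove-ElevationPolicyEntry -Guid '{9F5511FE-4BB1-474D-B6ED-8877567E7F36}' -WhatIf
```

Any entry with Policy 3 whose AppName or AppPath you do not recognize is worth reviewing, since it lets content launched from a Protected Mode process reach that program without asking.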

Internet Explorer Advanced Options Tab

If you are looking for a better View Source Editor option than Notepad, install Microsoft Visual Web Developer 2005 Express Edition and add:

C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\VWDExpress.exe

to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\View Source Editor\Editor Name

IE Registry Editor

Thanks for reading!

Marc Silbey
Program Manager

edit: Correction: If you are looking for a better View Source Editor option, Add: If you later decide that you want to see

Comments (50)

  1. scared says:

    Am I the only one that is scared, that Notepad runs with higher security rights than IE?

    Notepad? OMG!

  2. Biserkov says:

    [Quote]This could be a dangerous scenario if there was vulnerability in Notepad[/Quote]

    Give me a break! Security vulnerability in Notepad?! In our most beloved fast, simple and secure ad hoc text editor. Come on! This is misapplied focus on security.

    And the security message is completely wrong:

    "A website wants to open web content using this program on your computer". It’s not the site, stupid, it’s me, the power user (I understand HTML at least). Can’t IE tell the difference between some malicious site running client-side scripts and the client?!? Am I too naive?

    Is there a reasonable explanation for this situation? I’m looking forward to hearing from you.

    Have a nice day.

  3. Aedrin says:

    "Am I the only one that is scared, that Notepad runs with higher security rights than IE?"

    So they put IE into the lowest privilege possible. And suddenly it’s a surprise that Notepad has more privileges than IE (a program that can write/read any file).

    Am I the only one that is scared that all this IE bashing is nothing more than users not having a clue?

    ""A website wants to open web content using this program on your computer". It’s not the site, stupid, it’s me, the power user (I understand HTML at least). Can’t IE tell the difference between some malicious site running client-side scripts and the client?!? Am I too naive?"

    Yes. Assuming something is caused by the user, is assuming that the internet is safe.

  4. What I would like to see is never show this again for this site.  So even if I elevate it and have it not tell me again for that site, even if a NG site found a way, I would still need to be asked.

  5. codemastr says:

    Or you can do like almost all Vista users are doing and just disable UAC. That stops this too. I know MS is going to tell you this is "ill advised" or "poor security" but I think for most people, the time savings from turning off UAC more than make up for the potential security risks. I no longer have to click through 8 dialogs just to run an installer… I just run it and it works… it’s crazy!

  6. Jill says:

    Hello;

    What I’m not sure about is the Reset… button.  Is this the only way to modify the settings?  It seems strange that in order to fix 1 setting, for 1 site, I need to erase every setting for every site I have ever set?

    Would it not be better, if there was a "change settings" button, that was sensitive to the site you were on?

    For example, you are on say eBay.com  you could click the button, and have the choice as to which settings you want to change.

    [_] Allow this site to….

    [_] Allow this site to….

    [_] Allow this site to….

    Where each option is something like the "open editor (Notepad.exe) to view the HTML source".

    This seems much more straightforward to me.

  7. Mark says:

    It is ill-advised to turn off UAC for good reason. This is implemented in every other secure OS as well. If you prefer the "let me do whatever I want to" approach, you are welcome to use the 9x series of OS’s. As for website-specific UAC, this is completely unfeasible. The entire design of a secure OS is that if one component in the chain breaks, the others are still secure. If you want website-specific UAC, then you are defeating the purpose of setting IE’s security to its lowest setting. If a flaw is found in IE and someone manages to control your IE, then said person would just have to send UAC a flag or token saying that it’s from a trusted website. In short: you’re just begging for escalation of privilege attacks if you have more than one component managing the rights.

  8. ash says:

    @scared

    "Am I the only one that is scared, that Notepad runs with higher security rights than IE?"

    As the dialog implies, Notepad.exe is not part of IE.  Any attempt to run a program outside of the IE process will cause a security prompt.  You wouldn’t want anything else.  It’s got nothing to do with "higher security rights".

    @Biserkov

    " Can’t IE tell the difference between some malicious site running client-side scripts and the client?!? Am I too naive?"

    No and yes.  

  9. I apologize that this is off-topic, but has there been any word yet on IE Next?  When can we expect it?  What features will it contain?  Will you make it available for Linux?

    (ok, the last one was a joke)

  10. Rogers Place says:

    I also have and use Netscape browser. IE7 is more widely used but the Netscape browser doesn’t have nearly the security issues IE7 has.

  11. IF YOU DONT ALLOW FULL TOOLBAR LAYOUT CUSTOMIZATION AND TOOLBAR BUTTONS CUSTOMIZATION IN THE NEXT IE, I’M OFF TO FIREFOX.

  12. casz says:

    @someone

    who cares about layout and toolbar customizations? IE7 layout is just perfect like this and it’s better than FF.

  13. Ben says:

    Choice comments from a friend:

    grIMacE says ‘Notepad runs at a higher level of security than IE’

    grIMacE says ‘excellent’

    grIMacE says ‘which is the one with the security vulnerabilities again?’

    Facetious remarks aside, Firefox, Safari and Opera all solved this years ago by embedding the source viewer within the application. Was doing something like this for IE7 too much hard work, guys? I mean, rendering fixed width text *is* pretty tough…

  14. george says:

    @casz Wrong! The IE7 layout has been much discussed in this blog and (when it was alive) IE Feedback.  The lack of interface customization is actually a major stumbling block for lots of users.  I too hate the default layout, the missing menu bar, the clutter on the tab row, but I can’t change it.  But like "someone" said, in other browsers, Firefox, Opera, etc., modifying this content is a piece of cake. (Well, in Firefox, it’s even easier: the tab bar is a tab bar, with no other garbage in the way, and when there is only 1 tab, it nicely tucks itself out of the way, further reducing any wasted space.)

    If IE was my favorite browser in v6, IE7 wouldn’t be much to get excited about.

  15. Teamzille.de says:

    When you have IE7 display the source text of a web page, it is opened in Notepad by default. That is not so nice, because Notepad offers no syntax highlighting, which the reading of an extensive source text

  16. casz says:

    @george

    1) IE7 layout is the best because it’s very compact and well organized.

    2) menu bar has been replaced with modern toolbar buttons where you find almost all options from old menu.

    Old menu is also a waste of space.

    IE7 Layout ROCKS.

    Firefox Layout is horrible

  17. Harold B. says:

    It’s sad that these comments always degrade to people arguing about which browser is better. This forum is a place for people to comment on upcoming IE changes. If you prefer Firefox, Safari, or IE, then fine. But, don’t waste space here.

  18. Harold B. says:

    I know this relates more to two previous blog postings, but you’ve closed comments on those. You indicated that the IE HTML Editor ActiveX control didn’t ship with Windows Vista. My comments on that decision aside (Windows Vista has tons of security for ActiveX controls now), was there an update as to whether you are releasing a security patch to remove that for Windows XP?

    It affects Exchange. It affects Lotus Notes. It affects over 100 commercial browser editing controls. I can’t believe you just deleted it because of one Google search, but I do want to know if there is an XP patch coming soon that is removing it.

  19. verui says:

    was there an update as to whether you are releasing a security patch to remove that for Windows XP?

  20. It is possible to replace the fixed IE7 layout by the Quero toolbar (www.quero.at), I am developing, if you do not like the standard layout.

  21. ADAXL says:

    Why was Notepad not designed to work with low privilege? This produces just another needless UAC popup. People will either disable UAC (not good) or click away all those annoying UAC screens without looking (not good either). It’s the same thing with ol’ Outlook. It always warns you that attachments may be dangerous. Yeah, tell me something I don’t know. This kind of security mechanism is useless.

    Not good, MS!

  22. luc says:

    @ADAXL

    Notepad and all Windows Vista applications run as low privileges because UAC is ON by default.

  23. Taking away customizability from IE and Windows Explorer is one big mistake you guys are making… while the Shell team won’t be able to fix it now till Windows vnext, you people can fix it in IE8. Please do so. 🙂 Full customizability of toolbar buttons and button order and toolbar(s) layout. Why don’t you put a poll on your blog and ask what users feel?

  24. ADAXL says:

    @Luc

    I get your explanation, but the problem remains: UAC gives out totally trivial warnings. I mean, a warning because of Notepad trying to edit a web page? UAC floods users with warnings to a degree where people want to shut it off. Talk about crying wolf.

  25. smeshnoj says:

    Am I the only one that is scared, that Notepad runs with higher security rights than IE?

    Notepad? OMG!

  26. mocax says:

    I’ve upgraded XP Pro to Vista Ultimate.

    IE7 will slow to a crawl or crash outright when Protected Mode is On.

    I’ve uninstalled Java and other plugins, but

    IE7 is still sluggish.

    Whenever I try to open a new tab, it’ll take several seconds. And the URL box flashes like crazy.

    The URL box also flashes when I click the drop down arrow.

    Everything works normally if I switch Protected Mode off.

    What’s going on?

    How do I do a clean reinstall of IE7?

  27. cac says:

    @mocax

    make a fresh Vista installation and NOT upgrade from XP

  28. cac says:

    @ADAXL

    If you don’t want to click through this prompt in the future, you can check the “Do not show me the warning for this program again” box before clicking “Allow”.

  29. mocax says:

    So I’ve to reformat my harddrive so IE7 can run properly in protected mode.

  30. Harold B. says:

    It doesn’t appear the IE Blog team has bothered to read or respond to a single comment so far. What’s the point of allowing blog comments if you’re not going to read them ever?

  31. Tijnemans says:

    @mocax

    Instead of formatting, just first try to disable all plug-ins. maybe there is some ill-working one enabled.

    Go to:

    Start->Accessories->System tools

    and choose:

    Internet Explorer (No Add-ons)

  32. mocax says:

    @Tijnemans

    didn’t work, still sluggish

    It’s got nothing to do with plug-ins

    There’s something wrong with the redraw of the UI

    Switching tabs (even blank ones) takes a few seconds.

    This is what happens when I press ALT key to bring up menu bar http://img181.imageshack.us/img181/4224/clipboard01kp2.jpg

    Takes about 3 seconds to display the menu bar.

  33. A lot of jokes as well as serious criticism has been made about Microsoft’s user access control (UAC) in Vista. The main problem with UAC is caused by applications that are poorly written and expect to run with administrator rights. This has been..

  34. call says:

    @mocax

    use this cleaner: Tools -> Internet Options -> Advanced tab -> Reset button

  35. Mike says:

    Wahoo now that’s April I don’t ever have to test in IE6 (http://blogs.msdn.com/ie/archive/2006/11/30/ie6-and-ie7-running-on-a-single-machine.aspx) again!

  36. jeffdav says:

    Jill:

    There are thousands of settings in IE.  Converting each one to be configurable per-site would be expensive from a development point of view.

    Each setting is typically a registry key.  We could build a mechanism to virtualize each setting to support a system where we could store them on a per-site basis.  Then we would need to go find each place in the code where we access the registry (which is cheap and can be done with tools) but then we have to understand how it is being used.  For example, some keys have defaults that are written as part of setup, others have a default in the code if no key exists.  Some are written by the code when it detects that no key exists.  Some keys are read multiple times per browser session, others are read once and cached in memory (for performance reasons).  

    It’s not impossible, just incredibly expensive.  Which is not to say it’s something we wouldn’t do–just something we’d have to weigh very carefully against other work we’d like to do.  For example, in IE7 the Tabbed Browsing work was a big priority for the UX team.

    Luc:

    UAC has three integrity levels, Low, Medium and High.  Apps run in Medium by default, including Windows Explorer (which includes the Start Menu).  New applications launched from other applications, by default, inherit the integrity level of the app that launched them.

    IE runs in Low by default (for certain Zones, such as the Internet Zone).  

  37. IE7 Community IE Addons IE Blog IE-Vista IE7 Support Can’t Save Favorites in Vista’s IE7 (WindowsNow)

  38. mocax says:

    @call

    Reset IE7, didn’t work.

    Is there something in protected mode that affects GUI rendering?

    It also stutters when I resize the window.

    Everything worked smoothly when protected mode is switched off.

  39. zones? huh what? says:

    @jeffdav  regarding your comment about zones I wanted to mention something.

    The "security zones" may have been a good idea, at one point, but ask anyone, about them.. seriously, turn around and ask anyone in your office what zone Google runs in, same for any site/application you care to mention.

    No one knows, because no one uses them.

    If you are using the browser, and you are connected to the Internet, you are in the "Internet" zone, plain and simple, which proves the point that zones are worthless.

  40. I had been noticing that there has been a lot of interest in anything connected to ReadyBoost. After

  41. AC says:

    @zones

    I don’t think jeffdav is a good example to ask around the office about zones. I think the IE team in general might at least have an answer about them.

    Also, I think it just proves that zones are worthless to -you- and perhaps the general windows user at large. Therefore, don’t complain when IE does your thinking for you for what they feel the general windows user needs to "be safe".

  42. Aedrin says:

    "The "security zones" may have been a good idea, at one point, but ask anyone, about them.. seriously, turn around and ask anyone in your office what zone Google runs in, same for any site/application you care to mention.

    No one knows, because no one uses them."

    The best security feature is one that you never notice.

  43. clark says:

    "No one knows, because no one uses them."

    Aedrin: "The best security feature is one that you never notice."

    until an escalation bug is found, then they find out that the zones they were using were a false security blanket…..

    http://www.google.com/search?hl=en&q=IE+zone+escalation&btnG=Search

  44. jeffdav says:

    Ah, yes, Zones.  My personal feeling is, from a purely UI perspective, the experience could be improved.  Google.com is in the Internet zone because it is outside your personal network.  For most home users, everything is outside their personal network, so it would seem this is the only zone that really needs to exist.

    However, IE has to support a huge number of corporate users who actually do have sites that are inside the network and thus in the Intranet zone.  Having the more trusted zone for Intranet applications enables a whole bunch of useful scenarios for things like Sharepoint, as well as lots of custom-built LOB apps that simply host the Webbrowser Control.

    Remember: MSHTML was designed as a platform for application development.  We can argue about the merits of that historical decision, but the legacy of that decision is that some applications are really just HTML pages running from the local machine.  These days the only things I see built from HTAs are installers and very specific LOB tools.  Much of the Windows team, for example, uses an HTA to compose check-in mail and submit their changes to the source servers.  In order for these HTML applications to be useful, they need even more privileges.

    Essentially I agree with you.  If all you use IE for is to browse the web, all you need is the Internet zone.  IE enables a lot of things that you may not even realize are IE, though, which requires some sort of tiered security model.  Most users get along just fine ignoring the zones.  

    I would love a world where every setting in IE could be controlled on a per-URL basis instead of lumping URLs into zones, but that is currently impractical (who really wants to manage thousands of settings for every URL they visit?).  

  45. webci says:

    think it is to protect people from viewing really bad source

    When I first saw this on Vista I thought it was a joke by a MS programmer..

    http://www.textilefashion.net

  46. Steve says:

    It would be nice to have view source ability inside IE (even if optional). I’m not sure why defaulting to Notepad.exe was seen as a good idea. View Source, and View Source in new tab would be a welcome enhancement in IE next.

    As would the find bar (not an add-in). The workflow I do has to do with a viewsource to find something in particular, and swap back and forth between tabs (OK, using FF as an example).

    Embrace tabs all the way.

  47. Mike says:

    > I also have and use Netscape browser. IE7 is more widely used but the Netscape browser doesn’t have nearly the security issues IE7 has.

    Sure only 18 so far in Firefox 2.x (which came out about the same time as IE7)

    http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox

  48. DarrenBoy says:

    Mike wrote:

    > Sure only 18 so far in Firefox 2.x (which came out about the same time as IE7)

    > http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox

    Or go to Secunia and add up vulnerabilities in all of the advisories so far (some advisories contain multiple vulns).

    IE7 – 11

    FF 2.0 – 27

    http://secunia.com/product/12366/?task=advisories

    http://secunia.com/product/12434/?task=advisories

  49. Sadly, even to this day, Internet Explorer relies on notepad for viewing HTML source code through the
