Enhanced Protected Mode and Local Files

Ordinarily, Internet Explorer loads local HTML files in the Local Machine Zone. Locally-loaded HTML files are subject to the Local Machine Lockdown feature, which prevents pages from running active content like JavaScript or ActiveX controls and shows the following notification:

image

In order to avoid this lockdown, many local HTML pages will contain a Mark-of-the-Web (MOTW) which instructs Internet Explorer to load the content using the security permissions of a different zone, typically, the Internet Zone. There are several ways to assign a MOTW:

  1. A comment inside HTML markup
  2. Using an NTFS Alternate Data Stream named Zone.Identifier
  3. A Low Integrity Label in the permissions on the file
  4. Loading the file from the Temporary Internet Files folder

Internet Explorer itself uses each of these methods in different circumstances, but most developers who are designing HTML to load from local locations will use the HTML comment format, by adding one line to their markup:

<!doctype html>
<!-- saved from url=(0014)about:internet -->
<html><head>...

When Internet Explorer encounters this comment, it maps the current document into the Internet Zone, and it runs with the permissions of an Internet-based document so JavaScript and ActiveX controls may run with appropriate limits (if permitted by your Internet Zone settings).

However, putting local content into the Internet Zone has one very important consequence in Windows 8. The Internet Zone runs in Enhanced Protected Mode (EPM) in Metro-style IE and optionally in Desktop IE. One of the key strengths of the AppContainer isolation mechanism upon which EPM relies is that AppContainers do not permit “Read up” access. That means that content running in an AppContainer doesn’t have direct read access to most areas of your hard drive; attempting to open a file from inside the AppContainer results in an Access Denied error. (In contrast, the IE7-IE9 Protected Mode feature allowed “Read up” access; only writes were forbidden.)

When Internet Explorer is instructed to load the local HTML page above, it first assumes that the content will be in the Local Machine Zone and begins reading the content in a process which is running at Medium Integrity outside of AppContainer. When it encounters the MOTW, it realizes that the content should be loaded in EPM, so it launches an EPM process to take over the loading of the content. The EPM process is now “stuck”—it doesn’t have access to the local file, because the AppContainer forbids reading of the file. The solution to this conundrum is pretty simple—when Internet Explorer’s EPM encounters an Access Denied error on a local file, it asks IE’s broker process (running at Medium) to see whether that local file has a MOTW. If so, the broker process provides read access to the file, enabling the restricted process to read it. If no MOTW is found, then the read is denied and the browser will not render the content.

Now, where this gets tricky is when a page refers to other resources, called “subdownloads.” For instance, consider the following markup:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0022)https://127.0.0.1:8088/ -->
<HTML><HEAD><META http-equiv="Content-Type" content="text/html; charset=windows-1252">
</HEAD>
<BODY>This page contains several image files loaded from the same path:<BR>
<PRE>
GIF: <IMG src="1.gif"> <br />
PNG: <IMG src="2.png"> <br />
JPG: <IMG src="3.jpg"> <br />

<DIV id="divTime"></DIV>
<SCRIPT>
setInterval('document.getElementById("divTime").innerText = new Date();', 1000);
</SCRIPT>
</PRE></BODY></HTML>

The page refers to three image files in the same folder as the parent markup. If these files do not have a MOTW applied to them, a local page running inside EPM will not be able to load them:

image

(Note: my screenshots are from Desktop IE because I’ve enabled Enhanced Protected Mode in Desktop IE using the Tools > Internet Options > Advanced > Security checkbox. EPM is enabled by default for Metro-style IE.)

You can determine whether or not a file has a MOTW by using icacls.exe to check for a Low Mandatory Level label, or by using streams.exe to check for an NTFS Alternate Data Stream named Zone.Identifier. By default, neither will be present:

image

After we use icacls.exe to apply a Low Integrity label to files #1 and #3, you can see the difference:

image

Now, let’s apply a MOTW to 2.png using an Alternate Data Stream:

image


Now all three images are visible:

image

As you can see, both the Alternate Data Stream and the Low Integrity Label can be used to mark the content as accessible from an Enhanced Protected Mode process. However, these methods can be cumbersome to apply manually, so we’ve provided one simpler mechanism local pages may use.
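The Alternate Data Stream route can be scripted rather than applied by hand. The Python below is an added example, not code from the original post: it writes and reads the Zone.Identifier stream that streams.exe reports, using the `file:stream` path syntax NTFS exposes to ordinary file APIs and the `[ZoneTransfer]` / `ZoneId=3` body that Windows itself writes. The function names, the zone-name table and the `mark_page_resources` helper are my own. Writing the stream only succeeds on an NTFS volume on Windows; the formatting and parsing helpers run anywhere.

```python
import os

# URL Security Zone ids as Windows numbers them (3 = Internet Zone).
ZONE_NAMES = {0: "Local Machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
ZONE_INTERNET = 3


def zone_identifier_text(zone_id: int = ZONE_INTERNET) -> str:
    """Body of a Zone.Identifier stream, in the INI-style form Windows writes."""
    if zone_id not in ZONE_NAMES:
        raise ValueError(f"unknown zone id {zone_id}")
    return "[ZoneTransfer]\r\n" + f"ZoneId={zone_id}\r\n"


def parse_zone_id(text: str):
    """Return the ZoneId from a Zone.Identifier body, or None if absent.

    Only a ZoneId inside the [ZoneTransfer] section counts; tolerate either
    CRLF or LF line endings and stray whitespace.
    """
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None


def stream_path(path: str, stream: str = "Zone.Identifier") -> str:
    """NTFS addresses an alternate data stream as <file>:<stream>."""
    return f"{path}:{stream}"


def read_zone_id(path: str):
    """ZoneId recorded on `path`, or None when the file carries no stream."""
    try:
        with open(stream_path(path), "rb") as f:
            return parse_zone_id(f.read().decode("ascii", "replace"))
    except (FileNotFoundError, OSError):
        return None


def mark_file(path: str, zone_id: int = ZONE_INTERNET) -> None:
    """Attach a Zone.Identifier stream to an existing file (Windows/NTFS only)."""
    if os.name != "nt":
        raise OSError("alternate data streams require NTFS on Windows")
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    with open(stream_path(path), "wb") as f:
        f.write(zone_identifier_text(zone_id).encode("ascii"))


def mark_page_resources(html_path: str, zone_id: int = ZONE_INTERNET) -> list:
    """Mark every sibling file of a local page so an EPM process can read them.

    Hypothetical convenience helper: marks the files next to html_path (not
    the page itself, not subfolders) and returns the paths it touched.
    """
    folder = os.path.dirname(os.path.abspath(html_path))
    marked = []
    for entry in os.scandir(folder):
        if entry.is_file() and entry.path != os.path.abspath(html_path):
            mark_file(entry.path, zone_id)
            marked.append(entry.path)
    return marked


if __name__ == "__main__":
    for name in ("1.gif", "2.png", "3.jpg"):
        zid = read_zone_id(name)
        print(name, "->", "no mark" if zid is None else ZONE_NAMES.get(zid, zid))
```

The Low Integrity label used for files #1 and #3 in the screenshots has no file-API equivalent here; the command-line form is `icacls 1.gif /setintegritylevel Low`. Either mark makes the file readable from the EPM sandbox, so apply them only to content you actually mean to expose to Internet-zone code.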

If the markup file is named page3.htm, you can create a folder named page3_files and place all of the resources required by the page into that folder. Update your markup’s references to refer to the resources in that subfolder:

<IMG src="page3_files/1.gif">
<IMG src="page3_files/2.png">
<IMG src="page3_files/3.jpg">

…and you will find that the images are allowed to load, even without a MOTW applied to each. That’s because Enhanced Protected Mode automatically grants page3.htm permission to read these local files when placed in the specially-named subfolder.

-Eric Lawrence