
IE 7 on Vista: Mostly secure

Microsoft says there are exceptions to well-advertised security features within Windows Vista.

Robert Vamosi Former Editor
As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

When is your shiny new Windows Vista protected against evil Web threats? Not as often as we were all led to believe in all those Microsoft Windows Vista ads. I ran across this post from Microsoft's Internet Explorer blog site shortly after the software giant patched the animated cursor flaw in Windows Vista with the release of MS07-017. Microsoft has said that users running IE 7 under Windows Vista are better protected from the malicious effects of Web exploits such as the animated cursor exploit than users running IE 7 under Windows XP, due to the introduction of a new "sandbox" element (called Protected Mode) within the new operating system. For example, in the case of the animated cursor attack, with Protected Mode enabled, remote attackers can only view files on an infected Windows Vista machine, not run malicious code. Now it seems there are exceptions.

Microsoft says that Protected Mode for IE 7 under Windows Vista is enabled by default only for sites within the Internet, Intranet, and Restricted zones. It is not enabled for Trusted Sites or Local Machine zones. Thus, you are likely to see the Protected Mode icon switch from On to Off and back again as you move between sites that fall within different Internet Explorer zones. To remedy this, Microsoft says you must enable or disable Protected Mode for Trusted Sites or Local Machine zones yourself.

To do so, choose Internet Options, Security tab, select the appropriate zone, then check/uncheck the "Enable Protected Mode" check box as appropriate.

There are other times when Microsoft says Protected Mode is disabled within IE 7. Here's a summary:

  • If you turn off User Account Control within Windows Vista, you automatically lose Protected Mode protection.
  • If IE 7 in Windows Vista is launched by right-clicking the IE icon and selecting "Run as administrator", or is launched with administrative privileges from another application (as happens during some software installations), Protected Mode is disabled.
  • When viewing an HTML file on your hard drive (as opposed to the Internet), Protected Mode is disabled. The exception is an HTML file saved from the Internet while Protected Mode was enabled: Protected Mode will still be enabled for that copy cached on your hard drive.
  • But the best part of the Microsoft blog comes at the end: "If you visit a page whose zone has Protected Mode enabled and you see the status is 'Protected Mode: Off', you will want to close and restart a new instance of IE to visit the page."
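
A read-only check for the conditions listed above, as an added example that is not from the article or from Microsoft's blog post. It assumes the per-zone Protected Mode setting is stored as URL action 2500 (0 = enabled, 3 = disabled) under the current user's zone keys, falls back to the defaults the article describes when no value is set, and does not read Group Policy overrides.

```powershell
# Added example: report where IE Protected Mode is off for the current user.
# Assumption: value "2500" under each zone key holds the setting (0 = on, 3 = off).
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$uacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Zone id, display name, and the default state described in the article.
$zones = @(
    @{ Id = 0; Name = 'Local Machine'; DefaultOn = $false },
    @{ Id = 1; Name = 'Intranet';      DefaultOn = $true  },
    @{ Id = 2; Name = 'Trusted Sites'; DefaultOn = $false },
    @{ Id = 3; Name = 'Internet';      DefaultOn = $true  },
    @{ Id = 4; Name = 'Restricted';    DefaultOn = $true  }
)

function Get-ProtectedModeState {
    foreach ($z in $zones) {
        $item = Get-ItemProperty -Path "$zonesKey\$($z.Id)" -Name '2500' -ErrorAction SilentlyContinue
        $raw  = if ($item) { $item.'2500' } else { $null }
        # No explicit value: fall back to the article's default for that zone.
        $on   = if ($null -eq $raw) { $z.DefaultOn } else { $raw -eq 0 }
        New-Object PSObject -Property @{
            Zone          = $z.Name
            ProtectedMode = if ($on) { 'On' } else { 'Off' }
            Source        = if ($null -eq $raw) { 'default' } else { "registry value $raw" }
        }
    }
}

# Condition 1: UAC turned off (EnableLUA = 0) removes Protected Mode in every zone.
$lua    = (Get-ItemProperty -Path $uacKey -Name 'EnableLUA' -ErrorAction SilentlyContinue).EnableLUA
$uacOff = ($lua -eq 0)

# Condition 2: IE started from an elevated process runs without Protected Mode.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

Get-ProtectedModeState | Select-Object Zone, ProtectedMode, Source | Format-Table -AutoSize
if ($uacOff)   { Write-Warning 'UAC is off: Protected Mode is unavailable regardless of zone settings.' }
if ($elevated) { Write-Warning 'This session is elevated: IE launched from it will not use Protected Mode.' }
```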