Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
We’ve noticed a few blog posts asking why IE7 in Windows Vista displays a prompt to launch Notepad. You can see this prompt by right clicking on a webpage and selecting View Source. I want to explain why the prompt is displayed and also tell you how to turn it off.
As you probably already know from previous blog entries, Windows Vista includes an IE security feature called Protected Mode. Protected Mode runs the IE process with lower privileges and also helps protect against malicious webpages that try to automatically pass content to higher privileged applications like Notepad.
Before launching applications like Notepad that weren’t designed to work with low privilege, Protected Mode displays the following prompt to get your permission. This prompt is designed for the worst case security scenario, which is a malicious webpage trying to silently elevate out of Protected Mode by launching an application or reusing one that you’re launching. For example, in the scenario where you select View Source, a malicious webpage could try to silently pass its content to Notepad instead of the webpage’s source code. This could be a dangerous scenario if there was vulnerability in Notepad
If you only browse to web sites you trust and you don’t want to click through this prompt in the future, you can check the “Do not show me the warning for this program again” box before clicking “Allow”. Checking this box and “Allow” will add the following entry to Protected Mode’s elevation policy:
[HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerLow RightsElevationPolicy{9F5511FE-4BB1-474D-B6ED-8877567E7F36}]
"AppPath"="C:\Windows\System32"
"AppName"="notepad.exe"
"Policy"=dword:00000003
You can find more details on Protected Mode’s elevation policy in the Protected Mode technical article on MSDN.
If you later decide that you want to see this Protected Mode elevation prompt again for Notepad or any other application you added to Protected Mode’s elevation policy, either delete the registry key mentioned above or click “Reset…” in the Internet Options Advanced tab.
If you are looking for a better View Source Editor option than Notepad, install Microsoft Visual Web Developer 2005 Express Edition and add:
C:Program FilesMicrosoft Visual Studio 8Common7IDEVWDExpress.exe
to the following registry key:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerView Source EditorEditor Name
Thanks for reading!
Marc Silbey
Program Manager
edit: Correction: If you are looking for a better View Source Editor option, Add: If you later decide that you want to see
Anonymous
March 28, 2007
Am I the only one that is scared, that Notepad runs with higher security rights than IE? Notepad? OMG!Anonymous
March 28, 2007
[Quote]This could be a dangerous scenario if there was vulnerability in Notepad[/Quote] Give me a break! Security vulnerability in Notepad?! In our most beloved fast, simple and secure ad hoc text editor. Come on! This is misapplied focus on security. And the security message is completely wrong: "A website wants to open web content using this program on your computer". It's not the site, stupid, it's me, the power user (I understand HTML at least). Can't IE tell the difference between some malicious site running client-side scripts and the client?!? Am I too naive? Is there a reasonable explanation for this situation? I' m looking forward to hear from you. Have a nice day.Anonymous
March 28, 2007
"Am I the only one that is scared, that Notepad runs with higher security rights than IE?" So they put IE into the lowest priviledge possible. And suddenly it's a surprise that Notepad has more priviledges than IE (a program that can write/read any file). Am I the only one that is scared that all this IE bashing is nothing more than users not having clue? ""A website wants to open web content using this program on your computer". It's not the site, stupid, it's me, the power user (I understand HTML at least). Can't IE tell the difference between some malicious site running client-side scripts and the client?!? Am I too naive?" Yes. Assuming something is caused by the user, is assuming that the internet is safe.Anonymous
March 28, 2007
What I would like to see is never show this again for this site. So even if I elevate it and have it not tell me again for that site, even if a NG site found a way, I would still need to be asked.Anonymous
March 28, 2007
The comment has been removedAnonymous
March 28, 2007
Hello; What i'm not sure about, is the Reset...button. Is this the only way to modify the settings? It seems strange that in order to fix 1 setting, for 1 site, I need to erase every setting for every site I have ever set? Would it not be better, if there was a "change settings" button, that was sensitive to the site you were on? For example, you are on say eBay.com you could click the button, and have the choice as to which settings you want to change. [] Allow this site to.... [] Allow this site to.... [_] Allow this site to.... Where each option is something like the "open editor (Notepad.exe) to view the HTML source. This seems much more straight forward to meAnonymous
March 28, 2007
The comment has been removedAnonymous
March 28, 2007
@scared "Am I the only one that is scared, that Notepad runs with higher security rights than IE?" As the dialog implies, Notepad.exe is not part of IE. Any attempt to run a program outside of the IE process will cause a security prompt. You wouldn't want anything else. It's got nothing to do with "higher security rights". @Biserkov " Can't IE tell the difference between some malicious site running client-side scripts and the client?!? Am I too naive?" No and yes.Anonymous
March 28, 2007
I apologize that this is off-topic, but has there been any word yet on IE Next? When can we expect it? What features will it contain? Will you make it available for Linux? (ok, the last one was a joke)Anonymous
March 28, 2007
I also have and use Netscape browser. IE7 is more widely used but the Netscape browser doesn't have nearly the security issues IE7 has.Anonymous
March 28, 2007
IF YOU DONT ALLOW FULL TOOLBAR LAYOUT CUSTOMIZATION AND TOOLBAR BUTTONS CUSTOMIZATION IN THE NEXT IE, I'M OFF TO FIREFOX.Anonymous
March 28, 2007
@someone who cares about layout and toolbar customizations? IE7 layout is just perfect like this and it's better than FF.Anonymous
March 28, 2007
Choice comments from a friend: grIMacE says 'Notepad runs at a higher level of security than IE' grIMacE says 'excellent' grIMacE says 'which is the one with the security vulnerabilities again?' Facetious remarks aside, Firefox, Safari and Opera all solved this years ago by embedding the source viewer within the application. Was doing something like this for IE7 too much hard work, guys? I mean, rendering fixed width text is pretty tough...Anonymous
March 28, 2007
@casz Wrong! The IE7 layout has been much discussed in this blog and (when it was alive) IE Feedback. The lack of interface customization is actually a major stumbling block for lots of users. I too hate the default layout, the missing menu bar, the clutter on the tab row, but I can't change it. but like "someone" said, in other browsers, Firefox, Opera, etc. modifying this content is a piece of cake. (well, in Firefox, its even easier, the tab bar, is a tab bar, with no other garbage in the way, and when there is only 1 tab, it nicely tucks itself out of the way, further reducing any wasted space) If IE was my favorite browser in v6, IE7 wouldn't be much to get excited about.Anonymous
March 28, 2007
The comment has been removedAnonymous
March 28, 2007
@george
- IE7 layout is the best because it's very compact and well organized.
- menu bar has been replaced with modern toolbar buttons where you find almost all options from old menu. Old menu is also a waste of space. IE7 Layout ROCKS. Firefox Layout is horrible
Anonymous
March 29, 2007
It's sad that these comments always degrade to people arguing about which browser is better. This forum is a place for people to comment on upcoming IE changes. If you prefer Firefox, Safari, or IE, then fine. But, don't waste space here.Anonymous
March 29, 2007
I know this relates more to two previous blog postings, but you've closed comments on those. You indicated that the IE HTML Editor Active X control didn't ship with Windows Vista. My comments on that decision aside (Windows Vista has tons of security for Active X controls now), was there an update to if you are releasing a secuirty patch to remove that for Windows XP? It affects Exchange. It affects Lotus Notes. It affects over commercial 100 browser editing controls. I can't believe you just deleted it because of one Google search, but I do want to know if there is an XP patch coming soon that is removing it.Anonymous
March 29, 2007
was there an update to if you are releasing a secuirty patch to remove that for Windows XP?Anonymous
March 29, 2007
It is possible to replace the fixed IE7 layout by the Quero toolbar (www.quero.at), I am developing, if you do not like the standard layout.Anonymous
March 29, 2007
Why was Notepad not designed to work with low privilege? This produces just another needless UAC popup. People will either disable UAC (not good) or click away all those annoying UAC screens without looking (not good either). It's the same thing with ol' Outlook. It always warns you that attachments may be dangerous. Yeah, tell me something I don't know. This kind of security mechanism is useless. Not good, MS!Anonymous
March 29, 2007
@ADAXL Notepad and all Windows Vista applications run as low privileges because UAC is ON by default.Anonymous
March 30, 2007
Taking away customizability from IE and Windows Explorer is one big mistake you guys are making...while the Shell team wont be able to fix it now till Windows vnext, you ppl can fix it i IE8. Please do so. :) Full customizability of toolbar buttons and button order and toolbar(s) layout. Why dont you put a poll on your blog and ask what users feel?Anonymous
March 30, 2007
@Luc I get your explanation, but the problem remains: UAC gives out totally trivial warnings. I mean, a warning because of Notepad trying to edit a web page? UAC floods users with warnings to a degree where people want to shut it off. Talk about crying wolf.Anonymous
March 30, 2007
Am I the only one that is scared, that Notepad runs with higher security rights than IE? Notepad? OMG!Anonymous
March 30, 2007
The comment has been removedAnonymous
March 31, 2007
@mocax make a fresh Vista installation and NOT upgrade from XPAnonymous
March 31, 2007
The comment has been removedAnonymous
March 31, 2007
So I've to reformat my harddrive so IE7 can run properly in protected mode.Anonymous
March 31, 2007
It doesn't appear the IE Blog team has bothered to read or respond to a single comment so far. What's the point of allowing blog comments if you're not going to read them ever?Anonymous
March 31, 2007
@mocax Instead of formatting, just first try to disable all plug-ins. maybe there is some ill-working one enabled. Go to: Start->Accessories->System tools and choose: Internet Explorer (No Add-ons)Anonymous
March 31, 2007
@Tijnemans didn't work, still sluggish It's got nothing to do with plug-ins There's something wrong with the redraw of the UI Switching tabs (even blank ones) takes a few seconds. This is what happens when I press ALT key to bring up menu bar http://img181.imageshack.us/img181/4224/clipboard01kp2.jpg Takes about 3 seconds to display the menu bar.Anonymous
April 01, 2007
A lot of jokes as well as serious criticism has been made about Microsoft’s user access control (UAC) in Vista. The main problem with UAC is caused by applications that are poorly written and expect to run with administrator rights. This has been..Anonymous
April 02, 2007
@mocax use this cleaner: Tools -> Internet Options -> Advanced tab -> Reset buttonAnonymous
April 02, 2007
Wahoo now that's April I don't ever have to test in <a href="http://blogs.msdn.com/ie/archive/2006/11/30/ie6-and-ie7-running-on-a-single-machine.aspx">IE6</a> again!Anonymous
April 02, 2007
The comment has been removedAnonymous
April 02, 2007
IE7 Community IE Addons IE Blog IE-Vista IE7 Support Can't Save Favorites in Vista's IE7 (WindowsNow)Anonymous
April 02, 2007
@call Reset IE7, didn't work. Is there something in protected mode that affects GUI rendering? It also stutters when I resize the window. Everything worked smoothly when protected mode is switched off.Anonymous
April 02, 2007
@jeffdav regarding your comment about zones I wanted to mention something. The "security zones" may have been a good idea, at one point, but ask anyone, about them.. seriously, turn around and ask anyone in your office what zone Google runs in, same for any site/application you care to mention. No one knows, because no one uses them. If you are using the browser, and you are connected to the Internet, you are in the "Internet" zone, plain and simple, which proves the point that zones are worthless.Anonymous
April 02, 2007
I had been noticing that there has been a lot of interest in anything connected to ReadyBoost. A fterAnonymous
April 02, 2007
@zones I don't think jeffdav is a good example to ask around the office about zones. I think the IE team in general might at least have an answer about them. Also, I think it just proves that zones are worthless to -you- and perhaps the general windows user at large. Therefore, don't complain when IE does your thinking for you for what they feel the general windows user needs to "be safe".Anonymous
April 02, 2007
"The "security zones" may have been a good idea, at one point, but ask anyone, about them.. seriously, turn around and ask anyone in your office what zone Google runs in, same for any site/application you care to mention. No one knows, because no one uses them." The best security feature is one that you never notice.Anonymous
April 02, 2007
"No one knows, because no one uses them." Aedrinn: "The best security feature is one that you never notice." until an escalation bug is found, then they find out that the zones they were using were a false security blanket..... http://www.google.com/search?hl=en&q=IE+zone+escalation&btnG=SearchAnonymous
April 03, 2007
Ah, yes, Zones. My personal feeling is, from a purely UI perspective, the experience could be improved. Google.com is in the Internet zone because it is outside your personal network. For most home users, everything is outside their personal network, so it would seem this is the only zone that really needs to exist. However, IE has to support a huge number of corporate users who actually do have sites that are inside the network and thus in the Intranet zone. Having the more trusted zone for Intranet applications enables a whole bunch of useful scenarios for things like Sharepoint, as well as lots of custom-built LOB apps that simply host the Webbrowser Control. Remember: MSHTML was designed as a platform for applicaiton development. We can argue about the merits of that historical decision, but the legacy of that decision is that some applications are really just HTML pages running from the local machine. These days the only things I see built from HTAs are installers and very specific LOB tools. Much of the Windows team, for example, uses an HTA to compose check-in mail and submit their changes to the source servers. In order for these HTML applications to be useful, they need even more priviledges. Essentially I agree with you. If all you use IE for is to browse the web, all you need is the Internet zone. IE enables a lot of things that you may not even realize are IE, though, which requires some sort of tiered security model. Most users get along just fine ignoring the zones. I would love a world where every setting in IE could be controlled on a per-URL basis instead of lumping URLs into zones, but that is currently impractical (who really wants to manage thousands of settings for every URL they visit?).Anonymous
April 03, 2007
think it is to protect people from viewing really bad source When i first saw this on vista I thought it was a joke by a MS programmer.. http://www.textilefashion.netAnonymous
April 03, 2007
It would be nice to have view source ability inside IE (even if optional). I'm not sure why defaulting to Notepad.exe was seen as a good idea. View Source, and View Source in new tab would be a welcome enhancement in IE next. As would the find bar (not an add-in). The workflow I do has to do with a viewsource to find something in particular, and swap back and forth between tabs (OK, using FF as an example). Embrace tabs all the way.Anonymous
April 10, 2007
> I also have and use Netscape browser. IE7 is more widely used but the Netscape browser doesn't have nearly the security issues IE7 has. Sure only 18 so far in Firefox 2.x (which came out about the same time as IE7) http://www.mozilla.org/projects/security/known-vulnerabilities.html#FirefoxAnonymous
April 10, 2007
Mike wrote: > Sure only 18 so far in Firefox 2.x (which came out about the same time as IE7) > http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox Or go to Secunia and add up vulnerabilities in all of the advisories so far (some advisories contain multiple vulns). IE7 - 11 FF 2.0 - 27 http://secunia.com/product/12366/?task=advisories http://secunia.com/product/12434/?task=advisoriesAnonymous
September 06, 2007
Sadly, even to this day, Internet Explorer relies on notepad for viewing HTML source code through theAnonymous
February 25, 2008
Just as cash loan payday till first american cash advance
