
SUMMARY

Opening a mailto: link from a site that has Protected Mode: On works fine. The
problem is that Trusted Sites have Protected Mode: Off, while Vista and Windows 7
treat mailto: as part of the Internet Zone, which has Protected Mode: On. So when
a user clicks a mailto: link on a site in the Trusted Sites list, a new browser
window opens with Protected Mode: On, and after starting the Outlook process it
does not return to Protected Mode: Off. To overcome this problem, turn on
Protected Mode for Trusted Sites.

Turn Protected Mode on

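Windows Registry Editor Version 5.00

; Zone 2 is Trusted sites (zone 3 is the Internet zone).
; Value 2500 is the Protected Mode setting; 0 turns it on.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"2500"=dword:00000000

"2500 Turn on Protected Mode [Vista only setting]"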

What is Protected Mode

The Windows 7 security infrastructure allows Protected Mode to provide Internet Explorer
with the privileges needed to browse the Web while withholding privileges needed to
silently install programs or modify sensitive system data.

Protected Mode builds on the new integrity mechanism to restrict write access to
securable objects like processes, files, and registry keys with higher integrity levels.
When run in Protected Mode, Internet Explorer is a low integrity process; it cannot gain
write access to files and registry keys in a user's profile or system locations.

Low integrity processes can only write to folders, files, and registry keys that have been
assigned a low integrity mandatory label. As a result, Internet Explorer and extensions
run in Protected Mode can only write to low integrity locations, such as the new low
integrity temporary Internet files folder, the History folder, the Cookies folder, the
Favorites folder and the Windows temporary file folders.

Silently launch Outlook

By default, Internet Explorer will prompt the user to confirm the medium integrity
elevated process, as shown in the following screen shot.

You can silently elevate your broker process to medium integrity level by creating an
elevation policy, which is a series of registry keys and values that tell Protected Mode
how to handle elevation for a specific broker. Elevation policies must have a globally
unique identifier (GUID) associated with them.

Set the name of the new key to the GUID created for your policy and then add the
following settings to the key.

1. Policy (DWORD) indicates how Protected Mode should launch the broker. The
following table describes the supported values.

   Value  Result
   3      Protected Mode silently launches the broker as a medium integrity process.
   2      Protected Mode prompts the user for permission to launch the process. If
          permission is granted, the process is launched as a medium integrity process.
   1      Protected Mode silently launches the broker as a low integrity process.
   0      Protected Mode prevents the process from launching.

2. If your broker is an executable file, add the following settings to your policy.
   o AppName (REG_SZ) is the filename of your broker's executable file.
   o AppPath (REG_SZ) is the user-selected install location of your broker's
     executable file.

To illustrate, the following policy would silently elevate a fictional broker called
OUTLOOK.EXE to medium integrity level.

Windows Registry Editor Version 5.00

; Policy 3: Protected Mode silently launches the broker as a medium integrity process.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F3598B9-5CE3-4B49-BED9-ECDA80A2D561}]
"AppPath"="C:\\Program Files\\Microsoft Office\\Office14"
"AppName"="OUTLOOK.EXE"
"Policy"=dword:00000003

C:\Shared\mailtoReg\Protection mode.reg
C:\Shared\mailtoReg\Silently launch outlook.reg
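
A defender's check for the two settings above, as an added example that is not part of the original page: it parses .reg export text and reports each zone's Protected Mode state and every elevation policy with its launch behaviour. The sample export is constructed; the zone numbering (2 = Trusted sites) is standard Internet Explorer numbering assumed here, and any 2500 value other than 0 is treated as off.

```python
import re

# Launch behaviour per Policy value, taken from the table on this page.
POLICY = {0: "blocked", 1: "silent, low integrity",
          2: "prompt, then medium integrity", 3: "silent, medium integrity"}

# Constructed sample export (not from a real machine). Zone 2 = Trusted sites
# in standard IE zone numbering (an assumption; the page does not state it).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"2500"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F3598B9-5CE3-4B49-BED9-ECDA80A2D561}]
"AppPath"="C:\\Program Files\\Microsoft Office\\Office14"
"AppName"="OUTLOOK.EXE"
"Policy"=dword:00000003
'''

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: int | str}}."""
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
        elif cur is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, raw = m.groups()
            if raw.lower().startswith("dword:"):
                cur[name] = int(raw[6:], 16)          # dword values are hex
            elif raw.startswith('"') and raw.endswith('"'):
                cur[name] = raw[1:-1].replace("\\\\", "\\")  # unescape \\ to \
    return keys

def audit(text):
    """Return (kind, subject, state) tuples for zone and elevation settings."""
    findings = []
    for key, vals in parse_reg(text).items():
        low = key.lower()
        zone = re.search(r"\\internet settings\\zones\\(\d)$", low)
        if zone and "2500" in vals:
            # The page's .reg uses 0 to turn Protected Mode on.
            state = "on" if vals["2500"] == 0 else "off"
            findings.append(("zone", int(zone.group(1)), state))
        if "\\low rights\\elevationpolicy\\" in low and "Policy" in vals:
            exe = vals.get("AppPath", "?") + "\\" + vals.get("AppName", "?")
            findings.append(("elevation", exe, POLICY.get(vals["Policy"], "unknown")))
    return findings
```

Entries reported as "silent, medium integrity" are the ones that remove the user prompt, so they are the ones to review against the list of brokers you expect.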
