Rob Franco, Lead Program Manager for IE Security posted some interesting stuff on the Internet Explorer Blog last week.
From the blog (with emphasis and edits added by me):
“Low-Rights IE” is one of several new features that we’re working on to help keep users safe…meant to back up and support the many other security features.
…Low-rights IE will only be available in Longhorn because it’s based on the new Longhorn security features that make running without Administrator privileges an easy option for users (“User Account Protection”). When users run programs with limited user privileges, they are safer from attack than when they run with Administrator privileges because Windows can restrict the malicious code from taking damaging actions.
We are using the same Longhorn security infrastructure to limit IE to just enough privileges to browse the web but not enough to modify user files or settings by default. As a result, even if a malicious site attacks a vulnerability in IE, the site’s code won’t have enough privileges to install software, copy files to Startup folder, or hijack the settings for the browser’s homepage or search provider.
Second, the primary goal of Low Rights IE is to restrict the impact of a security vulnerability while maintaining compatibility. Low-rights IE doesn’t “fix” vulnerabilities, but it can limit the damage a vulnerability can do. In that way, it’s like the “Local Machine Zone Lockdown” feature in XP SP2. That lockdown prevents cross domain vulnerabilities from installing malicious software on users’ machines. We expect Low-rights IE to protect users from other classes of vulnerabilities.
I also want to point out two other scenarios that some people have confused with Low-rights IE. Low-rights IE does not prevent users from downloading and installing software that turns out to be malicious. Any programs that the user downloads and runs will be limited by User Account Protection, unless the user explicitly gives the program Administrator privileges. Microsoft and other software makers provide tools to help protect against spyware downloads. Another issue to clarify is that Low-rights IE will not change IE security settings for ActiveX and script as the Enhanced Security Configuration for IE on Windows Server 2003 did…
Some websites and browser add-ons may expect users to run with Administrator privileges. Our goals are to be as secure and compatible as possible and we’re doing work to help sites and add-ons continue to work as users expect.
I want to be clear that Longhorn and IE7 have many other facilities in addition to Low-rights IE for keeping users safe….”
Alex Eckelberry