Turning off and on Enhanced Protected Mode on Internet Explorer



Enhanced Protected Mode (EPM) adds additional security to Protected Mode and includes AppContainer and 64-bit tabs. Internet Explorer in the new Windows UI runs in AppContainer, but AppContainer is also an available option on Internet Explorer for the desktop. AppContainer prevents pages from reading or writing to the rest of the operating system.

You can also use 64-bit tabs on the desktop (on 64-bit computers). Running 64-bit tabs increases security on the desktop because 64-bit processes offer better protection against attacks that try to damage memory safety.

EPM was first introduced in Internet Explorer 10, which raises the level of protection for web users in two ways:

  • 64-bit processes
  • Use of the new AppContainer integrity level in Windows 8 to sandbox HTML5 content

Enhanced Protected Mode (EPM) has become a more prominent security feature on Windows 8.x. Microsoft has promoted several workarounds to help mitigate security issues, but it has become clear that running IE10 or IE11 with EPM enabled is the quickest and easiest of them all.

EPM provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, EPM also limits the locations Internet Explorer can read from the registry and the file system.

You can use GPO to configure EPM for the organization, enabling you to enforce the settings centrally.

If the policy is enabled, EPM is turned on: any zone that has Protected Mode enabled will use EPM, and users will not be able to disable EPM on their own. If the policy is disabled, EPM is turned off.

Disabling it, though, will force Internet Explorer zones that have Protected Mode enabled to use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista.

If you choose not to configure the policy at all, users can turn EPM on or off themselves on the Advanced tab of the Internet Options dialog in Internet Explorer.

Location in GPMC: Windows Components\Internet Explorer\Internet Control Panel\Advanced Page


Supported for: Internet Explorer 10.0 or later.

Affected registry settings:

For Machine (Computer Configuration) level changes:

HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Isolation

For User (User Configuration) level changes:

HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Isolation

Observe EPM

When EPM is enabled for a website, you will see “Protected Mode: Enhanced“ in IE’s File > Properties dialog box.


Process Explorer can show the bitness and integrity level of the IE processes. As the following screenshot shows, the frame (manager) iexplore.exe process can launch multiple tab (content) child processes of different bitness and integrity levels.

It is also possible that 64-bit and AppContainer are not both enabled, even when IE reports Protected Mode as “Enhanced” for the webpage. IE goes through several configuration points to decide how to enable EPM.


EPM or not?

Firstly, the traditional Protected Mode must be enabled for the website. By default, Protected Mode is turned off for the Local Intranet and Trusted Sites zones, but enabled for the Internet zone. Of course, UAC must not be turned off completely, otherwise Protected Mode is not available at all.


Secondly, desktop IE’s EPM is disabled by default in Internet Options, so desktop IE will not use EPM unless you turn it on. More precisely, the original IE11 release in Windows 8.1 RTM actually enabled it by default.

It will have been turned off again if you have installed the recent IE11 cumulative updates.


Next, EPM can be disabled per domain. If a website requires an add-on that is incompatible with EPM, you can turn EPM off for the whole domain of that website.


This per-domain configuration lives in the registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabProcConfig, as shown in the screenshot below. Each domain is configured by a DWORD value.

Different DWORD values have different effects on EPM. The most common value is 0x47b, which means: use a 32-bit process and load incompatible add-ons. If a domain is given the 0x47b value, you will see Protected Mode reported as “On”, not “Enhanced”.
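The following PowerShell audit script is an added example and not code from the original page. It ties together the two registry locations discussed above: it reads the Isolation policy value under the HKLM and HKCU policy keys to report whether EPM is enforced, disabled or left to the user, and then enumerates the per-domain DWORDs under TabProcConfig, flagging any domain set to 0x47b (the value the page documents as downgrading that domain to 32-bit, add-on-compatible Protected Mode). One assumption not taken from the page: the Isolation policy is stored as the string "PMEM" (EPM on) or "PMIL" (EPM off), which are Microsoft's documented values for this policy.

```powershell
# Added example, not code from the original page. Audits local Enhanced
# Protected Mode (EPM) configuration using the registry locations the page names.
# Assumption: the Isolation policy value is "PMEM" (EPM on) or "PMIL" (EPM off);
# these strings are Microsoft's documented values and do not appear on the page.

function Get-EpmPolicyState {
    # Both policy scopes from the page; machine policy takes precedence over user policy.
    $scopes = [ordered]@{
        Machine = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main'
        User    = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main'
    }
    foreach ($scope in $scopes.Keys) {
        $path  = $scopes[$scope]
        $value = $null
        if (Test-Path -Path $path) {
            $value = (Get-ItemProperty -Path $path -Name Isolation -ErrorAction SilentlyContinue).Isolation
        }
        if ($null -eq $value) {
            $state = 'Not configured: users choose on the Advanced tab of Internet Options'
        } elseif ($value -eq 'PMEM') {
            $state = 'Enabled and enforced: zones with Protected Mode use EPM; users cannot turn it off'
        } elseif ($value -eq 'PMIL') {
            $state = 'Disabled: zones fall back to IE7-style Protected Mode'
        } else {
            $state = "Unrecognised value '$value'"
        }
        [pscustomobject]@{ Scope = $scope; Isolation = $value; State = $state }
    }
}

function Get-EpmDomainOverrides {
    # Per-domain exceptions live under TabProcConfig as one DWORD per domain.
    $key = 'HKCU:\Software\Microsoft\Internet Explorer\TabProcConfig'
    if (-not (Test-Path -Path $key)) { return }
    $item = Get-Item -Path $key
    foreach ($domain in $item.GetValueNames()) {
        $raw = $item.GetValue($domain)
        if ($raw -isnot [int]) { continue }   # skip anything that is not a DWORD
        # DWORDs are returned as Int32; mask to an unsigned 32-bit number before comparing.
        $flags = [uint32](([int64]$raw) -band 0xFFFFFFFF)
        [pscustomobject]@{
            Domain        = $domain
            Value         = ('0x{0:x}' -f $flags)
            # 0x47b is the value the page documents: 32-bit tab, incompatible add-ons
            # loaded, and Protected Mode reported as "On" rather than "Enhanced".
            EpmDowngraded = ($flags -eq 0x47b)
        }
    }
}

Get-EpmPolicyState | Format-Table -AutoSize
Get-EpmDomainOverrides | Sort-Object -Property EpmDowngraded -Descending | Format-Table -AutoSize
```

Run it in the context of the user whose IE configuration you are checking, since TabProcConfig is a per-user key; reading the HKLM policy key does not require elevation. Domains reported with EpmDowngraded set to True are the ones where a site-specific exception has switched that domain out of EPM, which is what you would expect to see when the page's per-domain add-on compatibility workaround has been applied.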
