Anonymous
Knowledge Base Documents Articles & FAQs Software Updates Feature Requests Trouble Reports Support Enquiries
 
NX Client Products
 
Search
Advanced Search
My Account
Containing:
 
Article:  #AR09E00483
Added on: 2007-09-21
Last Modified: 2007-10-09
Applies to: NX Client Products
Why may I need to disable IE7 Protected Mode to run NX Web Companion on Windows Vista?
NX Web Companion is a signed java applet that requires to access the user's filesystem in order to download, copy and run NX Client locally.

Starting from version 3.0.0-8, NX Web Companion installs the plugin on Windows Vista, i.e. NX Client and all the components needed to run the session, in  the  %userprofile%\AppData\LocalLow directory, which is a low integrity level directory. This allows the applet to read, write and launch processes on the local filesystem even when Internet Explorer 7 is running in protected mode.

Previous versions of NX Web Companion, were trying to download the plugin in a default location, i.e. the user's home/.nx/plugin directory. In this case, the applet may fail to complete all the required operations if IE 7 has protected mode enabled.

As reported in the MSDN documentation:

Understanding and Working in Protected Mode Internet Explorer
...
In Windows Vista, Microsoft Internet Explorer 7 runs in Protected Mode, which helps protect users from attack by running the Internet Explorer process with greatly restricted privileges.

Protected Mode builds on the new integrity mechanism to restrict write access to securable objects like processes, files, and registry keys with higher integrity levels. When run in Protected Mode, Internet Explorer is a low integrity process; it cannot gain write access to files and registry keys in a user's profile or system locations.
...


The following table shows supported integrity access levels and the privileges they confer:

Integrity
Access Level        System Privileges

High                      Administrative (Process can install files to the Program Files
                               folder and write to sensitive registry areas like
                               HKEY_LOCAL_MACHINE.)

Medium                User (Process can create and modify files in the user's
                              Documents folder and write to user-specific areas of the
                              registry, such as HKEY_CURRENT_USER.)

Low                      Untrusted (Process can only write to low integrity locations,
                              such as the Temporary Internet Files\Low folder or the  
                              HKEY_CURRENT_USER\Software\LowRegistry key)

On the other hand, also the java.sun.com Web site reports some notes related to the unability to write or delete files in medium and high integrity level directories:

Running Signed Applets on Windows Vista

Signed applets on Windows Vista have less privileges compared to the applets running on other Windows operating systems such as Windows XP Home or Windows XP Professional. This is due to the fact that browser process has low level of integrity. Low level integrity implies lesser privileges than an Administrator. This causes the signed applet not to write and delete files in specific medium and high integrity level directories.

If you run a signed applet in Windows Vista, a dialog box with a security warning appears. Click Run, to allow the applet to run with all permissions except write or delete permissions for files on local drive.
...

Furthermore, the Sun Bug Database reports a number of issues on the topic:

Implement IE Broker process for File I/O on Vista

Java applets do not work with IE7 "Protect mode ON" on windows Vista


How to enable/disable IE7 Protected Mode

To enable or disable IE7 Protected Mode for a zone go to: Internet Options > Security tab > Select the appropriate zone> Check/uncheck the “Enable Protected Mode” checkbox.

The status of Protected Mode can be monitored by looking at the “Protected Mode: On” text in bottom right corner of the IE status bar. However, at times you may notice the text in the status bar says “Protected Mode: Off” even when the Internet Options dialog says Protected Mode is enabled.

Otherwise, protected Mode is turned off when IE is launched by right clicking on the IE icon and selecting “Run as administrator” or when IE is launched with administrative privileges from another application. This generally occurs when an installer/setup program running with administrator privileges starts a new IE process.

Other Support Options
Contact NoMachine

Phone Numbers, Support Options and Pricing, Online Help, and more.

Customer Service

For non-technical assistance with product purchases, subscriptions, online services, events, training courses, corporate sales, piracy issues, and more.

Print this document
Send this page



Home | News | About Us | Partners | Contact Us
Products | Download | Support | Documents | Customers
Copyright 2002-2013, NoMachine S.à r.l - VAT LU25935711