IE Protected Mode for Local System Account

Asked 29/8, 2011 at 21:33 Answered 28/4, 2015 at 15:23

Solved internet-explorer selenium protected-mode

I have a Windows Service that runs a Team City Build agent on a Windows 7 OS.

This agent triggers NUnit tests which use the Selenium IE web drivers to execute a series of tests.

For the Selenium IE web drivers to work the protected mode for all zones needs to be set to the same value (either protected mode on or off).

The problem is the default settings for the Local System Account are invalid (some zones are running in protected mode, others are not).

Can anyone can tell me how to change the protected mode settings for either all users or the Local System Account user?

Lasalle answered 29/8, 2011 at 21:33 Comment(0)

Here is the solution (and I've been to every corner of the Internet in order to get this):

Fire up RegEdit and go to this key:

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

On my machine (Windows 7) the Local System account is S-1-5-18. This might be the same for all versions of Windows, but I don't know about that.

In that registry key, there are five more keys 1, 2, 3, 4 and 5 - each representing a Zone.

For every zone, if there is a DWORD value with the name "2500", set its value to 0 to turn protected mode off. Note that you don't have to add it if it isn't there.

The value "2500" is supposed to control the tick box "Enable protected mode".

UPDATE (from an anon user):

A graphical way of doing the same is to ensure the "Interactive Services Detection" service (UI0Detect) is running (note that Windows 8/2012 and later need the HKLM\SYSTEM\CurrentControlSet\Control\Windows\NoInteractiveServices registry key to be set correctly in order for the popup to appear) get hold of psexec and run

psexec -si 0 "C:\Program Files\Internet Explorer\iexplore.exe"

In the popup click on View the message, then after the screen switches in Internet Explorer go to Tools -> Internet options | Security and check the Security level for each zone.

Happy UI testing!

Dirigible answered 22/10, 2011 at 13:40 Comment(5)

Wow! Excellent, I had almost given up on finding a solution to this. It would appear that yes indeed the Local System account is S-1-5-18 and tests are running under the local account. Many thanks – Lasalle 25/10, 2011 at 20:44

Actually, what I have started doing now is that I use nuget.org/List/Packages/FluentAutomation.SeleniumWebDriver and use the Chrome Webdriver instead. That removed the protected zone problem and it's a lot faster. The IE compability problems usually have to dealt with elsewhere anyway. – Endophyte 16/11, 2011 at 12:10

Mikael - brilliant !!! To bad it's not so obvious. I tried group policy but it didn't work. – Larainelarboard 19/11, 2013 at 9:12

This is incorrect, a DWORD value of 0 means it's off, a DWORD value of 3 means it is on. If it does not exist then it returns to the default that Windows has which is on for both the Internet & Restricted sites zone UNLESS you are using IE7 in which case it is also on for the Local Intranet zone. – Dissenter 26/12, 2013 at 10:50

For Windows 10, the value for 2500 should be 3, not 0. I changed it in the UI and then checked the registry and it was setting it to 3 when I turned it off. This also means you need to add it to all the zones because the default is 0, which is on. – Overvalue 1/9, 2020 at 22:9

You could try disabling UAC, which will also disabled protected mode for all users in the system as well..

Sawmill answered 30/8, 2011 at 2:13 Comment(1)

Thanks for the suggestion. I have tried this and it appears to have no effect in this situation. Note: I disabled it via the User Account Control Settings window accessed via the Control Panel -> System and Security. – Lasalle 31/8, 2011 at 3:10

The best description of a solution is this https://mcmap.net/q/2031029/-how-do-i-avoid-issues-with-quot-protected-mode-quot-using-iedriverserver-in-selenium

Viehmann answered 28/4, 2015 at 15:23 Comment(0)

-1

There is a setting on the IE WebDriver that tells it to ignore the protected mode settings. Judging by the name of the setting it might introduce some "instability", but I've had no problems with this approach:

var options = new InternetExplorerOptions();
// avoid the "Protected Mode must be set to the same value (enabled or disabled) for all zones" error
options.IntroduceInstabilityByIgnoringProtectedModeSettings = true;
return new InternetExplorerDriver(options);

Denisse answered 23/8, 2012 at 3:56 Comment(2)

See jimevansmusic.blogspot.co.uk/2012/08/… for further info on why this is a bad idea. – Greenaway 19/3, 2013 at 16:15

@Greenaway - yep, I've read that article. The key point is "The driver needed a workaround for people who couldn't set those IE settings because their machine was overly locked down. That's what the capability setting is intended to be used for." In my work environment IE is indeed locked down and our testers are unable to set the protected mode settings required. Thus the use of the hack. But I agree that it shouldn't be used unless necessary! – Denisse 20/3, 2013 at 0:47

Recommended topics

Hot tags