How to add to Internet Favorites with UAC on?

[Tom]

Hope this is the right place for a UAC question

I have a Vista64 Ultimate system. A few weeks after the initial build, I
determined that the hard disk was bad as it would hang until it had run and
warmed up for quite a while. Purchased a new hard disk and reinstalled
windows. As part of the "new" install, I used an 8Gig USB drive to transfer
personal files (including Favorites) from the old system/hard disk to the
new one. Process was to boot up windows on the old hard disk, transfer
files to the USB drive, boot up windows on the new hard disk and transfer
the files from the USB drive to the new C: drive.

The new hard disk/system is working fine except I cannot add new
bookmarks/favorites to favorite folders I transferred when surfing the net.
With UAC ON, I get the following error:

Unable to Create "internet site"
Unspecified Error

when trying to save or paste a new internet site/url to folders I
transferred from the old hard disk. Files CAN be saved directly to the
Favorites directory. With UAC OFF, all favorite saves work as expected.

I have tried "taking ownership" of each and every folder in the Favorites
directory, but the problem remains. I would really like to use UAC for what
its worth, but the problem of not being able to save URLs without turning
UAC off and rebooting makes it REALLY hard.

 

[Tom]

Guess nobody here knows how to manipulate UAC without turning it off???

Tom

 

[FromTheRafters]

Perhaps you could try turning MIC off temporarily to see if
that affects your issue?

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableMIC.

I believe turning this off will defeat 'protected mode' IE, but not all of
UAC.

Have you tried support yet?

 

[Dave]

http://www.tweak-uac.com/home/

 

[Tom]

The darkening screen of "do you really want to do this" is not the issue.
With UAC on, I get {Unable to Create "internet site" Unspecified Error}.
With UAC off, I am allowed to save new favorites to anywhere in my favorites
chain. Any other ideas?

T2

 

[Tom]

Not sure what that is so I think I'll leave it alone. Did a Google on that
registry line and the best I could get was that it has something to do with
Protected Mode. Turned Protected Mode off and back on again in the Internet
Options with no change in my ability to save new "internet sites" to
anywhere in my Favorites chain. I'm pretty sure that the issue has to do
with how I imported the Favorites from my old hard disk, ie by copying them
on to a thumb drive from the old HD and then copying them onto the new HD
that had already been installed with Vista64.

Tom

 

[FromTheRafters]

http://blogs.technet.com/steriley/archive/2006/07/21/442870.aspx

Not the answer, but you might like to read it.

I still suggest calling support.

 

[Tom]

Interesting read. As I understand it, there are characteristics to each
object that the casual observer/administrator can't see, let alone
modify/control. As I said above, I tried taking ownership, turning off/on
protected mode etc, but was only finally able (2 hours this afternoon) to
get control of my Favorites chain by dragging each folder in my favorites
off onto the desk top, creating a new folder in the Favorites chain of a
similar name and then dragging the shortcut contents of the moved folders
back into the new folders.

If you right-click on any folder and choose properties and security, you see
the Group/user names (accounts?) and each of their "Permissions". The
FOLDERS that I had problems with had a check mark under the allow/Special
Permissions for Administrators(that's me as there are no other users). The
folders that I had not problems with did NOT have a check mark under the
Allow/Special Permissions.

Now, whatever that means - MIC?

Magic stuff. Will Windows 7 fix this?

Tom

 

[FromTheRafters]

Interesting read. As I understand it, there are characteristics to each
object that the casual observer/administrator can't see, let alone
modify/control.

Yes, and access can be denied before any "permissions" are checked.

As I said above, I tried taking ownership, turning off/on protected mode
etc,

I'm not sure turning off protected mode actually removes MIC from
other aspects of the system. It may just run IE elevated - I haven't
looked into it. Protected mode uses MIC not the other way 'round.

but was only finally able (2 hours this afternoon) to get control of my
Favorites chain by dragging each folder in my favorites off onto the desk
top, creating a new folder in the Favorites chain of a similar name and
then dragging the shortcut contents of the moved folders back into the new
folders.

Sounds like an 'end run' around MIC to me. Glad you got it sorted. I'm
thinking your favorites data became untrusted due to the way you tried
to migrate it. It regained trust when you manipulated it on the desktop.

Just guessing though.

If you right-click on any folder and choose properties and security, you
see the Group/user names (accounts?) and each of their "Permissions". The
FOLDERS that I had problems with had a check mark under the allow/Special
Permissions for Administrators(that's me as there are no other users).
The folders that I had not problems with did NOT have a check mark under
the Allow/Special Permissions.

Now, whatever that means - MIC?

Nope, permissions again. Regular permissions are like ordering a #22 Chinese
take-out order. Special permissions sort of lets you pick from columns A, B,
C,
etc...for a better custom fit.

http://support.microsoft.com/kb/308419

Magic stuff. Will Windows 7 fix this?

I don't think so as it is not broken. I assume most people won't be
migrating their data this way.

[...]

 

[Tom]

Yes, and access can be denied before any "permissions" are checked.


I'm not sure turning off protected mode actually removes MIC from
other aspects of the system. It may just run IE elevated - I haven't
looked into it. Protected mode uses MIC not the other way 'round.

Don't think that IE ran elevated with Protected Mode turned off as IE was
still unable to write new shortcuts to the "moved" folders. Recall that I
as Administrator was able to write/copy files to those folders, but IE was
not. Interestingly, turning off UAC "fixes" the problem, allowing IE to
once again write to those "moved" folders.




I'm guessing that my "user" account in creating new folders made it so that
IE had sufficient "Integrety" (medium) to then write to them as well.

Sounds like an 'end run' around MIC to me. Glad you got it sorted. I'm
thinking your favorites data became untrusted

Only certain folders - What I did was copy/move files and folders off of the
thumb drive to the new Favorites folder. I trusted the folders I moved and
my problem was to somehow convince Vista to trust them too. Not sure how
Vista would react to dumping a bunch of folder/file data into a new Vista
system. I guess IE or (I haven't tried this) notepad wouldn't be able write
to/modify that data.

due to the way you tried

to migrate it. It regained trust when you manipulated it on the desktop.

Interesting that the folders were a problem and not the
shortcuts/executables.

Just guessing though.


Nope, permissions again. Regular permissions are like ordering a #22
Chinese
take-out order. Special permissions sort of lets you pick from columns A,
B, C,
etc...for a better custom fit.

http://support.microsoft.com/kb/308419

XP stuff. Is Vista 64 the same?

I don't think so as it is not broken. I assume most people won't be
migrating their data this way.

But I think it its broken. Certainly not from the perspective of computer
science or secure business software, but from the perspective of the "power
user" who got used to doing things in a reasonable way and gets a little
upset when there seems to be no good reason for it to change on MY computer.
The thread above started by Kathy resonates a little for me. The link you
provided above references Windows XP where none of this was an issue, (at
least in my experience) but now with Vista, we are suddenly not so much
masters of our own hardware system.

[...]

BTW FromTheRafters, I really appreciate the discussion and attempts to
educate - hard as it is ;<)

 

[FromTheRafters]

XP stuff. Is Vista 64 the same?

NTFS stuff. I posted it because it is not MIC related as your
inquiry regarding special permissions and MIC indicated was
your guess.

But I think it its broken. Certainly not from the perspective of computer
science or secure business software, but from the perspective of the
"power user" who got used to doing things in a reasonable way and gets a
little upset when there seems to be no good reason for it to change on MY
computer.

Not much has really changed, it is just that now the "power user" has
to tweak Vista's security down to his or her liking. The "average user"
is more or less stuck with Vista's better security - and don't have a
problem working within that security paradigm. By all means, if you
are a safe "power user", strip Vista of its security and run as admin.
Vista just didn't make bad security the default OOBE condition like
previous versions did. All the groaning is because of the new experience
being how to try to fight your way to being really the real administrator.

Kinda keeps the "average users" from peeing in the pool so to speak.
Now only those worthy of actually finding their own way to the real
admin account are allowed to pee in the pool, and hopefully they're
not as likely to do so.

The thread above started by Kathy resonates a little for me. The link you
provided above references Windows XP where none of this was an issue, (at
least in my experience) but now with Vista, we are suddenly not so much
masters of our own hardware system.

The wave of the future I'm afraid. Next you won't be running application
software, but renting web based applications and be master of nothing on
your computer. They're becoming less like General Purpose Computers
and more like Special Purpose Computer communications devices.

BTW FromTheRafters, I really appreciate the discussion and attempts to
educate - hard as it is ;<)

Thanks, and no problem.

 

[Kerry Brown]

Can you post the results of icacls for your favorites folder? At a command
prompt type:

icacls c:\username\favorites

or whatever the path to your favorites folder is.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/

Yes, and access can be denied before any "permissions" are checked.


I'm not sure turning off protected mode actually removes MIC from
other aspects of the system. It may just run IE elevated - I haven't
looked into it. Protected mode uses MIC not the other way 'round.

Don't think that IE ran elevated with Protected Mode turned off as IE was
still unable to write new shortcuts to the "moved" folders. Recall that I
as Administrator was able to write/copy files to those folders, but IE was
not. Interestingly, turning off UAC "fixes" the problem, allowing IE to
once again write to those "moved" folders.




I'm guessing that my "user" account in creating new folders made it so
that IE had sufficient "Integrety" (medium) to then write to them as well.

Sounds like an 'end run' around MIC to me. Glad you got it sorted. I'm
thinking your favorites data became untrusted

Only certain folders - What I did was copy/move files and folders off of
the thumb drive to the new Favorites folder. I trusted the folders I
moved and my problem was to somehow convince Vista to trust them too. Not
sure how Vista would react to dumping a bunch of folder/file data into a
new Vista system. I guess IE or (I haven't tried this) notepad wouldn't
be able write to/modify that data.

due to the way you tried

to migrate it. It regained trust when you manipulated it on the desktop.

Interesting that the folders were a problem and not the
shortcuts/executables.

Just guessing though.


Nope, permissions again. Regular permissions are like ordering a #22
Chinese
take-out order. Special permissions sort of lets you pick from columns A,
B, C,
etc...for a better custom fit.

http://support.microsoft.com/kb/308419

XP stuff. Is Vista 64 the same?

I don't think so as it is not broken. I assume most people won't be
migrating their data this way.

But I think it its broken. Certainly not from the perspective of computer
science or secure business software, but from the perspective of the
"power user" who got used to doing things in a reasonable way and gets a
little upset when there seems to be no good reason for it to change on MY
computer. The thread above started by Kathy resonates a little for me.
The link you provided above references Windows XP where none of this was
an issue, (at least in my experience) but now with Vista, we are suddenly
not so much masters of our own hardware system.

[...]

BTW FromTheRafters, I really appreciate the discussion and attempts to
educate - hard as it is ;<)

 

[Tom]

c:\Users\Tom\Favorites BUILTIN\AdministratorsF)
Tom-PC\TomI)(OI)(CI)(F)
NT AUTHORITY\SYSTEMI)(OI)(CI)(F)
Mandatory Label\Low Mandatory
LevelOI)(CI)(NW)

OK, now, what does it mean and how does it relate to my problem? Recall,
also, that I have removed the problem folders end entered new folders of the
same name so that I can once again save new URLs to subfolders of Favorites.

Tom

Can you post the results of icacls for your favorites folder? At a command
prompt type:

icacls c:\username\favorites

or whatever the path to your favorites folder is.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/

Interesting read. As I understand it, there are characteristics to
each object that the casual observer/administrator can't see, let alone
modify/control.

Yes, and access can be denied before any "permissions" are checked.

As I said above, I tried taking ownership, turning off/on protected
mode etc,

I'm not sure turning off protected mode actually removes MIC from
other aspects of the system. It may just run IE elevated - I haven't
looked into it. Protected mode uses MIC not the other way 'round.

Don't think that IE ran elevated with Protected Mode turned off as IE was
still unable to write new shortcuts to the "moved" folders. Recall that
I as Administrator was able to write/copy files to those folders, but IE
was not. Interestingly, turning off UAC "fixes" the problem, allowing IE
to once again write to those "moved" folders.

but was only finally able (2 hours this afternoon) to get control of my
Favorites chain by dragging each folder in my favorites off onto the
desk top, creating a new folder in the Favorites chain of a similar
name and then dragging the shortcut contents of the moved folders back
into the new folders.

I'm guessing that my "user" account in creating new folders made it so
that IE had sufficient "Integrety" (medium) to then write to them as
well.

Sounds like an 'end run' around MIC to me. Glad you got it sorted. I'm
thinking your favorites data became untrusted

Only certain folders - What I did was copy/move files and folders off of
the thumb drive to the new Favorites folder. I trusted the folders I
moved and my problem was to somehow convince Vista to trust them too.
Not sure how Vista would react to dumping a bunch of folder/file data
into a new Vista system. I guess IE or (I haven't tried this) notepad
wouldn't be able write to/modify that data.

due to the way you tried

to migrate it. It regained trust when you manipulated it on the desktop.

Interesting that the folders were a problem and not the
shortcuts/executables.

Just guessing though.

If you right-click on any folder and choose properties and security,
you see the Group/user names (accounts?) and each of their
"Permissions". The FOLDERS that I had problems with had a check mark
under the allow/Special Permissions for Administrators(that's me as
there are no other users). The folders that I had not problems with did
NOT have a check mark under the Allow/Special Permissions.

Now, whatever that means - MIC?

Nope, permissions again. Regular permissions are like ordering a #22
Chinese
take-out order. Special permissions sort of lets you pick from columns
A, B, C,
etc...for a better custom fit.

http://support.microsoft.com/kb/308419

XP stuff. Is Vista 64 the same?

Magic stuff. Will Windows 7 fix this?

I don't think so as it is not broken. I assume most people won't be
migrating their data this way.

But I think it its broken. Certainly not from the perspective of
computer science or secure business software, but from the perspective of
the "power user" who got used to doing things in a reasonable way and
gets a little upset when there seems to be no good reason for it to
change on MY computer. The thread above started by Kathy resonates a
little for me. The link you provided above references Windows XP where
none of this was an issue, (at least in my experience) but now with
Vista, we are suddenly not so much masters of our own hardware system.

[...]

BTW FromTheRafters, I really appreciate the discussion and attempts to
educate - hard as it is ;<)

 

[Kerry Brown]

I've seen the Integrity level get messed up. That looks correct. Just to be
sure try this command in an elevated command prompt.

icacls C:\Users\Tom\Favorites /setintegritylevel (OI)(CI)low

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/

c:\Users\Tom\Favorites BUILTIN\AdministratorsF)
Tom-PC\TomI)(OI)(CI)(F)
NT AUTHORITY\SYSTEMI)(OI)(CI)(F)
Mandatory Label\Low Mandatory
LevelOI)(CI)(NW)

OK, now, what does it mean and how does it relate to my problem? Recall,
also, that I have removed the problem folders end entered new folders of
the same name so that I can once again save new URLs to subfolders of
Favorites.

Tom

Can you post the results of icacls for your favorites folder? At a
command prompt type:

icacls c:\username\favorites

or whatever the path to your favorites folder is.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/

Interesting read. As I understand it, there are characteristics to
each object that the casual observer/administrator can't see, let
alone modify/control.

Yes, and access can be denied before any "permissions" are checked.

As I said above, I tried taking ownership, turning off/on protected
mode etc,

I'm not sure turning off protected mode actually removes MIC from
other aspects of the system. It may just run IE elevated - I haven't
looked into it. Protected mode uses MIC not the other way 'round.



Don't think that IE ran elevated with Protected Mode turned off as IE
was still unable to write new shortcuts to the "moved" folders. Recall
that I as Administrator was able to write/copy files to those folders,
but IE was not. Interestingly, turning off UAC "fixes" the problem,
allowing IE to once again write to those "moved" folders.





but was only finally able (2 hours this afternoon) to get control of
my Favorites chain by dragging each folder in my favorites off onto
the desk top, creating a new folder in the Favorites chain of a
similar name and then dragging the shortcut contents of the moved
folders back into the new folders.

I'm guessing that my "user" account in creating new folders made it so
that IE had sufficient "Integrety" (medium) to then write to them as
well.



Sounds like an 'end run' around MIC to me. Glad you got it sorted. I'm
thinking your favorites data became untrusted

Only certain folders - What I did was copy/move files and folders off of
the thumb drive to the new Favorites folder. I trusted the folders I
moved and my problem was to somehow convince Vista to trust them too.
Not sure how Vista would react to dumping a bunch of folder/file data
into a new Vista system. I guess IE or (I haven't tried this) notepad
wouldn't be able write to/modify that data.

due to the way you tried
to migrate it. It regained trust when you manipulated it on the
desktop.

Interesting that the folders were a problem and not the
shortcuts/executables.


Just guessing though.

If you right-click on any folder and choose properties and security,
you see the Group/user names (accounts?) and each of their
"Permissions". The FOLDERS that I had problems with had a check mark
under the allow/Special Permissions for Administrators(that's me as
there are no other users). The folders that I had not problems with
did NOT have a check mark under the Allow/Special Permissions.

Now, whatever that means - MIC?

Nope, permissions again. Regular permissions are like ordering a #22
Chinese
take-out order. Special permissions sort of lets you pick from columns
A, B, C,
etc...for a better custom fit.

http://support.microsoft.com/kb/308419

XP stuff. Is Vista 64 the same?



Magic stuff. Will Windows 7 fix this?

I don't think so as it is not broken. I assume most people won't be
migrating their data this way.

But I think it its broken. Certainly not from the perspective of
computer science or secure business software, but from the perspective
of the "power user" who got used to doing things in a reasonable way and
gets a little upset when there seems to be no good reason for it to
change on MY computer. The thread above started by Kathy resonates a
little for me. The link you provided above references Windows XP where
none of this was an issue, (at least in my experience) but now with
Vista, we are suddenly not so much masters of our own hardware system.

[...]


BTW FromTheRafters, I really appreciate the discussion and attempts to
educate - hard as it is ;<)

 

[Tom]

Hi Kerry;
Recall that the problem was with subfolders of Favorites - folders and
URL shortcuts that had been brought over from a previous Vista64 install via
thumbdrive. A look at the definition of icacls
http://technet.microsoft.com/en-us/library/cc753525.aspx indicates that the
command will change the integrity levels all the way down a folder chain.
(The question I asked you below). Unclear from the definition what the "I"
means in

Tom-PC\TomI)(OI)(CI)(F)
NT AUTHORITY\SYSTEMI)(OI)(CI)(F)

The command you requested I do looks as though it is appropriate as long as
L=Low=Low Mandatory.

but I'm reluctant to run it as the command looks as though it could really
cause some subtle problems. Recall that my issue resulted in:

Unable to Create "internet site"
Unspecified Error

not "access denied". The system was the one that had the problem ie
Internet Explorer as it couldn't write to those directories unless UAC was
turned off and while I as Administrator could delete them and "repair"
problem by deleting and recreating those directories and the dragging the
old contents into the new folders.

So - mixed bag of issues?

Tom

I've seen the Integrity level get messed up. That looks correct. Just to
be sure try this command in an elevated command prompt.

icacls C:\Users\Tom\Favorites /setintegritylevel (OI)(CI)low

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/

c:\Users\Tom\Favorites BUILTIN\AdministratorsF)
Tom-PC\TomI)(OI)(CI)(F)
NT AUTHORITY\SYSTEMI)(OI)(CI)(F)
Mandatory Label\Low Mandatory
LevelOI)(CI)(NW)

OK, now, what does it mean and how does it relate to my problem? Recall,
also, that I have removed the problem folders end entered new folders of
the same name so that I can once again save new URLs to subfolders of
Favorites.

Tom

Can you post the results of icacls for your favorites folder? At a
command prompt type:

icacls c:\username\favorites

or whatever the path to your favorites folder is.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/






Interesting read. As I understand it, there are characteristics to
each object that the casual observer/administrator can't see, let
alone modify/control.

Yes, and access can be denied before any "permissions" are checked.

As I said above, I tried taking ownership, turning off/on protected
mode etc,

I'm not sure turning off protected mode actually removes MIC from
other aspects of the system. It may just run IE elevated - I haven't
looked into it. Protected mode uses MIC not the other way 'round.



Don't think that IE ran elevated with Protected Mode turned off as IE
was still unable to write new shortcuts to the "moved" folders. Recall
that I as Administrator was able to write/copy files to those folders,
but IE was not. Interestingly, turning off UAC "fixes" the problem,
allowing IE to once again write to those "moved" folders.





but was only finally able (2 hours this afternoon) to get control of
my Favorites chain by dragging each folder in my favorites off onto
the desk top, creating a new folder in the Favorites chain of a
similar name and then dragging the shortcut contents of the moved
folders back into the new folders.

I'm guessing that my "user" account in creating new folders made it so
that IE had sufficient "Integrety" (medium) to then write to them as
well.



Sounds like an 'end run' around MIC to me. Glad you got it sorted. I'm
thinking your favorites data became untrusted

Only certain folders - What I did was copy/move files and folders off
of the thumb drive to the new Favorites folder. I trusted the folders
I moved and my problem was to somehow convince Vista to trust them too.
Not sure how Vista would react to dumping a bunch of folder/file data
into a new Vista system. I guess IE or (I haven't tried this) notepad
wouldn't be able write to/modify that data.

due to the way you tried
to migrate it. It regained trust when you manipulated it on the
desktop.

Interesting that the folders were a problem and not the
shortcuts/executables.


Just guessing though.

If you right-click on any folder and choose properties and security,
you see the Group/user names (accounts?) and each of their
"Permissions". The FOLDERS that I had problems with had a check mark
under the allow/Special Permissions for Administrators(that's me as
there are no other users). The folders that I had not problems with
did NOT have a check mark under the Allow/Special Permissions.

Now, whatever that means - MIC?

Nope, permissions again. Regular permissions are like ordering a #22
Chinese
take-out order. Special permissions sort of lets you pick from columns
A, B, C,
etc...for a better custom fit.

http://support.microsoft.com/kb/308419

XP stuff. Is Vista 64 the same?



Magic stuff. Will Windows 7 fix this?

I don't think so as it is not broken. I assume most people won't be
migrating their data this way.

But I think it its broken. Certainly not from the perspective of
computer science or secure business software, but from the perspective
of the "power user" who got used to doing things in a reasonable way
and gets a little upset when there seems to be no good reason for it to
change on MY computer. The thread above started by Kathy resonates a
little for me. The link you provided above references Windows XP where
none of this was an issue, (at least in my experience) but now with
Vista, we are suddenly not so much masters of our own hardware system.

[...]


BTW FromTheRafters, I really appreciate the discussion and attempts to
educate - hard as it is ;<)

 

[Kerry Brown]

That's correct, the command should set the favorites folder and all of the
folders below favorites to an Integrity level of Low. If you're nervous
check the Integrity level of a folder where you can't add or change links.
I'm guessing it's not low. IE in protected mode runs at low Integrity. This
means it can't alter anything in a folder at an Integrity level above low.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/

Hi Kerry;
Recall that the problem was with subfolders of Favorites - folders and
URL shortcuts that had been brought over from a previous Vista64 install
via thumbdrive. A look at the definition of icacls
http://technet.microsoft.com/en-us/library/cc753525.aspx indicates that
the command will change the integrity levels all the way down a folder
chain. (The question I asked you below). Unclear from the definition what
the "I" means in

Tom-PC\TomI)(OI)(CI)(F)
NT AUTHORITY\SYSTEMI)(OI)(CI)(F)

The command you requested I do looks as though it is appropriate as long
as L=Low=Low Mandatory.

but I'm reluctant to run it as the command looks as though it could really
cause some subtle problems. Recall that my issue resulted in:

Unable to Create "internet site"
Unspecified Error

not "access denied". The system was the one that had the problem ie
Internet Explorer as it couldn't write to those directories unless UAC was
turned off and while I as Administrator could delete them and "repair"
problem by deleting and recreating those directories and the dragging the
old contents into the new folders.

So - mixed bag of issues?

Tom

I've seen the Integrity level get messed up. That looks correct. Just to
be sure try this command in an elevated command prompt.

icacls C:\Users\Tom\Favorites /setintegritylevel (OI)(CI)low

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/

c:\Users\Tom\Favorites BUILTIN\AdministratorsF)
Tom-PC\TomI)(OI)(CI)(F)
NT AUTHORITY\SYSTEMI)(OI)(CI)(F)
Mandatory Label\Low Mandatory
LevelOI)(CI)(NW)

OK, now, what does it mean and how does it relate to my problem?
Recall, also, that I have removed the problem folders end entered new
folders of the same name so that I can once again save new URLs to
subfolders of Favorites.

Tom

Can you post the results of icacls for your favorites folder? At a
command prompt type:

icacls c:\username\favorites

or whatever the path to your favorites folder is.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/






Interesting read. As I understand it, there are characteristics to
each object that the casual observer/administrator can't see, let
alone modify/control.

Yes, and access can be denied before any "permissions" are checked.

As I said above, I tried taking ownership, turning off/on protected
mode etc,

I'm not sure turning off protected mode actually removes MIC from
other aspects of the system. It may just run IE elevated - I haven't
looked into it. Protected mode uses MIC not the other way 'round.



Don't think that IE ran elevated with Protected Mode turned off as IE
was still unable to write new shortcuts to the "moved" folders.
Recall that I as Administrator was able to write/copy files to those
folders, but IE was not. Interestingly, turning off UAC "fixes" the
problem, allowing IE to once again write to those "moved" folders.





but was only finally able (2 hours this afternoon) to get control of
my Favorites chain by dragging each folder in my favorites off onto
the desk top, creating a new folder in the Favorites chain of a
similar name and then dragging the shortcut contents of the moved
folders back into the new folders.

I'm guessing that my "user" account in creating new folders made it so
that IE had sufficient "Integrety" (medium) to then write to them as
well.



Sounds like an 'end run' around MIC to me. Glad you got it sorted.
I'm
thinking your favorites data became untrusted

Only certain folders - What I did was copy/move files and folders off
of the thumb drive to the new Favorites folder. I trusted the folders
I moved and my problem was to somehow convince Vista to trust them
too. Not sure how Vista would react to dumping a bunch of folder/file
data into a new Vista system. I guess IE or (I haven't tried this)
notepad wouldn't be able write to/modify that data.

due to the way you tried
to migrate it. It regained trust when you manipulated it on the
desktop.

Interesting that the folders were a problem and not the
shortcuts/executables.


Just guessing though.

If you right-click on any folder and choose properties and security,
you see the Group/user names (accounts?) and each of their
"Permissions". The FOLDERS that I had problems with had a check mark
under the allow/Special Permissions for Administrators(that's me as
there are no other users). The folders that I had not problems with
did NOT have a check mark under the Allow/Special Permissions.

Now, whatever that means - MIC?

Nope, permissions again. Regular permissions are like ordering a #22
Chinese
take-out order. Special permissions sort of lets you pick from
columns A, B, C,
etc...for a better custom fit.

http://support.microsoft.com/kb/308419

XP stuff. Is Vista 64 the same?



Magic stuff. Will Windows 7 fix this?

I don't think so as it is not broken. I assume most people won't be
migrating their data this way.

But I think it its broken. Certainly not from the perspective of
computer science or secure business software, but from the perspective
of the "power user" who got used to doing things in a reasonable way
and gets a little upset when there seems to be no good reason for it
to change on MY computer. The thread above started by Kathy resonates
a little for me. The link you provided above references Windows XP
where none of this was an issue, (at least in my experience) but now
with Vista, we are suddenly not so much masters of our own hardware
system.

[...]


BTW FromTheRafters, I really appreciate the discussion and attempts to
educate - hard as it is ;<)

 

[Tom]

Hi Kerry;
I retrieved one of the problem folders (named Boat) from the trash.
using the icacls command I get:

c:Users\Tom\Desktop\Boat BUILTIN\AdministratorsF)
Tom-PC\TomI)(OI)(CI)(F)
NT AUTHORITY\SYSTEMI)(OI)(CI)(F)
BUILTIN\AdministratorsI)(OI)(CI)(F)
Mandatory Label\Low Mandatory
LevelI)(OI)(CI)(NW)


Seems to be missing the (I) in the last line and has an extra BUILTIN line
compared to the similar execution of icacls of the Favorites (repaired)
below. Compared to the other Users Accounts, the Boat folder has the extra
check mark in the Properties/Security/Group or User name = Administrators
(Tom-PC\Administrators)/Permissions for Administrators = Special
permissions.




So, what does that mean related to the inability of Internet Explorer to
write to a folder like Boat?

Tom

That's correct, the command should set the favorites folder and all of the
folders below favorites to an Integrity level of Low. If you're nervous
check the Integrity level of a folder where you can't add or change links.
I'm guessing it's not low. IE in protected mode runs at low Integrity.
This means it can't alter anything in a folder at an Integrity level above
low.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/

Hi Kerry;
Recall that the problem was with subfolders of Favorites - folders and
URL shortcuts that had been brought over from a previous Vista64 install
via thumbdrive. A look at the definition of icacls
http://technet.microsoft.com/en-us/library/cc753525.aspx indicates that
the command will change the integrity levels all the way down a folder
chain. (The question I asked you below). Unclear from the definition
what the "I" means in

Tom-PC\TomI)(OI)(CI)(F)
NT AUTHORITY\SYSTEMI)(OI)(CI)(F)

The command you requested I do looks as though it is appropriate as long
as L=Low=Low Mandatory.

but I'm reluctant to run it as the command looks as though it could
really cause some subtle problems. Recall that my issue resulted in:

Unable to Create "internet site"
Unspecified Error

not "access denied". The system was the one that had the problem ie
Internet Explorer as it couldn't write to those directories unless UAC
was turned off and while I as Administrator could delete them and
"repair" problem by deleting and recreating those directories and the
dragging the old contents into the new folders.

So - mixed bag of issues?

Tom

I've seen the Integrity level get messed up. That looks correct. Just to
be sure try this command in an elevated command prompt.

icacls C:\Users\Tom\Favorites /setintegritylevel (OI)(CI)low

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/


c:\Users\Tom\Favorites BUILTIN\AdministratorsF)
Tom-PC\TomI)(OI)(CI)(F)
NT AUTHORITY\SYSTEMI)(OI)(CI)(F)
Mandatory Label\Low Mandatory
LevelOI)(CI)(NW)

OK, now, what does it mean and how does it relate to my problem?
Recall, also, that I have removed the problem folders end entered new
folders of the same name so that I can once again save new URLs to
subfolders of Favorites.

Tom

Can you post the results of icacls for your favorites folder? At a
command prompt type:

icacls c:\username\favorites

or whatever the path to your favorites folder is.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/






Interesting read. As I understand it, there are characteristics to
each object that the casual observer/administrator can't see, let
alone modify/control.

Yes, and access can be denied before any "permissions" are checked.

As I said above, I tried taking ownership, turning off/on protected
mode etc,

I'm not sure turning off protected mode actually removes MIC from
other aspects of the system. It may just run IE elevated - I haven't
looked into it. Protected mode uses MIC not the other way 'round.



Don't think that IE ran elevated with Protected Mode turned off as IE
was still unable to write new shortcuts to the "moved" folders.
Recall that I as Administrator was able to write/copy files to those
folders, but IE was not. Interestingly, turning off UAC "fixes" the
problem, allowing IE to once again write to those "moved" folders.





but was only finally able (2 hours this afternoon) to get control
of my Favorites chain by dragging each folder in my favorites off
onto the desk top, creating a new folder in the Favorites chain of
a similar name and then dragging the shortcut contents of the moved
folders back into the new folders.

I'm guessing that my "user" account in creating new folders made it
so that IE had sufficient "Integrety" (medium) to then write to them
as well.



Sounds like an 'end run' around MIC to me. Glad you got it sorted.
I'm
thinking your favorites data became untrusted

Only certain folders - What I did was copy/move files and folders off
of the thumb drive to the new Favorites folder. I trusted the
folders I moved and my problem was to somehow convince Vista to trust
them too. Not sure how Vista would react to dumping a bunch of
folder/file data into a new Vista system. I guess IE or (I haven't
tried this) notepad wouldn't be able write to/modify that data.

due to the way you tried
to migrate it. It regained trust when you manipulated it on the
desktop.

Interesting that the folders were a problem and not the
shortcuts/executables.


Just guessing though.

If you right-click on any folder and choose properties and
security, you see the Group/user names (accounts?) and each of
their "Permissions". The FOLDERS that I had problems with had a
check mark under the allow/Special Permissions for
Administrators(that's me as there are no other users). The folders
that I had not problems with did NOT have a check mark under the
Allow/Special Permissions.

Now, whatever that means - MIC?

Nope, permissions again. Regular permissions are like ordering a #22
Chinese
take-out order. Special permissions sort of lets you pick from
columns A, B, C,
etc...for a better custom fit.

http://support.microsoft.com/kb/308419

XP stuff. Is Vista 64 the same?



Magic stuff. Will Windows 7 fix this?

I don't think so as it is not broken. I assume most people won't be
migrating their data this way.

But I think it its broken. Certainly not from the perspective of
computer science or secure business software, but from the
perspective of the "power user" who got used to doing things in a
reasonable way and gets a little upset when there seems to be no good
reason for it to change on MY computer. The thread above started by
Kathy resonates a little for me. The link you provided above
references Windows XP where none of this was an issue, (at least in
my experience) but now with Vista, we are suddenly not so much
masters of our own hardware system.

[...]


BTW FromTheRafters, I really appreciate the discussion and attempts
to educate - hard as it is ;<)