Why did Microsoft decide to give the ‘Temporary Internet Files’ folder the status of a Protected System File / Folder?


The ‘Temporary Internet Files’ folder (the browser cache) is, after all, a hotbed and breeding ground for viruses, Trojan downloaders and other malware downloaded from the internet. Apart from your ‘Windows’ folder, this is the one folder where one can expect to find most such malware files. So why is such a ‘hotbed’ given such protection, when even some Windows DLLs are not accorded that privilege?

Browsing the net exposes you to certain security risks: you could end up with spyware on your PC, have a Trojan downloader surreptitiously install an unwanted program, or even find your browser hijacked. Innocently clicking a link in an e-mail, or simply mistyping a web address, can land your browser on a ‘hostile’ site.

To mitigate these threats, IE7 in Vista runs in Protected Mode, and the cache is now treated as a virtual folder with the same low privilege as the Internet Explorer process itself.

Generally speaking, in Vista, processes run with integrity levels defined by the Mandatory Integrity Control (MIC) feature. ‘Protected Mode’ Internet Explorer runs as a ‘Low Privilege’ (low-integrity) process. This prevents Internet Explorer from writing to areas of the file system or the Registry that require a higher privilege.

What happens is that Vista creates a set of folders and files for use with ‘Protected Mode’ Internet Explorer. These folders and files share the same Low Privilege level as Internet Explorer.
The four ‘low privilege’ folders that IE7 in Vista uses in the course of daily operation are Cache, Cookies, History and Temp:

%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Low
%AppData%\Microsoft\Windows\Cookies\Low
%LocalAppData%\Microsoft\Windows\History\Low
%LocalAppData%\Temp\Low
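As an added example (not part of the original post), the PowerShell script below checks whether the four Low folders listed above actually carry the Low mandatory integrity label that allows the low-integrity IE process to write there, and prints the caller's own integrity level for comparison. It assumes Windows Vista or later with icacls.exe and whoami.exe on the path; the folder paths are the ones from the post.

```powershell
# Added example, not from the original post: audit the IE7 Protected Mode "Low"
# folders and report the mandatory integrity label on each. icacls prints the
# label as e.g. "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)", where NW is
# the No-Write-Up policy. Assumes Windows Vista or later.

$lowFolders = @(
    "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files\Low",
    "$env:APPDATA\Microsoft\Windows\Cookies\Low",
    "$env:LOCALAPPDATA\Microsoft\Windows\History\Low",
    "$env:LOCALAPPDATA\Temp\Low"
)

function Get-MandatoryLabel {
    param([string]$Path)
    # icacls only prints a label line when the object carries an explicit one;
    # an object with no label line is treated as Medium integrity by the system.
    $lines = & icacls.exe $Path 2>$null
    foreach ($line in $lines) {
        if ($line -match 'Mandatory Label\\(\w+) Mandatory Level:(\S+)') {
            return [pscustomobject]@{ Level = $Matches[1]; Flags = $Matches[2] }
        }
    }
    return $null
}

# The integrity level of this script's own process (Protected Mode IE runs at Low).
Write-Output "Current process integrity level:"
whoami.exe /groups | Select-String 'Mandatory Level'
Write-Output ""

foreach ($folder in $lowFolders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Output "MISSING  $folder"
        continue
    }
    $label = Get-MandatoryLabel -Path $folder
    if ($null -eq $label) {
        # No explicit label: defaults to Medium, so low-integrity IE cannot write here.
        Write-Output "NO LABEL $folder"
    } elseif ($label.Level -eq 'Low') {
        Write-Output "OK       $folder  [$($label.Level) $($label.Flags)]"
    } else {
        # A label other than Low means Protected Mode IE would be denied writes.
        Write-Output "CHECK    $folder  [$($label.Level) $($label.Flags)]"
    }
}
```

A folder reported as NO LABEL or CHECK is one where a low-integrity Internet Explorer would fail to write, which typically shows up as broken cookies, history or cache behaviour rather than as an explicit error.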

Vista also creates Virtual Folders to store files that Internet Explorer tries to save in protected locations. So, instead of letting an ‘add-on’ fail when it tries to write a data file to the Windows folder or Program Files, Vista redirects the write operation to a virtual equivalent.

Thus the program continues to operate, believing that it wrote the files to the system location, little realizing that the data actually got written to a hidden virtualized folder that mirrors the actual path and is stored under the ‘Temporary Internet Files’ folder.
In a similar fashion, any attempt to write to the registry is redirected to a Low-integrity area of the registry.
