BUILTIN\Users groups read access is not protected with read-restrictions. Other folders, such as the
per-user profile folder, that don't grant such access are protected. Note that many user-account
protected network shares don't grant access to everyone. So, again, those would be protected.
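To check which folders fall outside read-restrictions for this reason, the following added example (not code from this guide, and not the product's actual check) parses `icacls` output and lists the paths whose ACL gives BUILTIN\Users an allow entry that includes read. The function name `readable_by`, the `CORP\alice` account and all paths in the sample are assumptions constructed for illustration.

```python
import re

# icacls right abbreviations that include reading file data or listing a folder.
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "GA", "RD"}

def readable_by(icacls_text, principals=(r"BUILTIN\Users",)):
    """Paths whose ACL has an allow ACE giving a listed principal read access.

    Hypothetical helper: it approximates, from ACEs alone, which folders the
    guide says read-restrictions do not cover.
    """
    names = "|".join(re.escape(p) for p in principals)
    ace_re = re.compile(rf"(?:^|\s)(?:{names}):((?:\([^)]*\))+)\s*$", re.IGNORECASE)
    flagged = []
    for block in re.split(r"\n\s*\n", icacls_text.strip("\n")):
        lines = block.splitlines()
        for i, line in enumerate(lines):
            m = ace_re.search(line)
            if not m:
                continue
            tokens = {t.strip().upper()
                      for grp in re.findall(r"\(([^)]*)\)", m.group(1))
                      for t in grp.split(",")}
            # Deny ACEs grant nothing; inherit-only (IO) ACEs apply to children only.
            if {"DENY", "IO"} & tokens or not READ_RIGHTS & tokens:
                continue
            if i == 0:   # first line of a block is "<path> <ACE>"
                path = line[:m.start()].strip()
            else:        # continuation lines are indented by len(path) + 1
                indent = len(line) - len(line.lstrip())
                path = lines[0][:indent].rstrip()
            flagged.append(path)
            break
    return flagged

# Constructed sample output; CORP\alice and every path are made up.
SAMPLE = r"""
C:\Users\Public BUILTIN\Administrators:(OI)(CI)(F)
                BUILTIN\Users:(OI)(CI)(RX)

C:\Users\alice\Documents NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                         CORP\alice:(I)(OI)(CI)(F)

D:\Drop Box BUILTIN\Users:(DENY)(R)
            BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
            CORP\alice:(F)

\\fs01\shared BUILTIN\Users:(RX,W)
"""

if __name__ == "__main__":
    for p in readable_by(SAMPLE):
        print("not covered by read-restrictions:", p)
```

Reading ACEs this way ignores group nesting and share-level permissions, so treat the result as a first-pass inventory rather than an effective-access calculation.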
3.4.2 User experience
There is no UI to turn read-restrictions on or off: this feature is an enhancement to the existing Protected
Mode feature and is always enabled as part of it.
Read-warning dialogs
Like Protected Mode generally, the new behavior should be transparent to users except for new
confirmation dialogs that may now appear under certain scenarios. A few confirmation dialogs are
necessary for workflows that require Reader in Protected Mode to read arbitrary files. These files include
files that were neither explicitly opened by the user nor required by Reader to store its preferences and so
weren't white-listed for access. In such cases, the broker is forced to check with the user before granting
the Protected Mode sandbox read access to those files. As the feature evolves in the course of A11
development, it is expected that users will rarely encounter situations where they will see these dialogs.
A confirmation dialog is shown for the following cases:
• When the user clicks a link in a PDF that points to another PDF on the user's disk ("interdoc PDF
link"). Note that this is not applicable for internet links (where a different dialog is already shown),
but only to links to PDFs on the local disk.
• When the PDF has a multimedia annotation that references a media file kept at a read-restricted
location on the user's disk or a network share.
• When a PDF tries to access data from an FDF file kept at a read-restricted location on the user's
disk or a network share.
• When an FDF or XFDF is opened and it tries to reference a PDF file kept at a read-restricted
location on the user's disk or a network share.
• When the user tries to open a review from the review tracker.
Note that these are restricted to access to the user's disk or network share, not an HTTP(S) URL. So
these dialogs almost never appear in the browser. For example, in a browser situation, an FDF or PDF in
cases 3 or 4 above will be on an HTTP(S) server, and so will not be impacted. Also, most "interdoc PDF
links" on the web will be to PDFs on the web, not the user's machine or network share.
Search-warning dialogs
Finally, it is impossible to securely support the index search and Reader's desktop search features via
Edit > Advanced Search > Show more options with read-restrictions enabled. So if the user tries to
use any of the following features, a warning is thrown: "The operation you are trying to perform potentially
requires read access to your drives. Do you want to allow this operation?".
If the user allows the operation, read-restrictions are temporarily disabled while that Reader process is
running. In this case, Protected Mode is ON, but it will temporarily grant the sandbox read access to all of
the user's files. Once the user restarts the Reader process, Protected Mode read-restrictions will again be
in place. The idea is that rather than having the user turn Protected Mode completely off to use these
index-search or desktop-search features, it is better to turn off just read-restrictions temporarily.
The dialog appears in the following scenarios:
1. When the user tries to open an index (PDX) file.
2. When the user tries to search inside an already selected or shelved index, inside a folder, or in an
index linked to a PDF.
3.4.3 Policy rules
Section 3 Protected Mode
Application Security Guide