We've got an application that is deployed throught ClickOnce. When we install it from an URL, this application has the security zone "Internet Zone".
As I mentionned in the title, I'd like to find a way to know the list of privileges granted to an application that runs from the "Internet Zone".
on IE settings, Under the 'Security' tab, the default settings for 'Internet' are 'Medium-high'. If you click the 'Custom level...' button on this page it will give you details of what can and cannot be done at this level.
In addition to the Security Zone settings, applications that run in the Internet Zone should have an Integrity Level of "Low". This provides an additional level of hardening. For example, applications with Low integrity level cannot write to folder locations unless the folder locations also have the Low integrity level.
Low integrity level IE windows have write access only to the Temporary Internet Files\Low folder, History, Cookies, Favorites, and the HKEY_CURRENT_USER\Software\LowRegistry key. This prevents IE from writing anywhere else in the file system or registry - so no more silent installs of keystroke loggers into your Startup folder. And because the desktop runs at medium integrity, they can’t send messages to it - thwarting shatter-style attacks.
Process integrity levels may be viewed with Process Explorer.
Folder integrity levels can be viewed with ICACLS.exe. Integrity levels can also be specified on application binaries, although that may only be appropriate for kiosk scenarios.
More information:
https://blogs.msdn.com/b/cjacks/archive/2006/10/24/modifying-the-mandatory-integrity-level-for-a-securable-object-in-windows-vista.aspx
Mandatory integrity control
https://blogs.technet.com/b/steriley/archive/2006/07/21/442870.aspx