Does IE object type overflow work only on an Administrator account?

Does IE object type overflow work only on an Administrator account?

I'm puzzled by the following behaviour on a default install of WindowsXP Pro (IE 6.0):

Using html page containing: <object type =

"[/x64]AAAAAAAAAAAAAAAAAA">whatever

As a user with Administrator priveleges with default security settings, IE crashes (buffer is overflowed). As a user with Administrator priveleges with IE security settings set to "high", IE still crashes.

As a user with limited priveleges, the page loads fine and "whatever" appears on the screen. IE doesn't crash. The urlmon function causing the buffer overflow is never called by IE. (the breakpoint doesn't break) In this case, changing IE's security settings to "low" doesn't make a difference.

Does IE treat a user with limited priveleges differently than with Administrator priveleges? Am I simply missing a setting somewhere?

Any words of wisdom?

Thanks,
Kathy

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek