Author: Mats Halfvares, Content Studio development team.

Published: 2008-10-07

Applies to:
  • Internet Explorer 7 and later
  • Content Studio ver. 5.0 and 5.1 running on Vista/Server 2008

Type: Information


You receive the error message "Access is denied" when you try to upload a Content Studio document.


This error can occur when you upload a document to a local Content Studio installation where you are authenticated using Windows Authentication (using your current Windows login credentials) and Internet Explorer runs in protected mode (the default for all security zones except the Trusted sites zone). In Windows Vista / Server 2008, protected mode stops Internet Explorer from accessing almost every location in the local file system. When you run Internet Explorer against a web site on the local machine, the local IIS impersonates the user and, with it, the protected mode restriction. When Content Studio tries to save the uploaded file in the temporary directory using the low-level (untrusted) process, access is denied. This new security feature, introduced in Windows Vista / Server 2008, is called Windows Integrity Mechanism and prohibits unsafe processes from doing unwanted things with your computer.


You have several options to solve this problem.

Use Basic clear text authentication

You can turn off Windows Authentication in the IIS and only use the standard Basic Clear text authentication mechanism. However, this means that user names and passwords are sent in clear text from the Web browser to the server.

Turn off protected mode

If your web site is in the Local Intranet zone (most likely), this can be done relatively safely. You can turn off protected mode in the Internet Options dialog. Navigate to the Security tab and select the relevant security zone. Uncheck the Enable Protected Mode checkbox and restart Internet Explorer.


Never turn off Protected Mode in the Internet or the Restricted sites zones.

Run Internet Explorer as an administrator

When Internet Explorer runs as an administrator, protected mode is turned off, which means that IE runs with normal process integrity and the impersonated process has the right to write to the Content Studio temporary directory.

Lower the integrity level of the Content Studio temporary folder

You can use the CS 5.2 version of CS5Prepare.exe to lower the integrity level of the Content Studio temporary folder. This means that Windows allows processes with low integrity to access this folder.

Start a new command prompt with administrative privileges and enter the following command:

PATH/CS5Prepare.exe /templow "CS SITE PATH"

PATH refers to the location of CS5Prepare.exe
CS SITE PATH refers to the file system location of the Content Studio web site root folder.

CS5Prepare.exe distributed with versions of Content Studio prior to 5.2 does not include functionality to change the integrity level. In this case you can use the Icacls.exe tool to accomplish the same thing.
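The Icacls.exe route, as an added example that is not part of Content Studio or the original article: the script sets an inheritable Low integrity label on one folder and then checks that the label is present. The `$TempFolder` parameter is a placeholder for the Content Studio temporary folder, whose location this article does not give; the script assumes PowerShell 2.0 or later and an English Windows installation.

```powershell
# Added example, not Content Studio code. Run from an elevated PowerShell prompt.
# $TempFolder is a placeholder: point it at the Content Studio temporary folder
# only, never at the web site root, so low-integrity writes stay confined there.
param(
    [Parameter(Mandatory = $true)]
    [string]$TempFolder
)

$ErrorActionPreference = 'Stop'

# Changing a mandatory integrity label requires an elevated process.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated prompt.'
}

if (-not (Test-Path -LiteralPath $TempFolder -PathType Container)) {
    throw "Folder not found: $TempFolder"
}

# (OI)(CI) makes the Low label inherit to files and subfolders created later.
# The quotes stop PowerShell from parsing the parentheses as an expression.
& icacls.exe $TempFolder /setintegritylevel '(OI)(CI)L'
if ($LASTEXITCODE -ne 0) {
    throw "icacls failed with exit code $LASTEXITCODE"
}

# Verify: icacls lists an explicit label as "Mandatory Label\Low Mandatory Level".
# The label text is localized; this match assumes an English Windows installation.
$acl = & icacls.exe $TempFolder
$acl
if (-not ($acl -match 'Low Mandatory Level')) {
    throw 'Low integrity label not found on the folder after the change.'
}
```

The label only removes the integrity block; the impersonated user still needs NTFS write permission on the folder.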

This problem is related to Internet Explorer only. Other web browsers, such as Firefox, cannot do a full Windows Integrated authentication and probably do not run in protected mode either.


This problem has been fixed in Content Studio version 5.2.