With the recent revelation that all versions of Internet Explorer are vulnerable to a highly dangerous exploit, Enhanced Protected Mode (EPM) has become a more prominent security feature for Windows 8.x. Microsoft has promoted several workarounds to help mitigate the bug, and just recently simplified the list of workarounds, but it's come to light that running IE10 or IE11 with EPM enabled is the quickest, easiest solution of all.
EPM provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, EPM also limits the locations Internet Explorer can read from in the registry and the file system.
You can use Group Policy (GPO) to configure EPM for the organization, which lets you enforce the setting centrally.
If the policy is enabled, EPM is turned on, any zone that has Protected Mode enabled uses EPM, and users cannot disable EPM on their own. If the policy is disabled, EPM is turned off. Disabling it, though, forces Internet Explorer zones that have Protected Mode enabled to use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista. If you choose not to configure the policy at all, users can turn EPM on or off themselves on the Advanced tab of the Internet Options dialog in Internet Explorer.
Location in GPMC: Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Affected registry settings (the key path, followed by the value name after the `!`):
For Machine (Computer Configuration) level changes: HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Isolation
For User (User Configuration) level changes: HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Isolation
Supported for: Internet Explorer 10.0 or later
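
To confirm on a given machine which of the three policy states described above is in effect, the following added example (not Microsoft's code and not part of the original article) reads the `Isolation` value from both policy keys. The function name `Get-EpmPolicyState` is hypothetical, and the script assumes the policy template writes the string `PMEM` when the policy is enabled and `PMIL` when it is disabled.

```powershell
# Added example: report the EPM policy state from the registry values listed above.
# Assumption: Isolation is a string, "PMEM" = policy enabled, "PMIL" = policy disabled.
# Get-EpmPolicyState is a hypothetical helper name, not a built-in cmdlet.
function Get-EpmPolicyState {
    [CmdletBinding()]
    param()

    # HKCU reflects only the user running the script.
    $policyKeys = [ordered]@{
        'Machine (Computer Configuration)' = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main'
        'User (User Configuration)'        = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main'
    }

    foreach ($scope in $policyKeys.Keys) {
        $path  = $policyKeys[$scope]
        $value = $null

        # A missing key or a missing value both mean the policy is not configured.
        if (Test-Path -LiteralPath $path) {
            $item = Get-ItemProperty -LiteralPath $path -Name 'Isolation' -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.Isolation }
        }

        if ($null -eq $value) {
            $state = 'Not configured: users control EPM on the Advanced tab'
        }
        elseif ($value -eq 'PMEM') {
            $state = 'Enabled: EPM enforced, users cannot disable it'
        }
        elseif ($value -eq 'PMIL') {
            $state = 'Disabled: zones use the IE7-era Protected Mode'
        }
        else {
            # Anything else was not written by the policy as assumed; flag it for review.
            $state = 'Unexpected value: review manually'
        }

        [pscustomobject]@{
            Scope     = $scope
            Path      = $path
            Isolation = $value
            State     = $state
        }
    }
}

Get-EpmPolicyState | Format-List
```

Run it in the user's own session to see the per-user result, and compare the output with `gpresult /h report.html` if the value does not match what the GPO is expected to apply.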