Loading an .xbap file (XAML Browser Application) from IE causes the browser to hand it off to whatever application handles the .htm extension — which in practice means the user’s default browser. That default browser opens at Medium integrity level rather than Low, instantly bypassing IE’s Protected Mode without any additional steps.
<a href="xbap.xbap">Click to open your default browser</a>The link can also be triggered programmatically with .click(), so no explicit user action beyond page load is strictly required. The resulting process runs at a higher integrity level than the Protected Mode IE tab it originated from, which undermines the sandbox boundary. It may not be a severe standalone issue, but the integrity-level elevation is the kind of primitive that can feed into larger chains. Tested on Win8 IE10.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.