There is an implementation flaw that causes 'RES://' URIs to always be mapped to the 'Internet' security zone context. This allows downloaded files carrying the 'Mark-of-the-Web' (MOTW) to reference arbitrary local files in HTML 'Iframe' elements and further inject script code into them. Local files that do not carry a MOTW should belong to the 'Local' security zone when a particular feature control, 'Local Machine Lockdown', is not enabled for the application hosting the IE core, and therefore they should not be accessible from an 'Internet' context.

Because the 'Local' security zone always has the setting "Web sites in less privileged web content zone can navigate into this zone" set to "Deny", such a reference from an 'Internet' context naturally yields an "Access denied" error. What has been observed is that by using the same 'RES://' URI referenced in the HTML 'Iframe' element in a modal dialog instead, this 'Local' security zone access block can be bypassed: this time the 'RES://' URI is correctly mapped to the 'Local' security context and the script code runs with high privileges, allowing arbitrary code execution.

Vulnerable versions: v.12 on Windows 7 SP1, 8.1, 10 LTSC 1507 and 1511 (x86/x64).

Full exploit PoC: https://github.com/Edubr2020/WMP_WMDRM_RES_RCE/blob/main/wmp_wmdrm_res_PoC.zip

Video demo: https://www.youtube.com/watch?v=QmG9_biXNTs
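As an added defender-side check that is not part of the original advisory: the zone reasoning above depends on whether the 'Local Machine Lockdown' feature control (FEATURE_LOCALMACHINE_LOCKDOWN) is enabled for the process hosting the IE core. The script below reports which process names have that control set in the standard Internet Explorer feature-control registry locations; the host process name wmplayer.exe is an assumption, since the advisory does not name the executable.

```powershell
# Added example (not from the advisory): audit FEATURE_LOCALMACHINE_LOCKDOWN,
# the feature control the advisory's 'Local' zone reasoning depends on.
# Assumption: the IE-core host of interest is Windows Media Player, wmplayer.exe.

$HostExe = 'wmplayer.exe'
$Paths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'
)

$results = foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        [pscustomobject]@{ Path = $p; Process = '(key absent)'; Enabled = $false }
        continue
    }
    $key = Get-Item -LiteralPath $p
    foreach ($name in $key.GetValueNames()) {
        # A value named after the executable (or '*' for all processes) set to DWORD 1
        # enables the feature control for that process.
        $v = $key.GetValue($name)
        [pscustomobject]@{ Path = $p; Process = $name; Enabled = ($v -eq 1) }
    }
}

$results | Format-Table -AutoSize

$covered = $results | Where-Object { $_.Enabled -and ($_.Process -ieq $HostExe -or $_.Process -eq '*') }
if ($covered) {
    "Local Machine Lockdown is enabled for $HostExe in at least one location."
} else {
    "Local Machine Lockdown is NOT enabled for $HostExe; local files without a MOTW fall into the 'Local' zone as the advisory describes."
}
```

Run it in an elevated PowerShell session so that the HKLM keys are readable; the output only reports configuration and does not change any setting.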
References:
https://github.com/Edubr2020/WMP_WMDRM_RES_RCE/blob/main/README.md