Researchers at Verizon Business identifies a method through which an attacker can bypass Internet Explorer Protected Mode and gain elevated privileges once he's successfully exploited a bug on the system. The technique enables the attacker to move from a relatively un-privileged level to one with higher privileges, giving him complete access to the logged-in user's account.
The key method through which IE Protected Mode mitigates exploitation of browser bugs is by running many processes in low-integrity mode with very low privileges on the machine. The idea is that even if an attacker is able to exploit a vulnerability and get onto a machine, his code willn't be able to do anything of consequence on the PC. However, not all sites and processes are treated equally in Protected Mode.
"Protected Mode in IE is one of a handful of key security mechanisms that Microsoft has added to Windows in the last few years. It's often described as a sandbox, and is designed to prevent exploitation of a vulnerability in the browser from leading to more persistent compromise of the underlying system."
Here's the full paper: