Why does Protected View stay on even after I click Enable Editing?

Either the file has multiple risk triggers (for example, downloaded + came from Outlook), or the file itself has a corruption flag that Excel will not clear. Right-click the file in Explorer, Properties, and click Unblock if that box is visible.

Sandbox, Not Encryption

Excel Protected View — Not a Password

Q: Is Protected View the same as a password?

No. Protected View is a read-only sandbox mode Excel applies to files it considers risky — typically files downloaded from the internet, email attachments or files from network locations. There is no password involved; the file itself is not encrypted. Click Enable Editing on the yellow banner to exit.

Q: What is Mark of the Web?

Mark of the Web (MOTW) is a Windows alternate-data-stream flag (Zone.Identifier) that marks a file as having come from an untrusted zone — the internet, a downloaded archive, or an email attachment. Excel reads the MOTW and applies Protected View. Unzipping an archive propagates MOTW to extracted files in Windows 11.

Q: How is Protected View different from Excel Safe Mode?

Protected View is a per-file sandbox that Excel enters automatically for risky files. Safe Mode is a troubleshooting mode for Excel itself — started with Ctrl held while launching — which disables add-ins and customisations to diagnose a crashing Excel install. Completely unrelated mechanisms.

Q: My file is password-protected AND Protected View triggers — what order?

Excel evaluates Protected View first, showing the yellow banner. After you click Enable Editing, the password prompt appears. If you have forgotten the password, Protected View is irrelevant — you need to recover the password through another route.

"My Excel file will not open — it is locked." Nine times out of ten, when a user tells us that, the file is perfectly fine and Excel is simply showing Protected View, a read-only sandbox designed to keep malicious macros from running the instant you double-click a downloaded spreadsheet. There is no password on the file. The yellow banner along the top of Excel is advisory, not a lock. Click Enable Editing and the workbook opens normally. This page explains what Protected View is, when it triggers, how to disable it, how Mark of the Web interacts with it, and — importantly — the cases where Protected View is actually hiding genuine file corruption that you need to address differently.

What Protected View Actually Is

Protected View is a sandboxed, read-only mode that Excel (and Word, PowerPoint) applies when it thinks a file might be unsafe. The file opens in a restricted process with no write access, no macro execution, no external data fetching, no embedded-object activation. It looks and feels like the real workbook — you can scroll, read cells, inspect formulas — but you cannot edit or save until you explicitly take the file out of Protected View by clicking Enable Editing.

Microsoft introduced this feature in Office 2010 after a decade of headline-grabbing macro-virus outbreaks (Melissa, ILOVEYOU, LOCKY-via-XLSB, and so on). The idea is that even if you blindly open a malicious attachment, the file cannot do anything destructive until you consciously authorise it. The yellow banner — "PROTECTED VIEW Be careful — files from the Internet can contain viruses. Unless you need to edit, it's safer to stay in Protected View." — is the user-facing surface of the sandbox.

Importantly, the file itself is not modified, not encrypted, and not password-protected. Protected View is purely a client-side policy that Excel applies on open. Send the same file to someone else and they can open it normally as long as their Excel does not also flag it.

The Three Triggers

Excel applies Protected View for exactly three reasons, each toggleable independently:

Files originating from the internet. Windows attaches a "Zone.Identifier" marker to files downloaded via Edge, Chrome, Firefox and most mail clients. Excel reads that marker and sandboxes the file.
Files in potentially unsafe locations. By default Outlook's temporary attachment folder, the Downloads folder on some corporate images, and certain network shares are considered unsafe.
Files from Outlook attachments. Even if the file has no Zone.Identifier, Outlook marks its own attachment directory as untrusted and hands files off to Excel with a separate trust bit set.

A single file can satisfy multiple triggers at once. An .xlsx downloaded from an email attachment is flagged both as "from the internet" and "from Outlook", which means turning off the internet trigger alone is not enough to eliminate the yellow banner. Check the message inside the banner — Excel tells you exactly which rule it applied.

The classic confusion

"I cannot open my Excel file, it keeps saying Protected View — do I need to crack the password?" No. Protected View is not encryption. No math is holding the content away from you. The password-protection entry in the File → Info pane is a separate feature and shows up only if the file actually has a password. If you only see the yellow banner and no password prompt, the file is simply sandboxed. Click Enable Editing.

Mark of the Web (MOTW) in Windows

The plumbing under Protected View's internet trigger is an NTFS alternate data stream called Zone.Identifier. When a browser or mail client saves a file from the internet, Windows automatically writes a small text stream attached to the file:

[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.com/report.xlsx
HostUrl=https://example.com/report.xlsx

ZoneId=3 means "internet zone". Zone.Identifier is why a file you download keeps triggering Protected View even after you save it to your local disk, attach it to an email, extract it from a zip, or copy it to a USB stick — Windows carries the stream along.

You can remove MOTW in three ways:

Right-click → Properties → Unblock. A checkbox appears at the bottom of the General tab when a file carries MOTW. Tick it and click OK.
PowerShell: Unblock-File report.xlsx. Works on any file.
Command line: alternate-stream clear: echo. > "report.xlsx:Zone.Identifier". Fiddly but useful in scripts.

Windows 11 version 22H2 and later also propagate MOTW through extracted archives. Files inside a zip downloaded from the web now inherit the parent's Zone.Identifier, which closed a long-standing loophole. If you download a zip and extract it, every .xlsx inside still triggers Protected View until you Unblock them individually or use the Unblock option on the zip before extracting.

Trust Center Settings

For power users who want to tune Protected View rather than bypass it one file at a time, the Trust Center is the control panel:

File → Options → Trust Center → Trust Center Settings… → Protected View

The three checkboxes correspond to the three triggers listed above. Untick them and Excel will stop applying the corresponding rule. Do not untick all three unless you have a strong threat model. The rules exist because malicious Excel files from the internet remain one of the most common initial-access vectors in targeted attacks. Turning off Protected View globally is roughly equivalent to turning off User Account Control — possible, sometimes justified, usually a bad idea.

A middle-ground option is to use Trusted Locations (Trust Center → Trusted Locations) to whitelist specific folders. Files inside a Trusted Location bypass Protected View regardless of their MOTW. The folder C:\Users\YourName\Documents is on the default trusted list for personal files; you can add your company share drive or a specific project folder.

When Protected View Hides Real Corruption

Occasionally the yellow banner and Enable Editing button are the first sign of a genuinely broken file. Symptoms:

You click Enable Editing and Excel crashes instead of exiting Protected View.
The file opens in Protected View but the worksheet appears blank or shows "File failed to load" errors.
Excel says "Excel cannot open the file because the file format or file extension is invalid".
The file is over 50 MB and hangs indefinitely on the transition out of Protected View.

These are not Protected View problems — Protected View is simply where you happen to see the failure. The file itself is damaged or truncated, typically from an incomplete download, a mail server that stripped part of the attachment, or a storage error. The fix is to try File → Open → browse → select the file → click the small arrow next to Open → Open and Repair. Excel will either rebuild the workbook or report what it could salvage. See our dedicated repair Office file guide for the full procedure.

Macro-Enabled Files: .xlsm and Beyond

Protected View becomes more important for files with the .xlsm extension — Excel macro-enabled workbooks — because those files can execute VBA code the moment macros are enabled. Starting in Office 2022 and continuing in 365, Microsoft applies an additional rule: if an .xlsm file has MOTW, Excel blocks macros by default rather than prompting. The message reads "Microsoft has blocked macros from running because the source of this file is untrusted."

Unblock the file (Properties → Unblock) or put it in a Trusted Location, then reopen. If you cannot Unblock because you received the file as a corporate policy restriction, contact your IT department — Group Policy may be enforcing the macro-block behaviour across the organisation, separately from Protected View.

A subtle corollary: an .xlsm file from your own Documents folder, that you created yourself, has no MOTW and opens normally. The first time you email it to a colleague, it gets MOTW on their machine. The same file, two different experiences.

Excel Safe Mode — A Completely Different Thing

Users often confuse Protected View with Safe Mode. They are unrelated. Safe Mode is a troubleshooting mode for Excel itself, not for a specific file. You start it by holding Ctrl while launching Excel, or by running excel.exe /safe from the command line.

Safe Mode disables add-ins, custom templates, the Startup folder XLSTART, saved workbook recovery, and all user customisations. It is used to diagnose why Excel is crashing or behaving oddly: if Excel works fine in Safe Mode but crashes in normal mode, an add-in is the culprit. If Excel crashes in Safe Mode too, the installation itself is damaged and needs Quick Repair via Control Panel → Programs → Microsoft 365 → Change → Quick Repair.

Safe Mode does not apply to files; it applies to Excel. Protected View does not apply to Excel; it applies to specific files. Different layer, different purpose.

Step-by-Step: Get a Legitimate File Out of Protected View

Verify the source. If the file came from a person or system you trust, continue. If not, open it in Protected View, read the contents, and save a clean copy only if needed.
Close Excel. Actions on MOTW happen in Explorer, not in Excel.
Right-click the file → Properties. A checkbox labelled "Unblock" or "Security: This file came from another computer…" appears at the bottom of the General tab if MOTW is present.
Tick Unblock, click OK. Windows clears the Zone.Identifier stream.
Open the file in Excel. The yellow banner should not appear. If it does, the Outlook-attachment rule or the unsafe-location rule is still active. Open Trust Center and confirm the trigger, or move the file to your Documents folder.
If clicking Enable Editing crashes Excel, try Open and Repair. See our repair guide for details.

Protected View for Files Genuinely Locked With a Password

If a file is both downloaded (Protected View active) and password-protected (AES encryption applied), Excel evaluates Protected View first. You see the yellow banner, click Enable Editing, and only then does the password dialog appear. If you know the password, type it and carry on. If you do not know the password, Protected View is irrelevant — you cannot get past the AES encryption regardless of how you got out of the sandbox.

In that scenario the next step is password recovery, either locally with hashcat against an office2john hash or via a service. Our main Excel password recovery guide covers the recovery chances by Excel version and the typical attack strategies we use.

TL;DR

Yellow banner = Protected View = sandbox. Not a password.
Click Enable Editing to exit the sandbox.
Persistent banner = Mark of the Web from download or email. Right-click → Properties → Unblock.
Trust Center has three toggles for per-trigger control. Leave them on unless you really know why.
Safe Mode is for Excel itself, not for a file.
If Enable Editing crashes Excel, the file is corrupt — use Open and Repair.
A password prompt after Enable Editing means the file is actually AES-encrypted. Different problem, separate recovery path.

Frequently Asked Questions

Is Protected View the same as a password?

No. Protected View is a read-only sandbox Excel applies to risky files — downloaded, emailed, or from untrusted network locations. The file is not encrypted; click Enable Editing on the yellow banner to exit.

Why does Protected View stay on after I click Enable Editing?

Either the file has multiple risk triggers simultaneously (downloaded + Outlook attachment) or it carries a Mark of the Web flag that Excel will not clear. Right-click the file, Properties, click Unblock if the box is visible.

What is Mark of the Web?

A Windows alternate-data-stream flag that marks a file as having come from an untrusted zone. Excel reads it and applies Protected View. Windows 11 22H2+ propagates MOTW into extracted archive contents.

How is Protected View different from Excel Safe Mode?

Protected View is a per-file sandbox. Safe Mode is a troubleshooting mode for the Excel application itself, started by holding Ctrl when launching. They address completely different problems.

My file is password-protected AND Protected View triggers — what order?

Excel evaluates Protected View first (yellow banner). After Enable Editing, the password dialog appears. If you have forgotten the password, Protected View is irrelevant — you need to recover the password through a separate route.