Executable content poses a threat of unauthorized access because it contains program code running on the user's machine. Protecting against executable content is difficult because of the inevitable flaws in the implementation of protection mechanisms. This paper introduces a hierarchical protection model to tolerate flaws in protection mechanisms. This model improves both the granularity and the robustness of protection mechanisms by nesting two protection domains: a level-1 protection domain to provide fine-grained access control on executable content, and a level-2 protection domain to act as a fail-safe mechanism. We achieved an efficient implementation of the hierarchical protection model that incorporated the fine-grained protection domains proposed in our previous paper.