June 10, 2004 02:10 PM

New Adware Scheme Takes Advantage of IE Vulnerabilities

Windows IT Pro
InstantDoc ID #42953

A malicious adware creator is taking advantage of two vulnerabilities in Microsoft Internet Explorer (IE) to surreptitiously install adware products and pop-up ad generators on users' computers as they browse the Web. The flaws, which let attackers run code on victims' machines and let malicious code bypass IE's security zones, were only recently discovered. 
  
"We consider that any use of an exploit to run a program is a criminal use," Microsoft Security Program Manager Stephen Toulouse said. "We are going to work aggressively with law enforcement to prosecute individuals or companies that do so." Toulouse said that the company is now working with the Federal Bureau of Investigation (FBI) to track down the culprits and that Microsoft will likely issue an IE patch to fix the problem soon instead of waiting for next month's regularly scheduled batch of security fixes.
  
Although reports vary, the malicious code apparently installs an ILookup search toolbar that changes IE's home page and connects to adware-related sites, generating pop-up windows and, occasionally, even desktop shortcuts. The effects are similar but not identical to the behavior I saw during a recent Trojan attack, which I've documented in three parts in Windows & .NET Magazine UPDATE (see the links below). In my case, my machine was infected after I inadvertently turned off Windows Firewall in Windows XP Service Pack 2 (SP2) and used Google to search for video game hints. One of the pages that came up in the Google search results loaded the offending code.

Still Waiting for a Truly Secure System

Details About the Trojan Attack 

My Trojan War Becomes a Quagmire

I hope Wendy read Paul's comments today: "Also, based on feedback from several readers, I'm going to reinstall XP on my main desktop PC, take it off the domain, and try to live with a non-Administrator account on a nonmanaged box. I've been told by a number of people that this process is a lot less painful than it used to be, and I've frankly not tried it in a while, so I'll give it a shot."


When installing software that was unwisely designed to require elevated permissions to run:

Sign on with a local administrator account to change the account you use regularly from a User to an Administrator via Control Panel - Users and Passwords.
Log on to your regular account that now has Administrator privileges.
Run a (free) program such as InstallWatch or InstallRite http://www.epsilonsquared.com/ to record the changes made to the registry during the installation.
Install the desired software.
Use regedt32's Security menu - Permissions to give your regular account Full Control to the desired program's registry branches.
You may need to use Windows Explorer to likewise give Full Control to the program's folders.
Set the account back to User via Control Panel - Users and Passwords.

For surfing, you may want to install the latest version of Mozilla Firefox http://mozilla.org/ and set it as the default browser. Only use IE for the sites that were unwisely designed to work only in IE.

Also, give a much needed security zone fix to IE with the free Qwik-Fix utility from PivX Solutions http://www.pivx.com/qwikfix/index.html

C. F. Bernard 6/15/2004 1:56:42 PM
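The permission steps above (Full Control on the program's registry branch and on its folders for the regular account) written out as a script. This is an added example, not part of C. F. Bernard's comment or any vendor's tooling; it is a modern PowerShell rendering of what the comment does by hand in regedt32 and Windows Explorer. The account name alice, the key HKLM:\SOFTWARE\ExampleVendor\ExampleApp and the folder C:\Program Files\ExampleApp are placeholders; run it from an administrator session (for instance one started with RunAs) and it leaves the everyday account a limited User.

```powershell
# Added example, not from the comment: grant one standard user Full Control on
# one application's registry branch and program folder, so the everyday account
# can stay a limited User instead of being made an Administrator.
# Account, key and folder below are assumed placeholders; substitute your own.
param(
    [string]$User       = "$env:COMPUTERNAME\alice",                  # assumed standard user
    [string]$RegPath    = "HKLM:\SOFTWARE\ExampleVendor\ExampleApp",  # assumed app key
    [string]$FolderPath = "C:\Program Files\ExampleApp"               # assumed app folder
)

# Changing ACLs under HKLM and Program Files needs an administrator session
# (e.g. started with: runas /user:Administrator powershell). Refuse otherwise.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $id
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an administrator session; the grant is not applied."
}

# Registry: Full Control for $User on the branch, inherited by every subkey.
$regAcl  = Get-Acl -Path $RegPath
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $User,
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]"ContainerInherit",
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $RegPath -AclObject $regAcl

# File system: Full Control for $User on the folder, its subfolders and files.
$fsAcl  = Get-Acl -Path $FolderPath
$fsRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $User,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$fsAcl.AddAccessRule($fsRule)
Set-Acl -Path $FolderPath -AclObject $fsAcl

# Print the entries that now apply to $User so the grant can be reviewed.
(Get-Acl -Path $RegPath).Access    | Where-Object { $_.IdentityReference.Value -eq $User }
(Get-Acl -Path $FolderPath).Access | Where-Object { $_.IdentityReference.Value -eq $User }
```

The grant is deliberately scoped to one key and one folder: the account gains write access only where the badly written program needs it, and the rest of HKLM and Program Files stays read-only to it, which is what keeps a drive-by install of the kind described in the article from landing in system locations.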


Without calling anyone dead right or dead wrong, Wendy, it ultimately comes down to what things you need to do when you are logged into Windows. The average user does not need to do administrative stuff very often on their system; thus, they should be using a restricted account. Even as a developer, I use a limited account for all my day to day work. I always keep a command prompt window open, which I started with RunAs, using my administrative account. To install setup files or do other things as an admin, I just enter it from this command prompt. Rarely do I actually ever log into Windows using the admin account.

I will say that Paul has a valid point: It is true that many applications are ignorant of rights. This is an unfortunate consequence of the long, widespread use of Windows 9x, in which everyone is always an administrator. The concept of different user types and privileges has been around since NT 3.1; it is now up to ISVs to create applications that work properly in these secure environments.

Rather than always run as Admin to appease these applications, run as a limited user and then run only these specific apps as Admin. I mean, if you have an app that needs to connect to the internet, do you disable your entire firewall or do you just open the specific ports to the specific application?

Regarding XP Home Edition's "crippled" limited user account: It is what I use to do all my web surfing, email, and even all of my programming. It doesn't provide the granularity in user permission like XP Pro, because the average home user doesn't need this.

Microsoft has done a lot to encourage developers to focus on "least privilege" when writing their apps, so that they work in limited accounts. Unfortunately though, Microsoft has not been educating home users to use limited accounts for their non-admin activities.

Windows also needs to be like OS X by allowing a limited user to seamlessly switch to the admin account (via password) on demand when accessing an admin feature. Currently, Windows does prompt when you run a program named "Setup.exe", "Install.exe", etc., but it needs to go further.

The NT security model provides a lot of protection when you use a limited account. You don't see Unix/Linux users doing all their work (including web browsing) as root. Yes, it may take some getting used to, but limited accounts really do protect you.

jonathan 6/14/2004 3:45:17 PM


I've been surfing with the 'Internet zone' set to High+ for years. When I feel that I must view a site at a lower setting I put it in my Trusted sites. However, my Trusted zone is not the default level, rather it's set at Medium+. I just got tired of all the c**p that scripting and ActiveX enables .. so I surf without it. Scripting is a great thing but only in the hands of responsible people.

stephen 6/12/2004 10:08:10 PM


WWW.OPERA.COM no exploits no activex junk no popups why bother with ie????????

Graeme Evans 6/12/2004 9:16:25 AM


There will be no truly secure system ever, and efforts in that direction are mostly a waste of time, a Sisyphean effort. If you rely for the protection of your home only on perfect locks and doors, while there's no police in your town, you will be robbed anyway. Microsoft is on the right track taking it to law enforcement. The same should be done about all that incredible flow of fraud that comes as spam.

Vadim 6/12/2004 6:41:19 AM


Those who still use Microsoft Internet Explorer deserve every single virus, trojan, worm, adware, and any other infection that they get. Using IE today is just ludicrous, and anyone who still does is a moron - plain and simple.

By the way, it's high time Microsoft applied for a patent on vulnerabilities and security holes.

Mike 6/11/2004 3:45:01 PM


"just think how much less of an impact these executable attachments would have if they were run by a limited user!"

Whopee! Let's limit ourselves to only basic functionality to protect the world from a shoddily-written OS! Wow! Imagine the fun!

Elsewhere, the redoubtable Mr. Thurrott writes, "On a related note, several readers mentioned that they hoped I hadn't been running the laptop with an Administrator-level account. Sadly, on a nonmanaged XP machine today, it isn't realistic to run without Administrator privileges. Unlike UNIX and UNIX-like systems such as Linux and Apple Computer's Mac OS X, Windows isn't very useable with a non-Administrator account, largely because so many applications are ignorant of rights and were written to work only with Administrator-level accounts. This is particularly problematic in a home environment, in which XP Home Edition's crippled Limited Account type, designed for children and less-technical users, is virtually useless. The machines I use are all using XP Professional Edition, of course, but the net effect is the same: Unless and until Microsoft changes the way local user accounts work and gets application and driver writers to sign on board, it's not possible to take this obvious step toward securing an unmanaged Windows system unless you're willing to give up a lot of functionality."

Yeah. Let's give up a lot of functionality. Sounds like a great solution to me. Paul is dead-on in these remarks, and you, "Jonathon", are dead wrong.

wendy 6/11/2004 11:09:04 AM


Microsoft suggests setting the browser security level to High. This is brilliant, because it also blocks a whole bunch of really annoying ads. Thank you, Microsoft!

Donn Edwards 6/11/2004 7:42:43 AM


This is a perfect example of why people should do almost everything from a limited Windows account--your Windows and Program Files folders are write-protected, ActiveX controls can't be installed, etc.

Going to windowsupdate.com, or going somewhere to download and install an ActiveX control intentionally, is the only case where you should be using an administrative account to browse the web. Same thing for email--just think how much less of an impact these executable attachments would have if they were run by a limited user! It doesn't mean you're completely safe, but it sure makes things a lot safer.

Unfortunately, it doesn't appear that Microsoft is doing anything with XP2 to educate people to use limited accounts, and that's a real shame.

jonathan 6/10/2004 6:47:26 PM


IE is AWESOME!

Name_(required): 6/10/2004 1:47:44 PM

