Friday, September 22, 2006

from Security Watch in PC Magazine - Change the Privileges of an Application

Security Watch from PC Magazine - Security Tips Galore: "Change the Privileges of an Application"

"From a security standpoint, running with your user privileges as low as possible is always best. On the other hand, running as an Administrator is especially bad. But even if you supervise a network and need to do much of your work logged in as an administrator, you still shouldn't run certain dangerous applications—most prominently Internet Explorer—as Administrator.


You can drop the privileges for such applications, though, using a capability that is new in Windows XP and Windows Server 2003, but not exposed in the user interface. A Microsoft engineer has written a program to expose the facility and also penned an explanation in his article "Browsing the Web and Reading E-mail Safely as an Administrator".

Download and install the DropMyRights.msi file, which will install both the dropmyrights.exe program and its source code on your system."

Dropmyrights.exe is a command-line utility that takes the program you want to run as its first argument. The second argument is 'N,' 'C,' or 'U.' These correspond to Normal user (the default), Constrained user, and Untrusted user. For example:

    DropMyRights.exe "c:\Program Files\Internet Explorer\iexplore.exe" c

runs Internet Explorer as a constrained user. For convenience, you can create a Windows shortcut that executes the command line and give the shortcut a descriptive name like "Internet Explorer (Constrained)." You'll find details about what these user levels mean in the Microsoft article.
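
The shortcut described above can be created with a script. This is an added example, not part of the PC Magazine tip or the Microsoft tool; the helper name New-DropMyRightsShortcut is hypothetical, and the location of DropMyRights.exe is a placeholder because the page does not say where the MSI installs it.

```powershell
# Added example: create a desktop shortcut that starts a program through
# DropMyRights.exe at one of the levels described above (N, C or U).
# New-DropMyRightsShortcut is a hypothetical helper name.
function New-DropMyRightsShortcut {
    param(
        # Full path to DropMyRights.exe; not given on the page, so the caller supplies it.
        [Parameter(Mandatory)][string]$DropMyRightsPath,
        # Program to launch with reduced rights.
        [Parameter(Mandatory)][string]$TargetPath,
        # N = Normal user (default), C = Constrained, U = Untrusted.
        [ValidateSet('N', 'C', 'U')][string]$Level = 'N',
        [Parameter(Mandatory)][string]$ShortcutName
    )

    # Refuse to write a shortcut that points at a missing binary.
    foreach ($p in $DropMyRightsPath, $TargetPath) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            throw "File not found: $p"
        }
    }

    $desktop = [Environment]::GetFolderPath('Desktop')
    $lnkPath = Join-Path $desktop "$ShortcutName.lnk"

    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath = $DropMyRightsPath
    # Quote the target so a path containing spaces stays a single argument.
    $lnk.Arguments = '"{0}" {1}' -f $TargetPath, $Level
    # Reuse the target's icon so the shortcut is recognisable.
    $lnk.IconLocation = "$TargetPath,0"
    $lnk.Description = "$ShortcutName (started via DropMyRights, level $Level)"
    $lnk.Save()
    return $lnkPath
}

# Placeholder path: replace with the folder where the MSI put DropMyRights.exe.
# Until it is replaced, the call stops with "File not found".
New-DropMyRightsShortcut `
    -DropMyRightsPath 'C:\PATH\TO\DropMyRights.exe' `
    -TargetPath 'C:\Program Files\Internet Explorer\iexplore.exe' `
    -Level C `
    -ShortcutName 'Internet Explorer (Constrained)'
```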