Tuesday, February 14, 2006

Use Group Policy Software Restrictions to control LUA

The least-privileged user account (LUA) principle is great, but in some situations it is very hard to implement. One of these places is my home computer :), which is shared by all the family members. Running games etc. without admin permissions is almost impossible.

While reading the article "Applying the Principle of Least Privilege to User Accounts on Windows XP", I was linked to "Browsing the Web and Reading E-mail Safely as an Administrator, Part 2" and discovered something new about the Software Restriction feature of Group Policy. I have been using Software Restriction for a while. I use it to prevent spyware from starting, because Software Restriction is 'stronger' than administrative permissions.
What I discovered, reading the article, was that there is a hidden feature that can be enabled. This feature, called 'Basic User', gives Group Policy control over programs. This means that you can force programs, like Internet Explorer, to start in restricted mode (the same as using Run As with the "Protect my computer and data from unauthorized program activity" option) without any user intervention.

Right now, I have implemented it and am giving it a go. Let's see if my kids start to scream...
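
One way to switch on the hidden 'Basic User' level and then check which programs it covers, as an added example that is not from the original post or the linked articles. It assumes the standard Software Restriction Policies registry key and the `Levels` value, treated here as a bit mask of visible levels; the function names are made up for this sketch, and it needs PowerShell 3 or later in an elevated prompt.

```powershell
# Added example. Assumed location of machine-wide Software Restriction Policies.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SAFER level IDs; rules live under a subkey named after the decimal ID.
$levelNames = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'Constrained'
    131072 = 'Basic User'      # 0x20000, the hidden level discussed above
    262144 = 'Unrestricted'
}

function Enable-BasicUserLevel {
    # Make the Basic User level selectable without dropping levels already enabled.
    if (-not (Test-Path $base)) { New-Item -Path $base -Force | Out-Null }
    $current = (Get-ItemProperty -Path $base -Name Levels -ErrorAction SilentlyContinue).Levels
    if ($null -eq $current) { $current = 0 }
    $new = $current -bor 0x20000
    New-ItemProperty -Path $base -Name Levels -Value $new -PropertyType DWord -Force | Out-Null
    return $new
}

function Get-SrpPathRule {
    # List every path rule together with the security level it enforces.
    foreach ($id in $levelNames.Keys) {
        $paths = Join-Path $base "$id\Paths"
        if (-not (Test-Path $paths)) { continue }
        Get-ChildItem -Path $paths | ForEach-Object {
            $rule = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Level       = $levelNames[$id]
                Path        = $rule.ItemData
                Description = $rule.Description
            }
        }
    }
}

$levels = Enable-BasicUserLevel
Write-Output ('Levels is now 0x{0:X}' -f $levels)

$rules = @(Get-SrpPathRule)
$rules | Sort-Object Level, Path | Format-Table -AutoSize

# Check that the browser is actually forced down to Basic User.
$ie = $rules | Where-Object { $_.Level -eq 'Basic User' -and $_.Path -like '*iexplore.exe' }
if (-not $ie) {
    Write-Warning 'No Basic User path rule for iexplore.exe; add one under Additional Rules in secpol.msc.'
}
```

Create the rule itself in the Software Restriction Policies snap-in rather than by writing the rule keys directly, so that the policy store and the registry stay in agreement.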
