Change user access one app at a time

By Scott Dunn

In the “last issue, I explained how to use XP without administrator rights to simulate the safety offered by Vista’s User Account Control.

Readers responded with their own tools and tricks to stop programs from gaining full (and therefore risky) access to your system.

Free software lets you limit user access

Some people find it onerous to run Windows as anything but an administrator. For those people, reader Scott Beatty has a suggestion:
  • “My favorite way to avoid running selected programs, such as browsers and e-mail clients, with admin rights is to use the Sysinternals program PsExec. I add the following string to the front of the Target for the icon that launches the program that I want to limit.”

    Subscribe to our Windows Secrets Newsletter - It's Free!

    Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!

    PC Drive Maintenance (Excerpt)

    Subscribe and get our monthly bonuses - free!

    Your hard drives store photos, books, music and film libraries, letters, financial documents and so on. This ebook is aimed at helping you understand your hard drives, expand their capacities and length of life, and recover what you can from them when they fail. We're offering you a FREE Excerpt! Get this excerpt and other 4 bonuses if you subscribe FREE now!



    “c:windowssystem32psexec.exe” -l -d
PsExec is part of the free PsTools collection, which you can download from Microsoft’s TechNet site. (The original developer, Sysinternals, was recently acquired by Microsoft.)

Although it was intended for launching programs on remote computers, you can use the command-line switches Beatty recommends to run any app as a limited user. The -L switch limits the application’s privileges. The -D switch makes the command window disappear as soon as the program is launched.

For example, to implement Beatty’s tip for Internet Explorer, follow these steps:

Step 1. Right-click the icon you use to launch IE (for example, in your Taskbar’s Quick Launch area) and choose Properties.

Step 2. In the default Shortcut tab, click at the beginning of the Target box and insert the command line Beatty shows above, followed by a space. (Your path may differ, depending on where you install PsExec.) When you’re done, the text in the Target box should read something like:

“c:windowssystem32psexec.exe” -l -d “c:Program FilesInternet Exploreriexplore.exe”

Again, your path may differ if you installed Windows somewhere other than c:windows.

Step 3. To make sure you still see the Internet Explorer icon for this shortcut, click the Change Icon button in the dialog box, enter:

“c:Program FilesInternet Exploreriexplore.exe”

in the box at the top, select the icon from the list that’s shown, and click OK.

Step 4. When you’re all done, click OK again to close the program’s Properties dialog.

The next time you launch IE from this shortcut, it will run as if you logged in as a limited user.

Another way to make IE 7 safer

The Aug. 2 story on simulating User Account Control in XP noted that Vista runs Internet Explorer 7 in the safer “protected mode,” which XP does not. Reader Robert Primak, however, points out that there are steps IE 7 users can take to make surfing a little safer:
  • “Scott Dunn could also reference Brian Livingston’s 2006 article, IE 7 Needs Tweaking for Safety. That story provided additional information on security settings.”
Thanks for the reminder, Robert! Brian’s Oct. 26, 2006, piece reports one expert’s recommended settings that make IE 7 a lot less vulnerable — at the expense of some functionality — if you can’t use Firefox, which we consider a safer browser. If you use IE 7 in any version of Windows, this is a must-read.

Lowering your risks in XP Home and W2K

The Aug. 2 story also mentioned using lurmgr.msc to create a new user account. But a reader who signs his mail Winston reminds us:
  • Lusrmgr.msc activates the Local Users and Groups and is only applicable in XP Pro. In XP Home, a new account is created via the User Accounts tool in the Control Panel. The Power User option is also only available in XP Pro.”
Thanks for the corrections! Reader David Shields points out that the tip also works for users of Windows 2000. Although not every step is identical to the procedure in XP Pro, you should be able to perform all of the same tasks, including using Run As to run programs as an administrator.

Readers Beatty, Primak, and Winston will receive gift certificates for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.

= Paid content

All Windows Secrets articles posted on 2007-08-09: