Questions about UAC

First off, thank you, Wilders posters for all of the valuable advice and info. Admittedly, some of it is beyond my understanding, what I do grasp, has been extremely helpful and eye opening. I am super appreciative!

Now, I have read the "Securing Your PC and Data" thread, (thanks again!) but am having issues with the UAC settings. As stated in the "Ruin a malware author's whole day with a Software Restriction Policy! : ) ," SRP group restrictions don't exist in my Windows 7 laptop. It is explained that I should use Parental Controls and whitelist everything that is executable. There is an area in step 5 for x64 users to allow an x86 program path but I can't seem to get there. gpedit.msc doesn't exist and the only option in parental controls is to allow specefic programs. I'm sure I want to enable SOME executables, right? I want to run my ESET, use firefox, and whatever exe's these programs depend on, right? Is there a thread I haven't found that can help me out with this? Anyone utilized the parental controls properly on Windows 7? I've put myself in a bad spot at the moment because my standard, controlled account is now incapable of even clicking submit buttons on IE and running firefox so I have essentially forced myself to browse as admin only for the last few days!

IDEAS??

Juls

 

Take a look at this thread and this one as well. Lucy, Sully and MrBrian are pretty sharp with this stuff.

 

SRP behaviour in 7 should be like previous flavors if you are using it to default deny in a user account. If you are running as Admin and using SRP to "restrict to user" certain processes, then it does not behave as it has in the past, mostly.

There are new registry keys if I remember correctly for win7. If you cannot create SRP via a snap-in, you should be able to create the registry files and still use it.

In a simplistic nutshell, you want at least 2 ALLOW rules, one for c:\program files and one for c:\windows. On 7 and especially on x64, there might also be other areas you want to ALLOW, but I have not messed with it extensively to find out what exactly.

The premise is, as you might already know, to allow program files and windows processes to run unhindered, but denying by default all other processes. You then create exceptions and choose what is allowed to run, usually by path. This applies to users only, not admins. In this manner then your standard account can only run programs installed to c:\windows or c:\program files (and only an admin can install them, so they are to be considered "safe"), and you can only run programs from any other directory IF they have an ALLOW rule in SRP. Admins can run anything because SRP does not apply to them.

HTH.

Sul.