Two questions about Windows parental controls

Regarding SRP via the Windows Vista/7 parental controls system...

1. How do I avoid having to log out? By default, Windows warns me that changes to allowed software may not be registered until I log out and back in with my limited account; and in at least a few cases, the warning actually turns out to be correct. Is there any way to apply changes without having to log out every time?

2. How do I block DLL loading without also blocking LNK shortcuts? I've tried setting the TransparentEnabled registry value to 2 for greater safety against DLL injection attacks, but that causes all shortcuts to stop working.

Also a bonus question:

3. How can I enable "full" SRP manually via the registry? i.e. giving limited users execute permissions only from C:\Windows and C:\Program Files, and unlimited execute permissions for administrators. Can this be done without adding a ton of obscure GUIDs and hex values?

(Alas, I'm using Home Premium, so no AppLocker or gpedit/secpol.)

Edit: consider #3 answered thanks to Microsoft: http://technet.microsoft.com/en-us/library/bb457006.aspx Still interested in more info on using parental controls for this purpose, though.

 

wow you really found a needle in a haystack with that MS link, that is a lot to read through.

I think you are forced to log out to apply your settings, and I have heard about hardening parental controls even further as you are mentioning from other posts on this forum. I am sure someone here can help you out on question #2.

How secure is just a basic config of LUA + Parental controls allowing your browser, media player, and pdf reader? Hard or easy to bypass? I had good luck with it on XP without any other security on my system besises EEK and CCE, although I'm not convinced that is enough these days, something like Comodo or Sandboxie must be added to really lock down a system I am thinking. Your thoughts?

 

I am also wondering. I am using Win7 Home Basic now. I set up parental controls. It works for me to without log out. First pop up says "you need to set allow via parenteral". Clicking it and asks admin password. after that a pop up says "allow for this user" and it allows the exe. But i am wondering how safe it is.

I want to set it up as SRP.

 

I have been using Windows Parental Controls as a means of policy restriction on my Win 7 Starter netbook.

What I have noticed is it is a bit more inconvenient than SRP (by default) since SRP allows everything in Program Files to run. On the other hand, with Parental Controls, you have to manually whitelist/check off programs you want the controlled user to be allowed to run specifically.

It works for me, though. I use it in conjunction with EMET. Program restrictions sets up a "default deny" execution environment, and EMET helps mitigate collision at the whitelist due to exploit techniques.

 

I have tried the Software Restriction Policy registry settings from Vista on a Windows 7 machine, and they don't work.

 

The "always run as limited user" setting doesn't work in 7. Everything else works as intended, as far as I can tell.