whitelisting/SRP and automatic updates (Firefox etc.)

I want to set up a white list approach for a Windows installation, for the Standard user account, while still allowing automatic updates of Firefox (and other programs).
I only want to allow all software inside "Program Files" and "Windows" folders.

This in itself is easy to do with SRP, but the problem is that Firefox runs auto-updates from C:\Users... which is accessible to anyone, even non-admins (correct me if I'm wrong here).

Is the only way to make this work to use a certificate rule or would the auto update process perhaps start with admin rights?
What if SRP is not available? Would Parental Controls work?

 

There's Mozilla Maintenance Service
http://support.mozilla.org/en-US/kb/what-mozilla-maintenance-service

I usually decline Mozilla Maintenance Service so I have yet to verify but here's what I've found so far.

Source: https://wiki.mozilla.org/Windows_Service_Silent_Update#Limited_user_accounts

Looking at Bug 711475, I saw this comment 41 by Rainer Meier here. To quote part of what he said:

Hope it helps.

 

If SRP obstructs such an update mechanism, you can launch the program with Admin rights for the purpose of updating, then exit the program to ditch Admin rights. If it's your own daily-driver computer, that's a possible workaround, assuming you know when the updates are required.

Parental Controls will challenge the execution of non-whitelisted executables, so the patch or new version is going to be intercepted when the updater mechanism tries to run it, and you will need to approve it each time.

In the bigger picture, since these types of mechanisms vary as much as they do, your one-stop fix might be to install Secunia PSI and launch that as an Administrator. If PSI is running as Admin, then patch links it gives you ought to also execute with Admin rights, thereby bypassing SRP restrictions (assuming you didn't apply SRP to Admins). But again, this assumes it's your personal daily-driver computer; if it's for your Parental Units or their Parental Units, or others who need a zero-interaction update mechanism, then that's not much help.

 

@safeguy: thanks, I'll check out that Maintenance Service.
Eventually I might also consider another browser. There's a Chrome for Business installer (MSI), which could make this thing simpler.

@mechBgon: yeah, it's for another person, who doesn't know much about computers. So ideally I'd like to make it all work automatically in the background and with a Standard user account only.

 

Secunia PSI does have an auto-updater of its own, which is supposed to patch certain software for you. So that could be worth investigating. Personally, in that scenario I would stick with IE10 if possible. It'll stay up-to-date despite SRP, and it has Protected Mode and runs at low Integrity so there are some extra mitigations at work there.