Web Surfing, Reading Email as an Administrator Considered Dangerous

If you surf as an administrator checkout the following two web pages. I finally implemented the scheme on my WinXP Pro SP2 computer by following the Local Security Policy changes recommended in the second web page article, and verifying that the permissions had been dropped to that of a Normal User with Process Explorer.

If you just follow the 1st web pages instructions you will not succeed until you have changed the security policies in your registry as advised in the 2nd web page - and rebooted! Remember to reboot, because the changes do not take place dynamically.

The second webpage contains recommendations on applying the modifications to other Internet facing applications - highly recommended!

Download the following two items referenced on the web pages:
DropMyRights.msi
SetSafer.msi

Browsing the Web and Reading E-mail Safely as an Administrator
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp

Browsing the Web and Reading E-mail Safely as an Administrator, Part 2
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/safer.asp

You probably will need Process Explorer to check the process permissions on your browser process from: http://www.sysinternals.com/ProcessesAndThreadsUtilities.html

-- Tom

 

I have a free tool that does the opposite:
Grant administrator rights.
http://www.lansweeper.com/ls/lsrunasold.aspx
I have lsrunas, lsrunase, supercrypt and makeadm