comodo sandbox elevating privelege

I have used the latest version of comodo firewall and it works perfectly with my system and no compatibility problems. I use it because i think it's the best firewall as of now, and it's very easy to use and configure, by the way i'm an average computer user. I always use a limited account in my windows xp, as my first line of defense in windows security, and i also use surun if i have an application that requires adminitrative privilege. What i notice when i used comodo firewall, is that i can use an application in my limited account that requires an administrator privilege by simply putting these applications in "always sandbox" option in defense+ tab, even though i do not elevate this applications using surun. Is this normal in comodo sandox to elevate an application in a limited account. Thanks

 

Did you run it as an administrator after entering your password? Check the process with task manager, then show processes from all users (admin/service level) to see if it's really elevated.

 

Nope, i did not run it as an administrator. To verify my observation, i uninstall surun in my windows xp, so there's no reason for my applications that needs admin rights to run under limited account. After i uninstall surun, i try to launched my applications that needs admin rights in my limited account, and as expected, of course it will not run because i uninstalled surun in my system. But, when i start to put those applications that needs admin rights under comodo sandbox(manual), to be specific, when i put those applications that needs admin rights in "always sandbox" options with limited restriction level in defense+ tab, under computer securiy policy, i can now use those applications without a problem under limited account, even though i already uninstalled surun in my system. My real question is why i can use these applications that needs admin rights under limited account, without surun installed, by simply putting it in comodo sandbox(manual) with limited restriction level?

 

The way I see it is that when running within the manual sandbox you're not actually accessing the "real" system just a virtualised copy,therefore there's no need for the program itself to have Admin privileges as long as CIS has the required rights to redirect any calls.