I am not sure this is the right place to post this, but I guess it is more security than software. Anyway, say you have a fresh default install of XP Pro, where your the admin account and there is only 1 user. This is what I have been working on to simplify things as much as possible for noobs. 1. Create an 'other' admin with a very strong password. This account is never planned on being used, just there for the Uname/Pword for SuRun. 2. Create a batch file with this as it's content test.bat: Code: secedit.exe /analyze /db c:\db2.sdb /cfg "c:\windows\security\templates\setup security.inf" pause secedit.exe /configure /db c:\db2.sdb /cfg "c:\testpol.inf" /overwrite /log c:\db2.log 3. Create an .inf file called testpol.inf in c: (c:\testpol.inf) with the following content: 5. Remove main account from admin group, leaving in users group only. Reboot. Log into main account again. 6. Try to write file or delete from Windows or root. No can do. User policy dictates this. However, try this in Program files and it works. So, I make an easy way to (sort of) pull in the default settings from the setup security template, then change a few things like give the Users group modify permissions to program files (and also the main users documents too). This now keeps the windows data from standard user messing with, yet allows more loose control to add programs. Next add SuRun, and now you can do all the items with the Secondary Login that were not possible without. I have found (and I am no expert, just like to tinker) that the Security Setup.inf template knows of everything in a default installation. So any directory like maybe c:\adobe will not be 'restricted' because it is not specifically stated so. At least it appears to be that way. Maybe someone can state experience with why the registry is unlocked at least in HKLM/Software, yet mmc consoles are not allowed (in user mode). I find that to be strange that the registry is open. Anyway, there is a lot to tweak in this method. I have made a simple method to quickly fill out a few different .ini files with ones preferences and then roll them into the custom .inf file. Does anyone see this as a flawed method? And why bother with this? Because using the mmc console is dreadfully slow. I seek to make easier method. And because I know many who do not use LUA and would not wish to go through the pain involved of learning, lol. And the top reason, LUA is so restrictive that many complaints. But this way more almost normal type events can happen because Program Files, maybe most common used to write to directory is more open. Sul.