The benefits of a limited user account and how to easily implement it are discussed in detail in this thread (with a recommendation how to set up a limited account in post #34). However, you can make your system even safer if you also apply a Software Restriction Policy (SRP), which is very well explained on http://www.mechbgon.com/srp/ .

There's only one disadvantage: SRP is normally only available in Windows XP Professional (and Vista Business and Ultimate). Now the good news: SRP can also be implemented in XP Home! After doing some research I found a pretty comfortable solution. It's a small script called pcwGPinst, written by the staff of the German computer magazine PCWELT, which is available for download here.

Here's how to use it:

1. You need to have Service Pack 2. Download it from the Windows update site. Since the file name differs depending on the language of your system, rename it to xpsp2.exe (this ensures that it will be recognized by the script).

2. Execute pcwGPInst.z.exe. (You have to be logged on as admin!) It will extract one file called pcwGPInst.cmd. This is just a text file, and you can open it with an editor to see what it does.

3. Copy pcwGPInst.cmd to the folder where you saved xpsp2.exe and execute it. (Note: There are some short messages in German which should be self-explanatory. You might also consider temporarily disabling your HIPS, since you will get a lot of popups...)

What the script does: it extracts SP2 to a temporary folder, creates a sub-folder GroupPolicy (containing some more sub-sub-folders) in c:\windows\system32, extracts the needed files (available in XP Pro but missing in XP Home) from SP2 to the new sub-folders just created, and as a last step registers these files.

Here I ran into a problem: I got an error message that ieaksie.dll could not be registered.
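A scripted way to redo that last registration step, as an added example that is not part of pcwGPInst.cmd or of this post: the batch file below registers the same DLLs the manual fix names and reports the result for each one. Because regsvr32 /s suppresses its dialog boxes, its exit code (non-zero on failure) is the only sign that a file did not register, and the script checks it. It assumes the DLLs were extracted to %windir%\system32, where regsvr32 finds them by bare file name (the unqualified names in the manual fix imply this), and that gpedit.msc was placed there too, as on XP Professional; both locations are assumptions.

```batch
@echo off
setlocal enabledelayedexpansion
rem srp-register.cmd - added example, not part of pcwGPInst.cmd or of the post.
rem Registers the snap-in DLLs one by one and reports the result of each:
rem regsvr32 /s hides its dialogs, so the exit code is the only sign that
rem registration failed. Run this from an administrator command prompt.
rem Assumption: the files were extracted to %windir%\system32.

set FAILED=0
for %%f in (ieaksie.dll gpedit.dll gptext.dll appmgr.dll fdeploy.dll certmgr.dll ipsecsnp.dll wsecedit.dll) do (
  if not exist "%windir%\system32\%%f" (
    echo MISSING: %%f was not extracted to %windir%\system32
    set FAILED=1
  ) else (
    regsvr32 /s %%f
    rem a batch file waits for regsvr32 to finish, so errorlevel is its exit code
    if !errorlevel! neq 0 (
      echo FAILED:  %%f - regsvr32 exit code !errorlevel!
      set FAILED=1
    ) else (
      echo ok:      %%f
    )
  )
)

if "%FAILED%"=="1" (
  echo One or more files could not be registered - gpedit.msc may not open or may lack snap-ins.
) else (
  echo All files registered. You can now start gpedit.msc from this window.
)
rem assumed location for gpedit.msc, as on XP Professional
if not exist "%windir%\system32\gpedit.msc" echo NOTE: gpedit.msc was not found in %windir%\system32 - check the script's output folder.
endlocal
```

A file reported as FAILED with exit code 3 or 4 could not be loaded or has no registration entry point, which usually means the wrong file was extracted; exit code 5 means the DLL itself refused to register.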
If this happens to you, too, do the following: Open a command prompt window and enter

regsvr32 ieaksie.dll /s

Repeat this for the following files: gpedit.dll, gptext.dll, appmgr.dll, fdeploy.dll, certmgr.dll, ipsecsnp.dll, wsecedit.dll (just press the up arrow and overwrite ieaksie with the other file names respectively). That's it - while you're still in the command prompt window, start gpedit.msc and follow exactly the steps described on http://www.mechbgon.com/srp/

Note: In order to adjust the script to an English language version of XP you might consider replacing 4 German expressions with their English equivalents. For details see posts #17 and #18.

Please make sure that you understand the logic of this approach and how it makes your system much safer: As a limited user you have no write permission to the c:\windows and c:\Program Files folders or to the biggest part of the registry, including most of the nearly 50 autostart locations available in Windows XP. This means that any malware executed in the context of your limited account has no chance to delete or modify files and settings in these folders, install drivers etc. Malware is simply unable to seriously compromise your system due to missing write permissions! And that covers the big majority of malware - it can't run/install itself without admin rights.

However, this protection is not perfect. A limited user has write permission to his/her c:\Documents and Settings\<user> folder and to some autostart locations I listed here. This means that user-mode malware, which doesn't need admin rights, can delete your precious documents or install itself in one of these autostarts (e.g. a keylogger). But here our SRP comes into play: All users (except administrators) are only allowed to execute applications in c:\Windows and c:\Program Files, i.e. only software you deliberately installed from sources you deemed trustworthy.
Any other software/malware you get, e.g. as an email attachment, and double-click by mistake simply won't be executed! Your documents and autostarts are safe against unintentional changes.

Questions & answers:

Q: I created a folder c:\Downloads where I save all my setup/install files. My limited user account has write permission for that folder. Do I have to create a New Path Rule for it as described on http://www.mechbgon.com/srp/ ?

A: No. In order to install any software you need admin rights anyhow, since you don't have write permission, e.g., for the c:\Program Files folder. And as admin you can execute everything everywhere, as the SRP is only valid for non-admin users. The easiest way as a limited user is to use SuRun. Start Explorer (I suggest clicking Start->All Programs->Accessories and dragging the Explorer entry to your Quick Launch bar to have it always readily available) or any other file manager like Total Commander or FreeCommander with SuRun, navigate to c:\Downloads (or any other folder) and start any application you want - now with admin rights.

Q: Do I need a New Path Rule for my CD-ROM drive?

A: It depends. If you install software from CD at times, the answer to the previous question applies. However, if you want to play games from CD within your limited user account it might be necessary to create a New Path Rule.

Q: Does this approach also protect against malicious scripts?

A: Please read this thread. I gave an answer in post #24.

Q: I understand that the combination of LUA and SRP offers strong protection. But will I still need a HIPS?

A: Good question, indeed. To begin with, most parts of your system are perfectly protected against malware since it won't be executed at all, and even if it were, it wouldn't have the permission to seriously harm your computer. And any software you deliberately install is from a trustworthy source - you wouldn't install software you don't trust, would you? But wouldn't you allow trusted software in your HIPS?
I guess most of us would simply select install mode in such cases: You wouldn't get any popups - and your HIPS would actually be useless. But what about the famous Sony rootkit? Yes, a HIPS would have protected against it, provided that you didn't select install mode and you were able to analyse and evaluate every file installed and every registry entry/change made. Are you really sure you would have done that? I bet that most of us would have mechanically pressed the "Allow" button of our HIPS after popup #10 at the latest. I mean, Sony was deemed a trustworthy company at that time after all ... Conclusion: A HIPS doesn't hurt, but the additional security it provides is negligible in a LUA/SRP environment.

Q: Do I still need an anti-virus?

A: Another good question. I hesitate to say: No, you don't need it, although it will be on your system without having anything to do 99.99% of the time. However, there are 2 situations where an AV might (!) help: The first one is a Sony rootkit-like one - you wrongly think that you are installing software from a trustworthy source. The second one is scripts of category #2, as Rmus put it here. If you double-click, e.g., a .doc or .xls file that contains a malicious macro and your macro protection in Word or Excel is disabled, you might run into problems, although the consequences are limited in a LUA environment. There is at least a chance that your AV will issue a warning in such situations, although the detection rate for macro and script viruses was rather bad in the Retrospective test on http://av-comparatives.org . And keep your applications up-to-date, since even simple image viewers can be affected by buffer overflows. I suggest using UpdateStar.

Q: http://www.mechbgon.com/srp/ is really a great site. Do you also agree with what mech is saying about Internet Explorer and alternative browsers?

A: No, I don't. But that's another story discussed in many other threads here.
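To check that the policy the post relies on is actually in force (default rule Disallowed, applied to all users except local administrators, so that a limited user cannot start anything from a writable folder such as c:\Downloads or the user profile), here is an added example that is not part of this post or of mechbgon's guide. The batch file first reads the values gpedit.msc stores under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, then, when run from a limited account, copies cmd.exe into that account's %TEMP% folder and asks the copy to create a marker file: the marker can only appear if the copy was allowed to run. The meaning of the DWORD values (DefaultLevel 0x0 = Disallowed, 0x40000 = Unrestricted; PolicyScope 0x1 = all users except local administrators; TransparentEnabled 0x1 = all files except DLLs, 0x2 = all files) comes from the SRP registry layout, not from the post. Save the file under c:\Program Files as administrator before running it from the limited account: a copy saved in c:\Downloads would itself be refused by the very rule it tests.

```batch
@echo off
setlocal
rem srp-check.cmd - added example, not from the original post or mechbgon's guide.
rem Part 1 reads the SRP settings that gpedit.msc stores in the registry.
rem Part 2 tries to run an .exe from the current user's %TEMP% folder, which the
rem policy should refuse for a limited user and permit for an administrator.
rem Assumption: this file lives under C:\Program Files (placed there as admin),
rem otherwise the policy would refuse to run the check itself.

set SAFER=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
set LEVEL=
set SCOPE=
set TRANSP=
rem reg.exe prints "<name>  REG_DWORD  0x..." for each value; token 3 is the number.
for /f "tokens=3" %%v in ('reg query "%SAFER%" /v DefaultLevel 2^>nul ^| find /i "DefaultLevel"') do set LEVEL=%%v
for /f "tokens=3" %%v in ('reg query "%SAFER%" /v PolicyScope 2^>nul ^| find /i "PolicyScope"') do set SCOPE=%%v
for /f "tokens=3" %%v in ('reg query "%SAFER%" /v TransparentEnabled 2^>nul ^| find /i "TransparentEnabled"') do set TRANSP=%%v

echo == Part 1: policy settings in %SAFER%
echo DefaultLevel       = %LEVEL%   [0x0 = Disallowed, 0x40000 = Unrestricted]
echo PolicyScope        = %SCOPE%   [0x1 = all users except local administrators]
echo TransparentEnabled = %TRANSP%  [0x1 = all files except DLLs, 0x2 = all files]
if "%LEVEL%"=="" echo WARNING: no SRP settings found - create the policy in gpedit.msc first.
if not "%LEVEL%"=="" if not "%LEVEL%"=="0x0" echo WARNING: the default security level is not Disallowed.
if "%SCOPE%"=="0x0" echo NOTE: PolicyScope 0x0 applies the rules to administrators as well.

echo == Part 2: execution test for the account running this file
set PROBE=%TEMP%\srp-probe.exe
set MARK=%TEMP%\srp-probe.txt
if exist "%MARK%" del "%MARK%"
rem cmd.exe is readable by every user; its copy now lives outside the allowed paths.
copy /y "%windir%\system32\cmd.exe" "%PROBE%" >nul
rem The ^> hands the redirection to the probe itself, so the marker file is
rem created only if the probe actually starts. If SRP refuses it, Windows
rem reports that the program cannot be executed and no marker appears.
"%PROBE%" /c echo executed ^> "%MARK%"
if exist "%MARK%" (
  echo WARNING: %PROBE% ran - either this account is an administrator,
  echo          which the policy exempts, or the policy does not cover this path.
) else (
  echo ok: execution from %TEMP% was refused for this account.
)
del "%PROBE%" 2>nul
del "%MARK%" 2>nul
endlocal
```

Run it once from the limited account (expect "refused") and once from an administrator account (expect the WARNING, which is the intended exemption for installing software); a "refused" result from the administrator account means PolicyScope was set to 0x0 and installs will need the exemption restored.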