I decided not to hijack another thread with my curiosity, so I'm starting a new thread here. How can a Windows user (XP, Vista & Win 7) change/add/remove Mandatory Access Controls (recognizing that the answer may be different for each OS)? I want a tool that allows me to determine exactly what each program will be allowed to do. For instance, I could confine my browser so that any malware I encounter can't access system files. It would prevent escalation of privileges. Does Windows allow me to have that kind of fine-grained control? Are the only options extra software that does it for me (like AppGuard)? I'm comparing it to AppArmor, which is Ubuntu's answer to Mandatory Access Controls.