So there was a thread in which we were discussing how the DropRights feature of SBIE works. I had tested it in different ways a year or so ago. It was brought up that it did not work in the manner I thought it did. I insisted it did, and performed a test to make sure, and as I expected it was as I thought. But being the person I am with a nerdmentat, I decided to see if I was right or it was an anomaly, as the other person said he tested it and found different results.

So just because we are adventurous souls here, and we as a cumulative body are fairly well versed in our security applications, let's see what you might find in your own tests.

The following was performed on XP Pro SP2+. Files tested were to modify c:\boot.ini, modify c:\windows\system32\eula.txt and to create a file in c:\program files\common files\ using notepad.exe.

So, start notepad.exe in the following methods and results of the 3 tests.

As Admin - no SBIE - all files are modified
As User - no SBIE - denies boot.ini opening, eula.txt is read only, cannot create file in prog files
As Admin, using SRP - no SBIE - same as above

As Admin - in SBIE - no DR - all files are modified
As User - in SBIE - no DR - all files are modified
As SRP - in SBIE - no DR - same as above

As Admin - in SBIE - yes DR - boot.ini denied - prog files allowed - eula.txt allowed
As User - in SBIE - yes DR - same as above
As SRP - in SBIE - yes DR - same as above

So it appears that objects in c: which have default restrictions are upheld in SBIE with the DR option enabled, yet you can install to prog files or modify items in windir that a stripped token should not be allowed to.

It is also interesting to note that if you open boot.ini in SBIE without the DR option enabled, then you enable the DR option, you can still modify boot.ini. If you delete the contents of the box and the virtualized boot.ini file is not present, then you will get denied access.

In the past I have tried to install applications to prog files in a forced folder with SRP also on that folder, and with the DR option enabled, the installation failed. I don't fully understand in this case what the DR option is really doing.

What do you find?

Sul.
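
The three write tests from the post as a script, so every launch condition (Admin, User, SRP, with and without SBIE and DR) is probed the same way. This is an added example, not part of the original post; it assumes PowerShell 2.0 or later is installed and uses a hypothetical probe file name, dr_probe_test.txt.

```powershell
# Added example (not from the original post). Assumes PowerShell 2.0 or later.
# Paths are the three targets named in the post; the probe file name is made up.
$existing = @('C:\boot.ini', 'C:\Windows\System32\eula.txt')
$probe    = 'C:\Program Files\Common Files\dr_probe_test.txt'

function Get-FailureName($ErrorRecord) {
    # .NET method failures arrive wrapped; report the innermost exception type.
    $ErrorRecord.Exception.GetBaseException().GetType().Name
}

function Test-OpenForWrite([string]$Path) {
    # Opens an existing file with write access and closes it; no bytes are written.
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'ReadWrite')
        $fs.Close()
        'allowed'
    } catch {
        "denied ($(Get-FailureName $_))"
    }
}

function Test-CreateFile([string]$Path) {
    # CreateNew fails if the file already exists, so a leftover probe is reported
    # as IOException rather than being mistaken for a successful create.
    try {
        $fs = [System.IO.File]::Open($Path, 'CreateNew', 'Write', 'None')
        $fs.Close()
        Remove-Item -LiteralPath $Path -Force
        'allowed'
    } catch {
        "denied ($(Get-FailureName $_))"
    }
}

# Record how the current token identifies itself so runs can be told apart.
$id    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$role  = [System.Security.Principal.WindowsBuiltInRole]::Administrator
$admin = (New-Object System.Security.Principal.WindowsPrincipal($id)).IsInRole($role)
"User: {0}  IsInRole(Administrator): {1}" -f $id.Name, $admin

foreach ($path in $existing) {
    # A ReadOnly attribute also blocks write opens, independent of the token,
    # so print the attributes next to the result.
    $attrs = $(try { [System.IO.File]::GetAttributes($path) } catch { 'unavailable' })
    "{0,-32} open for write: {1}  [attributes: {2}]" -f $path, (Test-OpenForWrite $path), $attrs
}
"{0,-32} create file: {1}" -f $probe, (Test-CreateFile $probe)
```

Start powershell.exe the same way notepad.exe was started in each test, and delete the contents of the sandbox between runs, since the post notes that an already virtualized boot.ini changes the result.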