Hi, I run safe-admin on a Windows7 x 32 setup, so only signed executables from safe places are allowed to elevate. I have a question about preventing elevation from medium to high rights. Since Win7 has lost the feature to set a software restriction policy as basic user. I run Chromium. This is an unsigned program. Chromium tabs run Low-IL sandboxed. So this is covered, Chromium will never elevate to high even when malware breaks the Low-IL sandbox protection I use Windows Live as e-mail client, successfully added a Medium rights explicite IL through icacls, so that is covered also (on top of that downloaded executables run into the 1806 deny execute limitation). wmplayer.exe is my media player. For some reason I am not allowed to set an explicit medium rights level through icacls. Any one succeeded. As a intermediate result I have added the limited OS virtualisation capabilities of Windows 7 with a RUNASINVOKER registry change (so now when I discover something in C:\Users\[YOUR NAME]\AppData\Local\VirtualStore I know something has tried changing Windows or Program FIles directories). Question a) has some one succesfully added a /Setintegrity level Medium (or Low) to wmplayer.exe? If so how did you do it? b) does anyone know a different trick (I have tried runasil of didier stevens with image file execution forcing it to start into medium level). Seems to work, but slows down startup of wmplayer a lot randomly (while I have no security software). If so please share.