Enjoy safe browsing when running IE as an administrator

Running IE as an Administrator entails the risk of catching something nasty from the Web. Until Windows Vista appears, you may want to run applications in a reduced-privilege context via a Group Policy technology called Software Restriction Policies (SAFER). You can do so with a new utility from Microsoft.

One of the most important changes in the upcoming Windows Vista release is the way it will handle user rights. It will allow you to log in as an administrator without having to run all your applications in that context. That's been a major security issue for far too long, and I'm glad to see that Microsoft has addressed it.

But Vista is still a long way off. Most of us are probably not going to end up using it until 2007 at the earliest. In the meantime, we're stuck with the possibility of catching something nasty from the Web when we run IE as an administrator.

For now, you may want to take advantage of a Group Policy technology called Software Restriction Policies (SAFER). Normally used to block users from running specific applications entirely, it can also be used to run applications in a reduced-privilege context. SAFER allows you to run an application in five modes:

  • Unrestricted: Run normally
  • Normal User: Run as a regular (non-admin) user
  • Constrained: Run as a restricted (guest) user
  • Untrusted: As with Constrained, but with additional restrictions including lack of access to cryptography
  • Disallow: Do not run at all

Michael Howard, a member of Microsoft's Secure Windows Inititative team, has written a utility called SetSAFER that enables and/or disables SAFER policies on applications defined in an included XML file. IE is one of the applications included in the file, so it can be used more or less as is to force IE to run with reduced privileges. Other applications can be added fairly easily. Also included in the page link is a quick .REG file that lets you run IE with reduced rights immediately.

As an aside, one of the much-bandied-about solutions to IE's present state of insecurity is to replace it with another browser, such as Firefox. However, one problem with using Firefox as a catchall replacement for IE is that it is difficult to centrally administer from Group Policy (something many administrators have complained about).

This tip originally appeared on SearchWinSystems.com.

Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!

More information from SearchWinSystems.com


This was first published in March 2006

Dig deeper on Windows Server and Network Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close