Tip

Enjoy safe browsing when running IE as an administrator

One of the most important changes in the upcoming Windows Vista release is the way it will handle user rights. It will allow you to log in as an administrator without having to run all your applications in that context. That's been a major security issue for far too long, and I'm glad to see that Microsoft has addressed it.

But Vista is still a long way off. Most of us are probably not going to end up using it until 2007 at the earliest. In the meantime, we're stuck with the possibility of catching something nasty from the Web when we run IE as an administrator.

For now, you may want to take advantage of a Group Policy technology called Software Restriction Policies (SAFER). Normally used to block users from running specific applications entirely, it can also be used to run applications in a reduced-privilege context. SAFER allows you to run an application in five modes:

  • Unrestricted: Run normally
  • Normal User: Run as a regular (non-admin) user
  • Constrained: Run as a restricted (guest) user
  • Untrusted: As with Constrained, but with additional restrictions including lack of access to cryptography
  • Disallow: Do not run at all

Michael Howard, a member of Microsoft's Secure Windows Inititative team, has written a utility called

    Requires Free Membership to View

SetSAFER that enables and/or disables SAFER policies on applications defined in an included XML file. IE is one of the applications included in the file, so it can be used more or less as is to force IE to run with reduced privileges. Other applications can be added fairly easily. Also included in the page link is a quick .REG file that lets you run IE with reduced rights immediately.

As an aside, one of the much-bandied-about solutions to IE's present state of insecurity is to replace it with another browser, such as Firefox. However, one problem with using Firefox as a catchall replacement for IE is that it is difficult to centrally administer from Group Policy (something many administrators have complained about).

This tip originally appeared on SearchWinSystems.com.

Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!

More information from SearchWinSystems.com


This was first published in March 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.