Problem solve Get help with specific problems with your technologies, process and projects.

Enjoy safe browsing when running IE as an administrator

Running IE as an Administrator entails the risk of catching something nasty from the Web. Until Windows Vista appears, you may want to run applications in a reduced-privilege context via a Group Policy technology called Software Restriction Policies (SAFER). You can do so with a new utility from Microsoft.

One of the most important changes in the upcoming Windows Vista release is the way it will handle user rights....

It will allow you to log in as an administrator without having to run all your applications in that context. That's been a major security issue for far too long, and I'm glad to see that Microsoft has addressed it.

But Vista is still a long way off. Most of us are probably not going to end up using it until 2007 at the earliest. In the meantime, we're stuck with the possibility of catching something nasty from the Web when we run IE as an administrator.

For now, you may want to take advantage of a Group Policy technology called Software Restriction Policies (SAFER). Normally used to block users from running specific applications entirely, it can also be used to run applications in a reduced-privilege context. SAFER allows you to run an application in five modes:

  • Unrestricted: Run normally
  • Normal User: Run as a regular (non-admin) user
  • Constrained: Run as a restricted (guest) user
  • Untrusted: As with Constrained, but with additional restrictions including lack of access to cryptography
  • Disallow: Do not run at all

Michael Howard, a member of Microsoft's Secure Windows Inititative team, has written a utility called SetSAFER that enables and/or disables SAFER policies on applications defined in an included XML file. IE is one of the applications included in the file, so it can be used more or less as is to force IE to run with reduced privileges. Other applications can be added fairly easily. Also included in the page link is a quick .REG file that lets you run IE with reduced rights immediately.

As an aside, one of the much-bandied-about solutions to IE's present state of insecurity is to replace it with another browser, such as Firefox. However, one problem with using Firefox as a catchall replacement for IE is that it is difficult to centrally administer from Group Policy (something many administrators have complained about).

This tip originally appeared on

Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!

More information from

This was last published in March 2006

Dig Deeper on Windows Server and Network Security

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.