If you’ve been reading my “non-admin” posts, by now I assume you have seen the Windows XP “Run As” dialog. (If you haven’t, please read this post first: “RunAs” basic (and intermediate) topics.)
When the “Run As” dialog opens, its default setting is to run the program as the current user, with the option “Protect my computer and data from unauthorized program activity” selected. The dialog further states that “This option can prevent computer viruses from harming your computer or personal data, but selecting it might cause the program to function improperly.” What does that mean? How do you decide whether to use it? As far as I know, there hasn’t been any accurate public documentation about the “protect my computer” option, let alone any guidance as to when it might or might not work for any particular application.
The net effects
The bottom line is that the app runs with a “restricted token” that basically has these net effects:
These are very powerful restrictions, particularly those around the registry and profile folders. It’s probably a safe bet that most apps do not expect “access denied” errors when writing to HKCU or the user’s temp or MyDocs folders, and probably do not handle such errors gracefully. When I tried to use Outlook Express with “protect my computer”, it failed to start up at all. This isn’t entirely surprising – all its data is in the user’s profile folder hierarchy.
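To show why a restricted token turns ordinary HKCU or profile-folder writes into “access denied”, here is an added example that models the documented Windows access check: the request must pass first against the token’s normal SIDs (with deny-only groups able to match only access-denied ACEs) and then, for a restricted token, a second time against the restricting SIDs alone. This is illustration code written for this post, not Microsoft’s implementation and not the real XP “protect my computer” token layout; the access-mask bits, the sample ACLs, the example user SID and the choice of which groups are deny-only or restricting are all constructed assumptions.

```python
"""Model of a Windows access check against a restricted token (added example).

Assumptions (constructed, not the real XP configuration):
- access masks are two bits, READ and WRITE;
- the "protect my computer" token marks Administrators deny-only and carries
  the restricting SIDs Everyone, Users and RESTRICTED, but not the user's own SID;
- HKCU_LIKE_ACL grants the user and Administrators full control and RESTRICTED
  read-only; ADMIN_ONLY_ACL grants access to Administrators alone.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

READ = 0x1    # constructed access-mask bits
WRITE = 0x2

# Well-known SIDs; the user SID is a constructed placeholder.
USER = "S-1-5-21-EXAMPLE-1001"
EVERYONE = "S-1-1-0"
USERS = "S-1-5-32-545"
ADMINS = "S-1-5-32-544"
RESTRICTED = "S-1-5-12"


@dataclass(frozen=True)
class Ace:
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    sid: str
    mask: int


@dataclass
class Token:
    user: str
    groups: Set[str]                                 # enabled group SIDs
    deny_only: Set[str] = field(default_factory=set)  # SE_GROUP_USE_FOR_DENY_ONLY groups
    restricting: Optional[Set[str]] = None            # None = not a restricted token


def _ace_walk(acl: List[Ace], requested: int, sids: Set[str], deny_only: Set[str]) -> bool:
    """One pass over the ACL in order. An access-denied ACE that matches any
    requested right refuses access; access-allowed ACEs accumulate rights until
    every requested right is granted. Deny-only SIDs match denied ACEs only."""
    granted = 0
    for ace in acl:
        if ace.allow:
            if ace.sid in sids:                # deny-only SIDs never grant anything
                granted |= ace.mask & requested
                if granted == requested:
                    return True
        elif ace.sid in sids or ace.sid in deny_only:
            if ace.mask & requested:           # an explicitly denied requested right
                return False
    return granted == requested


def access_check(token: Token, acl: List[Ace], requested: int) -> bool:
    """Pass one uses the user SID plus enabled groups; pass two (restricted
    tokens only) treats the restricting SIDs as the caller's whole identity.
    Access is granted only if both passes succeed."""
    normal_sids = {token.user} | token.groups
    if not _ace_walk(acl, requested, normal_sids, token.deny_only):
        return False
    if token.restricting is None:
        return True
    return _ace_walk(acl, requested, token.restricting, set())


# Constructed sample ACLs (DACL order: allow entries only, no explicit denies).
HKCU_LIKE_ACL = [
    Ace(True, USER, READ | WRITE),
    Ace(True, ADMINS, READ | WRITE),
    Ace(True, RESTRICTED, READ),
]
ADMIN_ONLY_ACL = [Ace(True, ADMINS, READ | WRITE)]


def normal_token() -> Token:
    """The user's ordinary logon token (user is a local administrator here)."""
    return Token(user=USER, groups={EVERYONE, USERS, ADMINS})


def protect_my_computer_token() -> Token:
    """Constructed model of the "protect my computer" restricted token."""
    return Token(user=USER, groups={EVERYONE, USERS},
                 deny_only={ADMINS},
                 restricting={EVERYONE, USERS, RESTRICTED})


def demo() -> dict:
    """Compare both tokens against both ACLs; returns {label: granted?}."""
    cases = {
        "normal: HKCU write": (normal_token(), HKCU_LIKE_ACL, WRITE),
        "protected: HKCU read": (protect_my_computer_token(), HKCU_LIKE_ACL, READ),
        "protected: HKCU write": (protect_my_computer_token(), HKCU_LIKE_ACL, WRITE),
        "normal: admin-only read": (normal_token(), ADMIN_ONLY_ACL, READ),
        "protected: admin-only read": (protect_my_computer_token(), ADMIN_ONLY_ACL, READ),
    }
    return {label: access_check(t, acl, req) for label, (t, acl, req) in cases.items()}


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:28s} -> {'granted' if ok else 'ACCESS DENIED'}")
```

The HKCU write fails on the second pass even though the first pass granted it: the only restricting SID with an entry on the key is RESTRICTED, and it has read access only. The admin-only read fails on the first pass because Administrators is deny-only and so can never match an access-allowed ACE. Either failure surfaces to the application as a plain “access denied”, which is exactly what most programs are not written to cope with.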
The only thing I ever really use with “protect my computer” is Internet Explorer when I want to really constrain a particular site and not allow it to write to my hard drive at all. (Note that this is only an additional element of defense in depth, not an entire defense.) IE works fairly well this way, but with some odd and annoying problems:
That’s about all the “guidance” I’ve got as far as what to expect if you use the “protect my computer” option. If anyone really cares, I could write a lot more about the geeky details around restricted tokens, deny-only SIDs, how access checks are performed against restricted tokens, which groups get marked deny-only with “protect my computer”, etc. But maybe Larry Osterman will save me the trouble and follow up on some of his recent security posts (e.g., What is this thing called, SID?).