How to surf the web and read e-mail (and other things) safely in XP & Server 2003

Status
Not open for further replies.

Mictlantecuhtli

No, I'm not saying install this and this application. This is an article I came across in Microsoft Security Developer Center.

By default, XP's users have administrative rights. This also means any applications they're running have the same rights as well, so they could do Bad Things if something went wrong.

But here's something that helps: Windows XP, Server 2003 and later have Software Restriction Policies that can be used to launch applications with fewer rights to do things. With these restrictions, for example, Internet Explorer (or scripts started by IE) wouldn't be able to write to the \windows\system32 directory or delete registry keys.

Using these policies requires a small application called DropMyRights.

Setup

Simply copy DropMyRights.exe to a folder. Then for each application you want to run in lower privilege, follow the steps in the next three sections.

Create a Shortcut

Create a shortcut and enter DropMyRights.exe as the target executable, followed by the path to the application you want to execute in lower privilege.

For example:

C:\warez\dropmyrights.exe "c:\program files\internet explorer\iexplore.exe"

Updating the Shortcut Name

Next, update the name of the shortcut to represent the executable target, and not dropmyrights. I usually put the word "(Safer)" after the application name to denote this application will run in a safer security context. "(Non-admin)" is another common addition, as shown in Figure 2.

Setting the Icon and Run Mode

Finally, once the shortcut is created, set the Run option for the shortcut to Minimized and if you want, select a new icon.

The arguments to DropMyRights are:

DropMyRights {path} [N|C|U]

The meanings of the variables are:

* Path is the full path of the application to launch.
* N means run the application as a normal user. This is the default if you provide no argument.
* C means run the application as a constrained user.
* U means run the application as an untrusted user. Chances are, this will cause some applications to fail.

My opinion is use Normal (the default) for most things, and Constrained if you think you'll be browsing hostile or potentially dangerous Web sites.


Read the whole article here:

Browsing the Web and Reading E-mail Safely as an Administrator
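
The three shortcut steps from the post (target, "(Safer)" name, minimized run mode and icon) can be scripted. This PowerShell sketch is an added example, not part of the original post or the Microsoft article; the DropMyRights location is the one from the post's example, and the application list and output folder are assumptions to adjust.

```powershell
# Added example: build "(Safer)" shortcuts that start applications through DropMyRights.
param(
    [string]$DropMyRights = 'C:\warez\dropmyrights.exe',      # path used in the post's example
    [string]$OutDir = [Environment]::GetFolderPath('Desktop') # assumed destination for shortcuts
)

# Sample list (constructed): application path -> DropMyRights level.
# N = normal user (default), C = constrained user, U = untrusted user.
$apps = @{
    'C:\Program Files\Internet Explorer\iexplore.exe' = 'C'
    'C:\Program Files\Outlook Express\msimn.exe'      = 'N'
}

if (-not (Test-Path $DropMyRights)) {
    throw "DropMyRights.exe not found at $DropMyRights"
}

$shell = New-Object -ComObject WScript.Shell

foreach ($app in $apps.Keys) {
    $level = $apps[$app]

    # Skip entries that would produce a broken or ambiguous shortcut.
    if (-not (Test-Path $app)) {
        Write-Warning "Skipping missing application: $app"
        continue
    }
    if ('N', 'C', 'U' -notcontains $level) {
        Write-Warning "Skipping ${app}: level '$level' is not N, C or U"
        continue
    }

    # Name the shortcut after the real application, not after dropmyrights.
    $name = [IO.Path]::GetFileNameWithoutExtension($app)
    $lnk  = $shell.CreateShortcut((Join-Path $OutDir "$name (Safer).lnk"))

    $lnk.TargetPath   = $DropMyRights
    $lnk.Arguments    = "`"$app`" $level"   # quoted path, then the level switch
    $lnk.WindowStyle  = 7                   # 7 = run minimized
    $lnk.IconLocation = "$app,0"            # reuse the application's own icon
    $lnk.Description  = "$name via DropMyRights (level $level)"
    $lnk.Save()

    Write-Output "Created: $($lnk.FullName)"
}
```

The original full-privilege shortcuts are left in place, so remove or rename them if the lower-privilege ones should be the default way to start these applications.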
 