Microsoft Windows Vista Community Forums - Vistaheads
Improved IE security in XP run Admin

microsoft.public.internetexplorer.general






  #1 (permalink)  
Old 12-17-2008
Michael Jennings
 

Posts: n/a
Improved IE security in XP run Admin
For users running XP as Administrator, who want to improve
IE's security, the Internet Explorer 7 Desktop Security Guide
http://www.microsoft.com/downloads/d...DisplayLang=en
suggests using DropMyRights:
http://msdn.microsoft.com/en-us/library/ms972827.aspx
DropMyRights can launch IE without your administrative rights.

Download DropMyRights.msi from that last link above and
install it. The instructions at the link might be confusing.
Here is an alternative set of instructions:

navigate to the DropMyRights directory
create a shortcut to DropMyRights.exe in its directory,
drag the shortcut to the desktop, then right click it.

Properties > Shortcut > Target >
add the path [and variable] to the controlled program
for example, after
"C:\Documents and Settings\HP_Administrator\My Documents\MSDN\DropMyRights\DropMyRights.exe"
browse to "C:\Program Files\Internet Explorer
copy, paste and type at the end \iexplore.exe"
then add a variable if not /N (default)
to get a line such as this as the Target:
"C:\Documents and Settings\HP_Administrator\My Documents\MSDN\DropMyRights\DropMyRights.exe" "C:\Program Files\Internet Explorer\iexplore.exe" /C

Properties > Shortcut > Run > select Minimized

Properties > Shortcut > Change Icon > pick an icon

Properties > General > change the name
"IE (non-admin)" for example

The command parameters to DropMyRights are:
DropMyRights {path} [N|C|U]

The meanings of the variables are:
Path is the full path of the application to launch.
N means run the application as a normal user.
This is the default if you provide no argument.
C means run the application as a constrained user.
U means run the application as an untrusted user.

IE7 is very accepting of being run /U - untrusted.

Outlook Express is intolerant of DropMyRights. It destroys
OE's ability to send messages. A reboot fixes this until it's
used again to launch Outlook Express - then it happens again,
so don't use DropMyRights for OE unless you only receive.

It ought to work with Internet applications besides IE,
but I've tried it only with IE and OE. It works with IE.
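
Added example, not part of the original post: the shortcut steps above scripted in PowerShell through the WScript.Shell COM object, so the same "IE (non-admin)" launcher can be created identically on several machines. The function name and parameter names are made up for this example, and it assumes PowerShell 2.0 or later; the level switch is written in the same /C form as the Target line in the post.

```powershell
# Added example (not from the thread): build the "IE (non-admin)" shortcut the post describes.
function New-DropMyRightsShortcut {
    param(
        # Assumption: wherever DropMyRights.msi placed the executable on this machine.
        [Parameter(Mandatory = $true)][string]$DropMyRightsPath,
        [string]$ProgramPath = 'C:\Program Files\Internet Explorer\iexplore.exe',
        # N = normal user (default), C = constrained user, U = untrusted user
        [ValidateSet('N', 'C', 'U')][string]$Level = 'N',
        [string]$Name = 'IE (non-admin)'
    )

    # Refuse to create a shortcut that points at something that is not there.
    foreach ($path in @($DropMyRightsPath, $ProgramPath)) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            throw "File not found: $path"
        }
    }

    $desktop  = [Environment]::GetFolderPath('Desktop')
    $linkPath = Join-Path $desktop ($Name + '.lnk')

    $shell    = New-Object -ComObject WScript.Shell
    $shortcut = $shell.CreateShortcut($linkPath)
    $shortcut.TargetPath   = $DropMyRightsPath
    # The program path contains spaces, so it is quoted; the level switch
    # follows it in the same form as the Target line shown in the post.
    $shortcut.Arguments    = '"{0}" /{1}' -f $ProgramPath, $Level
    $shortcut.WindowStyle  = 7                   # 7 = run minimized
    $shortcut.IconLocation = "$ProgramPath,0"    # reuse the program's own icon
    $shortcut.Description  = "Runs $ProgramPath through DropMyRights at level $Level"
    $shortcut.Save()

    # Read the saved .lnk back so the caller can confirm what will actually run.
    $saved = $shell.CreateShortcut($linkPath)
    New-Object PSObject -Property @{
        Link      = $linkPath
        Target    = $saved.TargetPath
        Arguments = $saved.Arguments
    }
}

# Example call, using the install path from the post:
# New-DropMyRightsShortcut -Level C -DropMyRightsPath `
#   'C:\Documents and Settings\HP_Administrator\My Documents\MSDN\DropMyRights\DropMyRights.exe'
```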


  #2 (permalink)  
Old 12-17-2008
Gordon
 

Posts: n/a
Re: Improved IE security in XP run Admin
"Michael Jennings" <metarhyme@gmail.com> wrote in message
news:%2315wweAYJHA.5520@TK2MSFTNGP02.phx.gbl...
> For users running XP as Administrator,


Which of course is very bad practice, and NOT to be recommended....

--
Asking a question?
Please tell us the version of the application you are asking about,
your OS, Service Pack level
and the FULL contents of any error message(s)

  #3 (permalink)  
Old 12-17-2008
ju.c
 

Posts: n/a
Re: Improved IE security in XP run Admin
A better and easier method is to use Sysinternals PsExec utility and launch it
with a shortcut and StartX. The shortcut command would be:

C:\Path to\STARTX.EXE "C:\Path to\psexec.exe" -l -d "C:\Program Files\Internet Explorer\iexplore.exe"

StartX 1.06 242 KB (Freeware)
Info: http://www.naughter.com/startx.html
Download: http://www.naughter.com/download/startx.zip

PsExec 1.94 1 MB (Freeware)
Info: http://technet.microsoft.com/en-ca/s.../bb897553.aspx
Download: http://download.sysinternals.com/Files/PsTools.zip


ju.c


"Michael Jennings" <metarhyme@gmail.com> wrote in message news:#15wweAYJHA.5520@TK2MSFTNGP02.phx.gbl...
> For users running XP as Administrator, who want to improve
> IE's security, the Internet Explorer 7 Desktop Security Guide
> http://www.microsoft.com/downloads/d...DisplayLang=en
> suggests using DropMyRights:
> http://msdn.microsoft.com/en-us/library/ms972827.aspx
> DropMyRights can launch IE without your administrative rights.
>
> Download DropMyRights.msi from that last link above and
> install it. The instructions at the link might be confusing.
> Here is an alternative set of instructions:
>
> navigate to the DropMyRights directory
> create a shortcut to DropMyRights.exe in its directory,
> drag the shortcut to the desktop, then right click it.
>
> Properties > Shortcut > Target >
> add the path [and variable] to the controlled program
> for example, after
> "C:\Documents and Settings\HP_Administrator\My
> Documents\MSDN\DropMyRights\DropMyRights.exe"
> browse to "C:\Program Files\Internet Explorer
> copy, paste and type at the end \iexplore.exe"
> then add a variable if not /N (default)
> to get a line such as this as the Target:
> "C:\Documents and Settings\HP_Administrator\My
> Documents\MSDN\DropMyRights\DropMyRights.exe" "C:\Program Files\Internet
> Explorer\iexplore.exe" /C
>
> Properties > Shortcut > Run > select Minimized
>
> Properties > Shortcut > Change Icon > pick an icon
>
> Properties > General > change the name
> "IE (non-admin)" for example
>
> The command parameters to DropMyRights are:
> DropMyRights {path} [N|C|U]
>
> The meanings of the variables are:
> Path is the full path of the application to launch.
> N means run the application as a normal user.
> This is the default if you provide no argument.
> C means run the application as a constrained user.
> U means run the application as an untrusted user.
>
> IE7 is very accepting of being run /U - untrusted.
>
> Outlook Express is intolerant of DropMyRights. It destroys
> OE's ability to send messages. A reboot fixes this until it's
> used again to launch Outlook Express - then it happens again,
> so don't use DropMyRights for OE unless you only receive.
>
> It ought to work with Internet applications besides IE,
> but I've tried it only with IE and OE. It works with IE.
>
>

  #4 (permalink)  
Old 12-17-2008
ju.c
 

Posts: n/a
Re: Improved IE security in XP run Admin
Please don't delete previous posts, thanks.


"Gordon" <gordonbparker@yahoo.com.invalid> wrote in message news:eBVPPGCYJHA.4380@TK2MSFTNGP06.phx.gbl...
> "Michael Jennings" <metarhyme@gmail.com> wrote in message
> news:%2315wweAYJHA.5520@TK2MSFTNGP02.phx.gbl...
>> For users running XP as Administrator,

>
> Which of course is very bad practice, and NOT to be recommended....
>
> --
> Asking a question?
> Please tell us the version of the application you are asking about,
> your OS, Service Pack level
> and the FULL contents of any error message(s)
>

  #5 (permalink)  
Old 12-17-2008
Gordon
 

Posts: n/a
Re: Improved IE security in XP run Admin
"ju.c" <bibidybubidyboop@mailnator.com> wrote in message
news:ujOBlXDYJHA.1336@TK2MSFTNGP02.phx.gbl...
> Please don't delete previous posts, thanks.
>
>



I didn't. I was replying to your first sentence.

Read these:

http://www.dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html


--
Asking a question?
Please tell us the version of the application you are asking about,
your OS, Service Pack level
and the FULL contents of any error message(s)

  #6 (permalink)  
Old 12-17-2008
VanguardLH
 

Posts: n/a
Re: Improved IE security in XP run Admin
Michael Jennings wrote:

> For users running XP as Administrator, who want to improve
> IE's security, the Internet Explorer 7 Desktop Security Guide
> http://www.microsoft.com/downloads/d...DisplayLang=en
> suggests using DropMyRights:
> http://msdn.microsoft.com/en-us/library/ms972827.aspx
> DropMyRights can launch IE without your administrative rights.
>
> Download DropMyRights.msi from that last link above and
> install it. The instructions at the link might be confusing.
> Here is an alternative set of instructions:
>
> navigate to the DropMyRights directory
> create a shortcut to DropMyRights.exe in its directory,
> drag the shortcut to the desktop, then right click it.
>
> Properties > Shortcut > Target >
> add the path [and variable] to the controlled program
> for example, after
> "C:\Documents and Settings\HP_Administrator\My
> Documents\MSDN\DropMyRights\DropMyRights.exe"
> browse to "C:\Program Files\Internet Explorer
> copy, paste and type at the end \iexplore.exe"
> then add a variable if not /N (default)
> to get a line such as this as the Target:
> "C:\Documents and Settings\HP_Administrator\My
> Documents\MSDN\DropMyRights\DropMyRights.exe" "C:\Program Files\Internet
> Explorer\iexplore.exe" /C
>
> Properties > Shortcut > Run > select Minimized
>
> Properties > Shortcut > Change Icon > pick an icon
>
> Properties > General > change the name
> "IE (non-admin)" for example
>
> The command parameters to DropMyRights are:
> DropMyRights {path} [N|C|U]
>
> The meanings of the variables are:
> Path is the full path of the application to launch.
> N means run the application as a normal user.
> This is the default if you provide no argument.
> C means run the application as a constrained user.
> U means run the application as an untrusted user.
>
> IE7 is very accepting of being run /U - untrusted.
>
> Outlook Express is intolerant of DropMyRights. It destroys
> OE's ability to send messages. A reboot fixes this until it's
> used again to launch Outlook Express - then it happens again,
> so don't use DropMyRights for OE unless you only receive.
>
> It ought to work with Internet applications besides IE,
> but I've tried it only with IE and OE. It works with IE.


Rather than use DropMyRights, you can also use SysInternals' psexec
utility. The following is the command in a shortcut that I use for
loading IE under a LUA (limited user account) token:

C:\Tools\SysInternals\psexec.exe -abovenormal -l -d "C:\Program Files\Internet Explorer\iexplore.exe"

I like psexec because it also lets me run the web browser with increased
priority. Normally when I am browsing, that's my primary activity so I
want to make it snappier. -l is for the LUA token (reduced privileges)
and -d is "don't wait for process to terminate" (so the shell used to
run psexec gets closed as soon as it loads iexplore.exe). The
"-abovenormal" parameter is for increased priority.

The problem with using either DropMyRights or psexec (with its -l
parameter) is that it only applies when you start the web browser using
those utilities (as the child processes use the LUA of the parent).
That won't add the restrictions to provide protection when the web
browser is started as a child process of some other applications. There
are LOTS of applications that will start IE as a child process. If you
want to throttle the permissions on all instances of your web browser no
matter how it gets started or by what, look into something like GeSWall.
I used it for a while but eventually removed it as starting IE manually
using the shortcut with psexec (and its -l parameter) was sufficient for
me since I only use it when visiting unknown or untrusted sites.
Running IE always in an isolated mode (in GeSWall) or with restrictions
under a LUA (using psexec, DropMyRights, or the protected mode available
in Online Armor firewall or other security products) just got in my way
too much. GeSWall runs the web browser in its own restrictive isolated
mode so it is more protective than simply using a LUA token on a child
process. Sandboxing would be another choice, like using Sandboxie. Too
bad its free version turns into once-a-day nagware after the 30-day
trial (and why I stopped using it). Virtual machines go even further
but are somewhat of a hassle to start the VM just to browse a site (and
waste too much memory to leave the VM running all the time).
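
Added example, not part of the thread: a PowerShell check for the gap described above, reporting for every running iexplore.exe whether its process token still carries an enabled Administrators group, whatever program started it. It assumes PowerShell 2.0 or later in an administrator session, and that a launch through DropMyRights or psexec -l leaves the Administrators group stripped or deny-only; the names Audit.Native, Test-ProcessHasAdminToken and Get-BrowserTokenReport are made up for this example.

```powershell
# Added example: P/Invoke declarations for the two Win32 calls needed to read a process token.
Add-Type -Namespace Audit -Name Native -MemberDefinition @'
[System.Runtime.InteropServices.DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(System.IntPtr process, uint access, out System.IntPtr token);

[System.Runtime.InteropServices.DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(System.IntPtr handle);
'@

function Test-ProcessHasAdminToken {
    param([Parameter(Mandatory = $true)][System.Diagnostics.Process]$Process)

    $TOKEN_DUPLICATE = 0x0002   # needed so .NET can build an impersonation copy
    $TOKEN_QUERY     = 0x0008   # needed to read group membership
    $token    = [IntPtr]::Zero
    $identity = $null

    $access = [uint32]($TOKEN_QUERY -bor $TOKEN_DUPLICATE)
    if (-not [Audit.Native]::OpenProcessToken($Process.Handle, $access, [ref]$token)) {
        throw "OpenProcessToken failed for PID $($Process.Id)"
    }
    try {
        $identity  = New-Object System.Security.Principal.WindowsIdentity($token)
        $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
        # False when the Administrators SID is missing from the token or marked deny-only.
        $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
    finally {
        if ($identity) { $identity.Dispose() }
        [void][Audit.Native]::CloseHandle($token)
    }
}

function Get-BrowserTokenReport {
    param([string]$ProcessName = 'iexplore')

    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try {
            if (Test-ProcessHasAdminToken -Process $proc) {
                $state = 'ADMIN (started without rights dropped)'
            } else {
                $state = 'restricted'
            }
        }
        catch {
            # The process may have exited, or its handle could not be opened.
            $state = 'unknown: ' + $_.Exception.Message
        }
        New-Object PSObject -Property @{ Id = $proc.Id; Name = $proc.ProcessName; Token = $state }
    }
}

# Start IE once from the restricted shortcut and once from a link in another
# program, then compare the two rows.
Get-BrowserTokenReport | Sort-Object Id | Format-Table Id, Name, Token -AutoSize
```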
  #7 (permalink)  
Old 12-17-2008
Michael Jennings
 

Posts: n/a
Re: Improved IE security in XP run Admin
Although he's rude and inattentive, Gordon's method of running
IE with limited rights is simple and best - log on as a limited user.

Running as Admin means the computer won't say, "you can't
do that," less frequently. Lots of people run XP as Admin - it's
a bit like driving without wearing a seat belt - more comfortable.

If you want to be able to view the contents of the SAM and
SECURITY keys and control remote computers as well as
limiting IE's rights, then PsExec is clearly better. Mark Russinovich's
article is locked to people who have not paid to access it in
Windows IT Pro Magazine. Using STARTX to launch PsExec
to launch the program to be run with limited rights seems more
complicated than using DropMyRights to do so. I don't think
your method would be better and easier for most users.

"ju.c" <bibidybubidyboop@mailnator.com> wrote in message
news:uQjOUXDYJHA.3808@TK2MSFTNGP05.phx.gbl...
>A better and easier method is to use Sysinternals PsExec utility and launch it
>with a shortcut and StartX. The shortcut command would be:
>
> C:\Path to\STARTX.EXE "C:\Path to\psexec.exe" -l -d "C:\Program Files\Internet
> Explorer\iexplore.exe"
>
> StartX 1.06 242 KB (Freeware)
> Info: http://www.naughter.com/startx.html
> Download: http://www.naughter.com/download/startx.zip
>
> PsExec 1.94 1 MB (Freeware)
> Info: http://technet.microsoft.com/en-ca/s.../bb897553.aspx
> Download: http://download.sysinternals.com/Files/PsTools.zip
>
>
> ju.c
>
>
> "Michael Jennings" <metarhyme@gmail.com> wrote in message
> news:#15wweAYJHA.5520@TK2MSFTNGP02.phx.gbl...
>> For users running XP as Administrator, who want to improve
>> IE's security, the Internet Explorer 7 Desktop Security Guide
>> http://www.microsoft.com/downloads/d...DisplayLang=en
>> suggests using DropMyRights:
>> http://msdn.microsoft.com/en-us/library/ms972827.aspx
>> DropMyRights can launch IE without your administrative rights.
>>
>> Download DropMyRights.msi from that last link above and
>> install it. The instructions at the link might be confusing.
>> Here is an alternative set of instructions:
>>
>> navigate to the DropMyRights directory
>> create a shortcut to DropMyRights.exe in its directory,
>> drag the shortcut to the desktop, then right click it.
>>
>> Properties > Shortcut > Target >
>> add the path [and variable] to the controlled program
>> for example, after
>> "C:\Documents and Settings\HP_Administrator\My
>> Documents\MSDN\DropMyRights\DropMyRights.exe"
>> browse to "C:\Program Files\Internet Explorer
>> copy, paste and type at the end \iexplore.exe"
>> then add a variable if not /N (default)
>> to get a line such as this as the Target:
>> "C:\Documents and Settings\HP_Administrator\My
>> Documents\MSDN\DropMyRights\DropMyRights.exe" "C:\Program Files\Internet
>> Explorer\iexplore.exe" /C
>>
>> Properties > Shortcut > Run > select Minimized
>>
>> Properties > Shortcut > Change Icon > pick an icon
>>
>> Properties > General > change the name
>> "IE (non-admin)" for example
>>
>> The command parameters to DropMyRights are:
>> DropMyRights {path} [N|C|U]
>>
>> The meanings of the variables are:
>> Path is the full path of the application to launch.
>> N means run the application as a normal user.
>> This is the default if you provide no argument.
>> C means run the application as a constrained user.
>> U means run the application as an untrusted user.
>>
>> IE7 is very accepting of being run /U - untrusted.
>>
>> Outlook Express is intolerant of DropMyRights. It destroys
>> OE's ability to send messages. A reboot fixes this until it's
>> used again to launch Outlook Express - then it happens again,
>> so don't use DropMyRights for OE unless you only receive.
>>
>> It ought to work with Internet applications besides IE,
>> but I've tried it only with IE and OE. It works with IE.



  #8 (permalink)  
Old 12-17-2008
Michael Jennings
 

Posts: n/a
Re: Improved IE security in XP run Admin
"VanguardLH" <V@nguard.LH> wrote in message
news:gibdem$b22$1@news.motzarella.org...
> Michael Jennings wrote:
>
>> For users running XP as Administrator, who want to improve
>> IE's security, the Internet Explorer 7 Desktop Security Guide
>> http://www.microsoft.com/downloads/d...DisplayLang=en
>> suggests using DropMyRights:
>> http://msdn.microsoft.com/en-us/library/ms972827.aspx
>> DropMyRights can launch IE without your administrative rights.
>>

> Rather than use DropMyRights, you can also use SysInternals' psexec
> utility. The following is the command in a shortcut that I use for
> loading IE under a LUA (limited user account) token:
>
> C:\Tools\SysInternals\psexec.exe -abovenormal -l -d "C:\Program
> Files\Internet Explorer\iexplore.exe"
>
> I like psexec because it also lets me run the web browser with increased
> priority. Normally when I am browsing, that's my primary activity so I
> want to make it snappier. -l is for the LUA token (reduced privileges)
> and -d is "don't wait for process to terminate" (so the shell used to
> run psexec gets closed as soon as it loads iexplore.exe). The
> "-abovenormal" parameter is for increased priority.
>
> The problem with using either DropMyRights or psexec (with its -l
> parameter) is that it only applies when you start the web browser using
> those utilities (as the child processes use the LUA of the parent).
> That won't add the restrictions to provide protection when the web
> browser is started as a child process of some other applications. There
> are LOTS of applications that will start IE as a child process. If you
> want to throttle the permissions on all instances of your web browser no
> matter how it gets started or by what, look into something like GeSWall.
> I used it for a while but eventually removed it as starting IE manually
> using the shortcut with psexec (and its -l parameter) was sufficient for
> me since I only use it when visiting unknown or untrusted sites.
> Running IE always in an isolated mode (in GeSWall) or with restrictions
> under a LUA (using psexec, DropMyRights, or the protected mode available
> in Online Armor firewall or other security products) just got in my way
> too much. GeSWall runs the web browser in its own restrictive isolated
> mode so it is more protective than simply using a LUA token on a child
> process. Sandboxing would be another choice, like using Sandboxie. Too
> bad its free version turns into once-a-day nagware after the 30-day
> trial (and why I stopped using it). Virtual machines go even further
> but are somewhat of a hassle to start the VM just to browse a site (and
> waste too much memory to leave the VM running all the time).


That is an improvement on ju.c's suggestion.

I wouldn't know how to detect that DropMyRights continued to be active
until reboot after it's invoked. The behavior of OE suggests that it is. If so,
then your point about clicking IE up via a link wouldn't stand. Firefox
accepts it. I haven't done it to Safari or Chrome yet. What I want is an
OS I can run as Admin in perfect safety. Zero to 60 in 4 seconds with
phenomenal fuel efficiency priced to sell. Who knows? I'll have to wait.

In the meantime, DropMyRights is simple after you've done it once.


  #9 (permalink)  
Old 12-17-2008
Gordon
 

Posts: n/a
Re: Improved IE security in XP run Admin
"Michael Jennings" <metarhyme@gmail.com> wrote in message
news:eVjJmOHYJHA.652@TK2MSFTNGP04.phx.gbl...
> Although he's rude and inattentive, Gordon's method of running
> IE with limited rights is simple and best - log on as a limited user.
>



Sorry? What was "rude" and "inattentive" about suggesting that it is bad
practice to run as Admin?

--
Asking a question?
Please tell us the version of the application you are asking about,
your OS, Service Pack level
and the FULL contents of any error message(s)

  #10 (permalink)  
Old 12-18-2008
Michael Jennings
 

Posts: n/a
Re: Improved IE security in XP run Admin
"Gordon" <gordonbparker@yahoo.com.invalid> wrote in message
news:%23YPjGkIYJHA.5336@TK2MSFTNGP02.phx.gbl...
> "Michael Jennings" <metarhyme@gmail.com> wrote in message
> news:eVjJmOHYJHA.652@TK2MSFTNGP04.phx.gbl...
>> Although he's rude and inattentive, Gordon's method of running
>> IE with limited rights is simple and best - log on as a limited user.

>
> Sorry? What was "rude" and "inattentive" about suggesting that it is bad
> practice to run as Admin?


You were inattentive in addressing ju.c as if he were the original poster.
Massive snipping could be considered obnoxious and inconsiderate,
ju.c objected to your doing it. If someone agrees that you're right,
it's best to wallow in it - just blow off any negativity going with that.

