• PC World
• »Software
• »Antivirus and Security

Limiting Rights

All of these programs exist because Windows needs help handling basic security, particularly with regard to user accounts. You probably employ a Windows administrator account that gives you full rights to change the Registry, install software, and read all files. A good way to make your home PC safer is to operate it under a limited user account (aka a "least-privileged user account," or LUA) instead of an admin account; the limited user rights carry over to any malicious program that tries to infiltrate your system and thus minimizes the damage it can do. Hardly anyone does this, however, because using such an account can lead to serious inconveniences. If you're a limited user, Windows will frequently balk at a seemingly simple task such as changing time zones or installing legitimate software. To perform these kinds of tasks, you must first log out and then log back on as an administrator.

Not surprisingly, the vast majority of us avoid this headache by choosing not to create a separate account, which is more convenient but makes for bad security. Any poisoned Web site or corrupt attachment that sneaks in through a vulnerability in your browser or e-mail program can launch malware with full rights to embed itself into system directories, kill antivirus programs, and generally wreak havoc. In contrast, if the attacker is not empowered to alter your system, it's in effect declawed.

Enter programs such as Amust's 1-Defender. Released in December and updated to version 2.0 in April, it works with Microsoft's Internet Explorer, Outlook, and Windows Messenger. After a brief installation, you'll have the option of creating new desktop and quick-launch icons for starting each program without administrator privileges, even if you otherwise use an admin account. A splash screen and a slightly different icon in the upper left portion of the window indicate that you're running in SafeInternet mode. With the PC in this mode you (and any malware) can't install many types of software and can't make any hazardous Registry changes.

Links opened from other programs or files start IE in safe mode. You can bypass that behavior by shift-clicking the link, or you can start IE in the regular way by clicking the old icons. Most actions--like opening files on your computer or installing a new toolbar--stay the same.

Like 1-Defender, DropMyRights is a small program that opens selected apps under limited user rights. Developed by Michael Howard, a Microsoft senior security program manager, it has been around since 2004; though Howard works for Microsoft, the company doesn't market the app. It works with any program, but before using it you need to make some quick changes. After installing it, you must create a shortcut for each program that you want to use with it (or you must modify the existing one). Howard provides full instructions with screen shots at his Microsoft Security Developer Center page on the MSDN Web site.

If you click a Web link in another program, such as Word, your default browser will start normally, without DropMyRights protection (unless it is running with DropMyRights, too). To get the extra security, copy and paste the link after starting your browser via the specially prepared shortcut.

Microsoft plans to include a "protected mode" in Vista that will run IE 7 without admin privileges, much as 1-Defender and DropMyRights do. Redmond is also trying to take the aggravation out of running day-to-day with a LUA (current Vista betas suggest that it still has some work to do).