Windows Tip: Do you LUA?
Send your Windows question to Mitch today! | See other Windows tips
I've been running with a least-privileged user account (LUA) on my main Windows XP workstation now for over a year. In other words, the user account I use for checking email, browsing the web, writing reports and so on is an ordinary domain user account and is not a member of the local Administrators group on my computer. Why do I do this? Because running with an admin account results in a lot more damage when your machine gets compromised by some malware.
It hasn't been easy though, and this week was another example. I had to connect to a remote extranet site using Internet Explorer to do some business with another company. So I opened IE and typed the URL to the site to get to its logon page. Then I clicked the Login button and typed my domain\username and password that had been given me for accessing the site. No joy, the logon page kept repeating until I got an Access Denied message.
Time to troubleshoot. Check the credentials, check the firewall, try this, try that. Then inspiration hit me. I opened a command prompt and typed runas /user:administrator "C:\Program Files\Internet Explorer\iexplore.exe" and opened an IE session running as local admin on the machine. Went to the extranet and clicked the Login button and this time it worked, I'm in!
Once in the portal, I found the files I was supposed to download so I selected them, pressed CTRL+C, switched to my My Documents folder and pressed CTRL+V. Nothing happened. I tried dragging the files from IE onto my desktop. The plus sign was there beside my mouse pointer, but when I released the left mouse button nothing happened. What's going on?
Then I had another idea. I opened a second IE session as local admin and typed My Documents in the address bar, then I tried copying and pasting the files from the extranet page to My Documents. It worked! I closed both IE windows and opened My Documents from the Start menu and the files weren't there! Augh! Where'd they go? I saw them being copied, and now they're gone!
Well not really. After some reflection I realized that when I typed My Documents into the address bar of an elevated IE window, I was actually opening the My Documents folder for the Administrator account (C:\Documents and Settings\Administrator\My Documents) and not my own My Documents folder (C:\Documents and Settings\my_account\My Documents). So finally I saw the solution: create a new folder called C:\Transfer, open the Security tab on its properties sheet and add a Full Control ACE for Administrators to the ACL for the folder. Now both my account and local admin accounts had full access to the folder. Then I dragged the files from the extranet portal to this folder and (a) they copied OK because admins had Full Control permission on the folder, and (b) I could open the files later because my own user account had full control permissions as well on the folder.
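The same transfer folder can be set up from a command prompt with cacls, which ships with Windows XP. The batch file below is an added example and not part of the original tip; it assumes it is run from the limited account, and it uses the C:\Transfer folder name from the text.

```bat
@echo off
rem Added example, not from the original tip.
rem Assumption: run from the limited (LUA) account that will use the folder.
setlocal
set "XFER=C:\Transfer"

rem Create the folder only if it is not already there.
if not exist "%XFER%\" mkdir "%XFER%"
if not exist "%XFER%\" (
    echo Could not create %XFER%
    exit /b 1
)

rem /E edits the existing ACL instead of replacing it.
rem /G grants access; F means Full Control.
cacls "%XFER%" /E /G Administrators:F
cacls "%XFER%" /E /G "%USERDOMAIN%\%USERNAME%":F

rem Print the resulting ACL so both entries can be checked by eye:
rem expect one line for Administrators and one for the current account.
cacls "%XFER%"

endlocal
```

Without /E, cacls replaces the whole ACL with only the entries given on the command line, so the switch matters here.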
Which only goes to remind me one more time how painful it can be to run with a LUA on Windows XP. Trade-off between security and usability? You bet!
Do you LUA? Email me your experiences and I'll try to share some of them in a future newsletter here on ITworld.
ITworld.com








