IE7 Protected Mode while UAC is disabled?

[Synapse Syndrome]

I am running as a standard user, and still (even more so), UAC is doing my
head in intensely. I've been trying to move and delete files (organise)
between some partitions and I found myself swearing and punching the monitor
and stamping on the keyboard because of UAC.

I have disabled having to elevate in Admin account, using secpol.msc, but
this is no use in a Power User account. So I have to disable this UAC
atrocity.

Is there any way that I can still run IE7 in Protected Mode without UAC, or
is there another way to make UAC STFU more?

No pro-UAC rants please.

Cheers.

ss.

 

[Guest]

don't be stupid and TURN ON UAC

 

[mikeyhsd]

am puzzled, as to what IE7 has to do with copying and deleting files. unless it is on a web site

unless you need to be connected to the internet to do the cleanup. simply disconnect/turn off the modem then turn off UAC momentarily. do the work, then turn UAC back on and then reconnect/turn on the modem.

(e-mail address removed)@sport.rr.com


I am running as a standard user, and still (even more so), UAC is doing my
head in intensely. I've been trying to move and delete files (organise)
between some partitions and I found myself swearing and punching the monitor
and stamping on the keyboard because of UAC.

I have disabled having to elevate in Admin account, using secpol.msc, but
this is no use in a Power User account. So I have to disable this UAC
atrocity.

Is there any way that I can still run IE7 in Protected Mode without UAC, or
is there another way to make UAC STFU more?

No pro-UAC rants please.

Cheers.

ss.

 

[Synapse Syndrome]

am puzzled, as to what IE7 has to do with copying and deleting files. unless
it is on a web site

unless you need to be connected to the internet to do the cleanup. simply
disconnect/turn off the modem then turn off UAC momentarily. do the work,
then turn UAC back on and then reconnect/turn on the modem.

----------------------------------------------------------------------------------------------

I do far too much during the usual work day to do this. And you need to
reboot to turn UAC off. I just want to get rid of it completely, apart from
IE7 Protected Mode.

ss.

 

[Synapse Syndrome]

don't be stupid and TURN ON UAC

Shut up you idiot. You sound like a moron that ran as Admin with XP and got
lots of malware. I never did. Just wait till MS changes the way UAC works
with SP1 and then cry about your stupid UAC crap.

ss.

 

[mikeyhsd]

have you tried the various flavors of uac notification that can be adjusted with the policy control.



(e-mail address removed)@sport.rr.com


am puzzled, as to what IE7 has to do with copying and deleting files. unless
it is on a web site

unless you need to be connected to the internet to do the cleanup. simply
disconnect/turn off the modem then turn off UAC momentarily. do the work,
then turn UAC back on and then reconnect/turn on the modem.

----------------------------------------------------------------------------------------------

I do far too much during the usual work day to do this. And you need to
reboot to turn UAC off. I just want to get rid of it completely, apart from
IE7 Protected Mode.

ss.

 

[Richard Urban]

You post here frequently, and have helped a lot of people.

But, if I were reduced to punching a monitor, I think I would go back to
Windows XP for a while and cool down. I would likely reload Vista the next
time I obtained a drive by download from a funky website - and live with
UAC.

--


Regards,

Richard Urban MVP
Microsoft Windows Shell/User

 

[Arthur Dent]

I generally love Vista and dont plan on going back to XP. But i have to
agree with Synapse...

The UAC, while a GREAT idea, is simply far to intrusive to be useful. I
tried to live with it at first, to "do the right thing", but like he says,
it prompts you for SO many things that you should be able to do fine (like
copying a couple files in his example, or emptying the recycle bin or
changing screen savers and just dumb stuff (i know it doesnt ACTually prompt
on the recycle bin or screen saver, but i turned it off so long ago i forgot
what the little things all were, so those are just examples in principle)).

Now i didnt actually turn it off... i just run it in the mode so Admin users
auto-elevate with no prompt. Because otherwise you Do... you get prompted
every 5 minutes when you try to do something, which especially at work,
where productivity counts, is absolute baloney.

Now, if they had made it so that it would detect WHERE the action was coming
from... ie, from a remotely initiated process vs. from the logged in user
actually clicking something, then it would be a LOT better. Then it would
still provide the protection against remote access hacks that it is
supposedly supposed to be protecting us from, but it would do so without
making the interactive user want to toss his machine out a window. Such a
Basic Change would've gone a LONG way to improving the experience and
probably would've reslulted in a LOT fewer people turning the
'good-but-poorly-implemented' thing off.

That's my two cents,
CheerZ!

 

[Ronnie Vernon MVP]

Arthur

You aren't giving the malware and virus folks enough credit.

The first thing a virus will do is disable/bypass the onboard anti-virus
software and then spoof your administrator account privileges so the system
thinks that YOU are the one that initiated the action that it wants to
perform. It then goes ahead and does it's dirty deeds while masquerading as
YOU with unrestricted access to the system.

The UAC prompt is designed to alert you when any action is requested that
could potentially be malware related. This can be something as simple as
moving/copying/replacing files, starting a command prompt, accessing the
registry, or task manager, writing to a system folder, etc.

With UAC turned off, you will not even be aware of what is happening until
it is too late. With UAC turned on you will be prompted with "Windows needs
your permission to continue" dirtydeeds.exe is trying to access the system,
if you started this action, click continue? (Of course it will not be named
dirtydeeds.exe, it will be something like windowsnormal file.exe)

I do agree that the UAC prompt can be intrusive, but I believe that most of
the frustration comes from the fact that we are being asked to do something
different from the way we have always done it. I did some studies, on my
own, about how much time is actually wasted with the UAC prompt and the
results were negligible. During an eight day period, I wasted less than 5
minutes total.
The UAC prompt pops up, I glance at it to make sure that it is referring to
an action that I intended to perform and click Enter. Takes less than a
second.

It's true that you can turn the elevation prompts off, but this needs to be
done in a responsible manner. You can set things up so that you can quickly
turn it off, without the need to reboot and without compromising the
Virtualization or Compatibility modules that UAC is tightly integrated with.
This needs to be a temporary switch that is only used when you think it is
needed and then turned back on when you are finished.

 

[Arthur Dent]

I understand the point you're making, and in principle it's a good idea, but
it is just too much... especially for someone who knows what they are doing.
In 13 years of using computers... i've only ever had 1 infection, and that
was after i'd done a rebuild and simply forgotten (DUH!) to put back on my
a/v and anti-malware. Other than that i've never had a single infection. For
real power users, who browse responsibly and configure their networks
properly... UAC is just too much. For regular home user's without tht
benefit of a good IT person on hand, maybe it is needed... or for server's
which are more likely to be the targets of attack.

I think one way it couldve been done a LOT better, would've been if instead
of locking up your whole machine with a prompt, and not letting you do
anything until you answer it, ..... it could've been written so that it only
locked up the one process which spawned the alert and not the entire
machine. And instead of the annoyingly obtuse dialog, if it had been done
with a small non-modal balloon notification from the systray or a persistent
desktop alert like Outlook 2003+'s ..... something that would've held that
process or app until you answered it, but wouldnt necessarily stop you from
doing other stuff on your computer. But i guess coulda-woulda-shoulda's ...
.

 

[Jimmy Brush]

Hello,

I would disagree that power users have no use for UAC.

UAC allows power users to easily see what is running with admin powers vs.
non-admin powers on their system, and convienently seperates the two. As a
power user, I have a large interest in knowing what programs are running
privileged on my system.

However, I would agree that the current prompting behavior is unfortunate.
Of course, it's only like that because it prevents other applications from
messing with or driving the UAC prompt.

It would be much nicer if the prompt works as you say, or even better, if
the system could create a special "elevation UI marker" (like the buttons
with the shields on them) such that the system could confirm that 1) the
user, and not a program, click the special button and 2) the program is not
hiding or manipulating the button (such as hiding the shield by drawing
something over it), then the prompt wouldn't even be necessary, as the
special UI component would take its place (although I think prompts should
be on by default and not showing prompts for shielded UI actions should be
optional).


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Jimmy Brush]

Hello,

You cannot turn off UAC while still allowing IE protected mode.

You also cannot have a program that requires full admin privileges
automatically elevate from within a non-admin account.

However, assuming you are talking about modifying YOUR files on your
computer and NOT system files, I can help you with that: If these files and
folders were created from a different installation of Windows, UAC is
prompting because Windows Vista does not recognize that you created these
files. In essense, the only user account on your vista installation that has
access to those files is the administrators group (protected by UAC), since
all of the other accounts given access to those files are other windows
installation-specific, which doesn't count on your current windows
installation.

The solution is to modify the security on the files in Vista to grant your
username permission to the files.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Dennis_N]

The solution is to modify the security on the files in Vista to grant your
username permission to the files.

Yes. That's the trick.

I did that too, granted access to users to my data drive, where i keep
documents, various files etc. All my shell folders are redirected to
that drive too.

The system and program files are on a seperate drive.

I run as a user with UAC on.

I hardly ever get prompted.
And when i DO get prompted, i know it's for a reason, ie installing a
program, or doing other system related work.

But after the initial work with setting the system up, and installing
all the programs i use is over, i rarely get the UAC prompt.

I think UAC is a major improvement in windows. (it's a behavioral
modifier)

Maybe it's because i'm used to Unix.

Regards

 

[Ronnie Vernon MVP]

Hi Jimmy

You cannot turn off UAC while still allowing IE protected mode.

This hasn't been my experience when doing some testing.

Using a reg file to disable "ConsentPromptBehaviorAdmin" and
"PromptOnSecureDesktop" during a session, logged on with a standard admin
account, disables the UAC prompts, but doesn't appear to disable IE
protected mode. At least, when these 2 keys are disabled, IE still shows
Protected Mode=On in the IE status bar? I have even disabled/enabled
protected mode and it appears to work as expected. Also, ieuser.exe remains
active in Task Manager.

This appears to stick even through a logoff/logon or a reboot.

This also does not appear to effect Virtualization or Compatibility issues.

 

[Synapse Syndrome]

have you tried the various flavors of uac notification that can be adjusted
with the policy control.

-----------------------------------------------------------------------------------------------

Yes, I mentioned that in my first post. I have tried different settings.
When running as a Power User you get many more prompts.

ss.

 

[Synapse Syndrome]

You post here frequently, and have helped a lot of people.

But, if I were reduced to punching a monitor, I think I would go back to
Windows XP for a while and cool down. I would likely reload Vista the next
time I obtained a drive by download from a funky website - and live with
UAC.

I wasn't actually physically doing those things, but I was close to it.

ss.

 

[Synapse Syndrome]

Hi Jimmy


This hasn't been my experience when doing some testing.

Using a reg file to disable "ConsentPromptBehaviorAdmin" and
"PromptOnSecureDesktop" during a session, logged on with a standard admin
account, disables the UAC prompts, but doesn't appear to disable IE
protected mode. At least, when these 2 keys are disabled, IE still shows
Protected Mode=On in the IE status bar? I have even disabled/enabled
protected mode and it appears to work as expected. Also, ieuser.exe
remains active in Task Manager.

This appears to stick even through a logoff/logon or a reboot.

This also does not appear to effect Virtualization or Compatibility
issues.

So what you are saying is what I am asking is possible? Are those registry
keys the same ones that are changed within secpol.msc? I have tried
changing those, but I still get lots of prompts when running as Power User.
I don't mind this for installing programs, like I had to with XP.

ss.

 

[Synapse Syndrome]

I generally love Vista and dont plan on going back to XP. But i have to
agree with Synapse...

The UAC, while a GREAT idea, is simply far to intrusive to be useful. I
tried to live with it at first, to "do the right thing", but like he says,
it prompts you for SO many things that you should be able to do fine (like
copying a couple files in his example, or emptying the recycle bin or
changing screen savers and just dumb stuff (i know it doesnt ACTually
prompt on the recycle bin or screen saver, but i turned it off so long ago
i forgot what the little things all were, so those are just examples in
principle)).

Now i didnt actually turn it off... i just run it in the mode so Admin
users auto-elevate with no prompt. Because otherwise you Do... you get
prompted every 5 minutes when you try to do something, which especially at
work, where productivity counts, is absolute baloney.

Now, if they had made it so that it would detect WHERE the action was
coming from... ie, from a remotely initiated process vs. from the logged
in user actually clicking something, then it would be a LOT better. Then
it would still provide the protection against remote access hacks that it
is supposedly supposed to be protecting us from, but it would do so
without making the interactive user want to toss his machine out a window.
Such a Basic Change would've gone a LONG way to improving the experience
and probably would've reslulted in a LOT fewer people turning the
'good-but-poorly-implemented' thing off.

I totally agree.

ss.

 

[Ronnie Vernon MVP]

So what you are saying is what I am asking is possible? Are those
registry keys the same ones that are changed within secpol.msc? I have
tried changing those, but I still get lots of prompts when running as
Power User. I don't mind this for installing programs, like I had to with
XP.

ss.

SS

Yes and No.

This does not apply to a Standard user account, only to a normal
Administrator account. (although some actions performed with a standard user
account will be possible without an elevation prompt) The standard user
account will still be unable to make any system wide changes without
elevation.

The concept of a Power User, where there was a pre-set list of
administrative privileges assigned to a particular type of account is
defunct in Vista, although you will still see this user type in the
MMC/Local Users and Groups, it is only there for backward compatibility. The
main reason for this is that most applications still require unnecessary
privileges.

The Standard user can now perform most common configuration tasks in Vista.
File and registry virtualization helps legacy applications run smoother in
Vista. For newer, Vista compliant applications, the UAC programming
guidelines allow these newer programs to run seamlessly under a standard
user account.

If you want to customize a Standard User account, you will still need to do
this through the MMC.

 

[Jimmy Brush]

Hello,

The ConsentPromptBehaviorAdmin value effectively tells the system to act as
if the user clicked the "Continue" button whenever a UAC consent prompt is
displayed. This does not disable UAC per se (it still allows protected mode
IE and all the other goodies), but it does severely cripple its
effectiveness as to make it almost worthless .

When running in this mode, any application that says it needs admin power
will receive it, without asking the user for confirmation. This allows for
"honest" applications to run with limited privilege, but does nothing to
ensure that the user knows about and wants applications that request
privilege to run.

PromptOnSecureDesktop shouldn't need to be modified in order to make
ConsentPromptBehaviorAdmin work. This "tweak" displays UAC prompts on the
standard desktop instead of the secure desktop, which makes the prompts
display faster at the expense of security.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/