The conversation before this:
http://groups.google.com/group/microsoft.public.windowsxp.general/browse_frm/thread/204190216d338284
(archived indefinitely)
There are very few - very very few - modern applications that require
administrative privileges to be used by the users of a computer and I would
venture to go so far that the ones that are left are for a very specific
audience (perhaps those working at the hardware level, perhaps the actual
system admins to do something system-wide/more risky than a normal user
would do, etc) and any other software that actually *requires* the user to
be an administrator to 'run properly' (truly requires it - cannot just be
granted access to some registry key, directory, etc and does not fall into
the exceptions list mentioned) might be better replaced with something else.
Why? It just opens you up to do the one thing I have never seen anyone say,
"You know what would be the best thing everyone could do on a computer is?
Run all day, every day as an administrative level user."
The program you are using was originally meant for Windows XP Home Edition
users - not Professional. Although it works the same either way. For the
Windows XP Professional Edition users, it evolved to be useful because the
Group Policy Editor did not have built-in ways to limit a specific user - or
"you'd have to fully understand what you are doing if you did not utilize
the tool." --> Something I think you should.
While I know there are things out there that have difficulties in running as
a non-administrative level user, I know there are programs that either
replace those or simple work-arounds that make them work properly under the
limited accounts. There may still be applications out there that require
the heightened privs all around - but as I said earlier - those are few
(very few) and I'll add that those applications should be put off onto a
computer not used for daily activities (and likely are anyway - just by
design.)
My point has still not changed. I believe you should not start with
administrative rights and start taking away things. You are just asking for
trouble. Here are some matches, here is some gasoline, but don't catch
anything on fire. Putting forth twice (or more) the effort to accomplish
something that is more smoke-screen than reality and that could have been
accomplished in a more easily repeatable way, likely faster, by figuring out
what the applications that have trouble running as non-admins really need
and changing just that - but leaving the users as just plain-old
non-powerful (built-in, less likely you missed something) user accounts.
*shrug* Just seems to be more work than it's worth.
Everything you listed there - the method by which it was done/can be undone
can be found on the Internet (likely by a registry change.) Sure - maybe
someone might have to start by booting the machine to a side-OS or hacking
it in some other way - but also - with a creative thought or two, maybe not.
If someone wants to come here and tell me why I should start telling people
to start with all administrative level accounts and just lock those accounts
down with group policy/registry hacks (either overall through HKLM or per
user via HKCU), I'll listen with curiosity and perhaps fascination. Perhaps
they'll have a point or two I can lock onto and agree with. I'm not so sure
it would be an easy argument on their side.
Until then, I will still say you are better off starting with the least
privileged level of accounts for most people and granting them specifically
what they need (fixing access for the broken applications in the
registry/file&folder structure (and taking note of it for the future))
instead of granting them administrative power over the machine and working
to remove the powers you don't want them using.
