Limited/restricted user can install software

[Guest]

I've my Dell laptop running WinXP Pro (with all updates till 7/15/2004).
I'd only 2 accounts
1. default Administrator account
2. one user xyz who is member of administrator group.

I use laptop through xyz user and admin account is only for emergencies.

I am trying to emulated unix like environment where only the user #1 will have all rights and user XYZ will be a basic user.

My problem is recently I changed xyz account to "restricted/limited" user (member of users in control userpasswords2). As per the tip shown now this account is not suppose to modify any system settings or install new programs.
I've checked that xyz cannot change/create in %windir% or program files.

But some program setups like Opera 7.52 free version can still run their setup and install properly without any problems. (I am NOT doing Runas..)
setup for spybod s&d although correctly says user doesnot have enough permissions.

How is this possible and what am I doing wrong ?
also user XYZ is able to change IE's security zone settings. which is potentially harmful. I think I can change it through policies, but why is restricted user is NOT so restricted ?

or am I doing something wrong ?

 

[Roger Abell]

Some applications are happy to install for use of the user only
when they detect that they are not being installed by an admin.

If you are not using NTFS, then many of the restrictions cannot
be enforced (only over registry entries, not filesystem).

IE settings are per-user by design, and stored in each user
accounts profile.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

I've my Dell laptop running WinXP Pro (with all updates till 7/15/2004).
I'd only 2 accounts
1. default Administrator account
2. one user xyz who is member of administrator group.

I use laptop through xyz user and admin account is only for emergencies.

I am trying to emulated unix like environment where only the user #1 will

have all rights and user XYZ will be a basic user.

My problem is recently I changed xyz account to "restricted/limited" user

(member of users in control userpasswords2). As per the tip shown now this
account is not suppose to modify any system settings or install new
programs.

I've checked that xyz cannot change/create in %windir% or program files.

But some program setups like Opera 7.52 free version can still run their

setup and install properly without any problems. (I am NOT doing Runas..)

setup for spybod s&d although correctly says user doesnot have enough permissions.

How is this possible and what am I doing wrong ?
also user XYZ is able to change IE's security zone settings. which is

potentially harmful. I think I can change it through policies, but why is
restricted user is NOT so restricted ?