On Thu, 29 Jan 2004 07:41:20 -0500 (EST), you wrote:
... When NTFS came out an ordinary user could not write the system directory tree. Hence most users are running as Administrator or equivalent so that they can write into the system tree. This was a bad design decision by MS _and_ application developers. This _is_ fixable by MS by simply not allowing apps to write into the system tree. This of course is a "small matter of programming" but it would really improve the overall security posture of Windows.
Now there are well-written applications which do install their DLLs into their own tree; these apps can usually be recognized by _not_ requiring a reboot after installation. ...
Actually, it's more of an issue in the registry than the file system; older apps tend to want to write the global HKLM, rather than the user-specific HKCU. But, regardless, Win2K and WinXP do have restricted-user modes that tie this stuff down quite well. They tend to be used in corporate environments. But for home users, it gets to be a pain in the butt, because it prevents a lot of things users want to do, like installing games, multimedia apps and spyware.

You can't really have it both ways; if you can install apps, you can install viruses and trojans. I don't see this being much different regardless of the OS you run. And until you have earned some battle scars, you're not afraid of the pretty toys.

It would be nice, though, if there were a legitimate 'su' analog in Windows -- sorry, "runas" doesn't cut it. Makes it hard to normally run restricted, and explicitly enable temporary privs sometimes...

/kenw
Ken Wallewein
K&M Systems Integration
Phone (403)274-7848
Fax (403)275-4535
kenw@kmsi.net
www.kmsi.net