Re: Giving Limited Users a Little More Authority/Permission?
From: cquirke (MVP Windows shell/user) (cquirkenews_at_nospam.mvps.org)
Date: 04/25/05
- Next message: digit: "Malicious microsoft scriptlet component in IE?!"
- Previous message: Mat: "Active Directory"
- In reply to: BillJohnson4_at_gmail.com: "Giving Limited Users a Little More Authority/Permission?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 25 Apr 2005 09:50:41 +0200
On 23 Apr 2005 07:48:11 -0700, BillJohnson4@gmail.com wrote:
>I have Windows XP with Service Pack 2, Internet Explorer Version 6.
>I created a limited user called "Bill" (Start -> Settings -> Control
>Panel -> User Accounts).
>Unfortunately, it is too limited.
>I would like for "Bill" to be able to:
>1. change his IE6 home page to a local file, e.g., file://C:/index.htm,
Better to choose a less obvious file name and store it somewhere other
than the omnipresent C:\, I would say.
>2. change his IE6 security settings (Tools -> Internet Options ->
>Advanced tab -> Security section) to "allow active content to run in
>files on My Computer".
That's quite a wide-ranging change, and I would look for something
finer-grained - e.g. if you could sign the active content you want to
run and then set that (and only that) up to be trusted.
In the old days, the "My Computer" zone was left wide open; anything
that got material onto the system would then be able to bounce around
without further limitations. By design, MS accepts scripts within
cookies, for example, so delivery isn't a problem, though getting the
material to run for tyhe first time may be.
These (post-SP2) days, the trend has been to paradoxically harden "My
Computer" even beyond Intranet Zone, so we are starting to see
retrograde escalation e.g. malware that attempts to work locally by
approaching the PC via its own network shares.
If you think about it, it makes sense - for many if not most of us,
the only scripts we may want to run are those in web pages. Once
these pages are stored locally, most of the web site links are broken
and they have no use - at least, no use we would want.
Before MS got this clue, some of us had already been doing what we
could to kill scripting where we were not using it; renaming away the
WSH and .HTA engines, disabling Active Desktop and View As Web Page,
etc. and using .BAT files (security via unfashionability?) instead.
>He can go through the motions of doing both, receives no error
>messages, but his changes do not take.
>How can I start with a limited user and selectively add one
>permission/authority at a time?
XP Home, most likely no can do. XP Pro, prolly involves Group Policy
Editor or similar tools, but that's outside my scope ;-)
>---------- ----- ---- --- -- - - - -
Gone to bloggery: http://cquirke.blogspot.com
>---------- ----- ---- --- -- - - - -
- Next message: digit: "Malicious microsoft scriptlet component in IE?!"
- Previous message: Mat: "Active Directory"
- In reply to: BillJohnson4_at_gmail.com: "Giving Limited Users a Little More Authority/Permission?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
