Re: File Explorer That Executes In Different User Context
From: Joshua Heslinga (jheslinga@attbi.com)
Date: 06/22/02
- Next message: Joshua Heslinga: "Re: Hacked Win2k"
- Previous message: Bert Godderis: "DirectX and digital signatures"
- In reply to: CHANGE username to just westes: "File Explorer That Executes In Different User Context"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Joshua Heslinga" <jheslinga@attbi.com> Date: Sat, 22 Jun 2002 14:05:36 -0400
Well, yes, you can do what you're suggesting to some extent, but that's the
wrong way to go if your goal is better virus protection, and it will also
cause you far more problems than it will solve (confusion over 2 sets of
accounts, users using accounts that are not stored & managed centrally,
etc.).
My understanding of the reason Windows Explorer won't launch as a different
user is that when you have the Windows desktop up, you're actually running
the explorer process and that that somehow prevents you from running another
instance as a different user. I might be wrong, but I don't think you can do
it.
I know that you can run a command prompt as another user. I haven't tried it
with IE.
If you start something with Run As, it will run with whatever permissions
apply to the account you used to run it-- you don't need to do anything to
make that happen. Keep in mind, however, that Windows is really designed
(IMHO) for everyone to have one account with the permissions they're
supposed to have and the trusts in place to grant cross-domain access-- not
for people to juggle multiple accounts.
If your goal is better virus protection, you need 3 things:
1) Gateway (especially e-mail) virus protection.
2) Virus protection on your file servers.
3) Managed virus protection on your clients.
This will be far more effective and far less of a headache than trying to
jury-rig some sort of scheme where users don't really log on to the network.
Symantec and Network Associates both make products for all 3 of these.
Joshua Heslinga
MCSE, CISSP
"CHANGE username to just westes" <DELETE_westes@uscsw.com> wrote in message
news:ORCmyXbGCHA.2516@tkmsftngp13...
> After being hit by one too many viruses, we are trying to find a way to
make
> Windows more secure than it is.
>
> One idea was to have users login to their computers with a local user
> account (not a domain account), but to then find a way for them to open an
> Explorer window that runs with the context of a domain login account.
>
> I tried this as an experiment by making a shortcut to Explorer on my
> desktop, and then setting the checkbox "Run as Different User". I
started
> this Explorer shortcut, logged in as a domain account, and then found that
> this feature is completely broken. The Explorer that I started this way
> did NOT execute in the context of the user that started it up. I was
> prompted for a userid and password whenever I went to domain shares to
which
> the userid that I authenticated as has access.
>
> Is there any way to:
>
> - Start a file explorer
> - Start a command line shell
> - Start a browser window
>
> all in a context of a different domain user, but then have that user's
> security privileges take effect for the explorer, shell, or browser?
>
> --
> Will
>
> NOTE: To reply, CHANGE the username to westes AT uscsw.com
>
>
- Next message: Joshua Heslinga: "Re: Hacked Win2k"
- Previous message: Bert Godderis: "DirectX and digital signatures"
- In reply to: CHANGE username to just westes: "File Explorer That Executes In Different User Context"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
