Re: Windows 2000 / Win XP "Restricted Mode"? Does it exist?

From: Marty Egan (martyegan_at_rocketmail.com)
Date: 09/16/03 

Date: 15 Sep 2003 20:49:03 -0700

An update. It is looking like they are talking about running the
service under a "Restricted User" account, and that they don't
understand what that is. Neither do I, exactly. As far as I can
tell, this means either the new "LocalService" or "NetworkService"
accounts, OR running it under a "non-Administrative" account. Another
possibility that I've seen on XP (but not win2k), is the "Limited
User" option you can select when you create an account in XP using the
"User Accounts" applet in Control Panel. When I examine this account
in Computer Management, it appears this is just in the Users group,
and not Administrators. Is that all there is to it?

Does anyone know some way to create a "Restricted User" through the
GUI (meaning some check box or radio button you click that says
"Restricted User", instead of just creating a user and not putting it
in a privileged group?

Or are "Restricted Users" I see in documentation just non-privileged,
but normal users?

"-=Dan=- ©" <danielX@houlker.com> wrote in message news:<bk4nq1$p5dt8$1@ID-150095.news.uni-berlin.de>...
> Sounds like bollocks to me, they are probably just simplyfying the fact that
> a standard user wouldn't sometimes have write access to that area.
>
> dan
>
> "Marty Egan" <martyegan@rocketmail.com> wrote in message
> news:74ca126c.0309150753.6f3a68f7@posting.google.com...
> > My apologies for cross-posting this one. I did it because this
> > question crosses a lot of boundaries, and I don't know what this
> > vendor is talking about, so am not sure how to narrow it down.
> >
> > We have a large distributed application here that includes an agent
> > running on remote systems - "Service Agents" (SA). The SA perform
> > network tests and upload results to a web server. The results are
> > temporarily buffered on the SA until it is ready to upload them. In
> > the previous version of this app, the buffered test results (and the
> > SA log file) were stored in "C:\Program Files\Service Agent", which is
> > the application's directory. In the new version, the results and log
> > file are kept in "C:\Documents and Settings\All Users\Application
> > Data\APPLICATIONNAME\". Obviously, I've taken my company and the
> > product names out of the above paths. I've also modified the vendor's
> > responses below to remove the vendor's name and so on, but the
> > meanings are substantially the same.
> >
> > Below are the vendor's explanation(s), which I think are hogwash. My
> > guess is that there is maybe a Win2k / XP logo requirement that they
> > are following, but
> >
> > that they are explaining the change as this "restricted mode" thing
> > (see attached) to sound more knowledgeable than they really are.
> >
> > Could anyone give me their take on this?
> >
> > Is this "restricted mode" documented in the MS SDK or any MS security
> > documentation? I have already tried searching Google (normal) and
> > Google Groups.
> >
> > Thanks
> >
> > Marty Egan
> >
> >
> >
> > ##########################################
> > Here's a paragraph from their documentation
> > ##########################################
> >
> > Windows - Restricted Mode
> > Windows 2000 and Windows XP include a Restricted Mode which does not
> > allow the editing of any files under the Program Files directory. This
> > prevents the agent
> >
> > from writing any output into its installation directory under Program
> > Files. As a result, on Windows 2000 and XP the agent writes its output
> > under the
> >
> > application data directory, for example:
> >
> > C:\Documents and Settings\All Users\Application Data\APPLICATIONNAME\
> >
> >
> >
> >
> > ####################################################################
> > Here's their email respose to us (when we queried their Tech Support)
> > ####################################################################
> >
> > Dear Customer,
> >
> > The buffer file is located in the C:\Documents and Settings\All
> > Users\Application Data\APPLICATIONNAME\ directory on Windows 2000 and
> > WinXP because of the
> >
> > their restricted mode setting which doesn't allow the editing of the
> > files under Program Files.
> >
> >
> > Thanks,
> >
> > Customer Support Agent
> >
> > ############################
> > Here's their email back to us:
> > ############################
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.515 / Virus Database: 313 - Release Date: 01/09/2003