Marc's technische pagina's

Howtos: Add user with limited rights

This Howto describes how you can configure the startup command of a web browser in such a way that the browser runs with limited rights. Normally the browser runs with the rights of the user that is logged on to the system. In most cases your user ID has 'administrator' rights. When you visit web sites that are infected with malware, spyware or viruses, these programs will also run with Administrator rights. This can have bad effects on your computer. When you run the browser under a user profile with limited rights, this problem is solved. Because I prefer to work with my user that has Administrator rights, but want to avoid these threats, I would like the web browser to run with limited rights. This is how this can be done:


Go to the Control Panel, User Accounts. Create a user. In this example I create the user "limited".

Add a password to the just created user. In our example we choose "limited". Of course you should think of a more 'secure' password, else it will be easy to hack your computer.

Make sure that the user has limited rights as shown in the following screen:

 

I do not like having this new user displayed on the "Welcome Screen" of Windows. I am only going to use this user to run my applications with limited rights. I will never log on with this user. Removing this user from the Welcome Screen can be done by adding a key to the Windows registry.

Go to the following key in the Windows registry (by running regedit):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Click the right mouse button in the right part of the screen and click on "New".
Select DWORD value and fill in the name of the just created user, in our case "limited". By default the value attached to this key is 0. This is fine (NB: changing this value to "1" will display the user on the Welcome Screen).

Download the tool: psexec


Go to the website: http://www.sysinternals.com and download the tool psexec. You can find it with the Search function of this website.
Download the tool to a local folder on your drive. In my case: f:\img.

Configure PSEXEC


With the tool PSEXEC.EXE you can control many aspects of how a program is started. In our case we want to execute a web browser with a user that has limited rights. This can be done with the following command:
psexec -u limited -p limited -d "c:\program files\internet explorer\iexplore.exe"

Now the Windows Internet Explorer will run under the limited user id. You can check this in the Task Manager.
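
The same check can be scripted. The following PowerShell is an added example, not part of the original howto: it confirms that the "limited" account is not in the local Administrators group and lists the owner of every running iexplore.exe. It assumes Windows PowerShell 5.1 and a session started with administrator rights; the function names are made up for this example.

```powershell
# Added example (not from the original howto).
# Account and image name are the ones used on this page.
$Account = 'limited'
$Image   = 'iexplore.exe'

function Test-LimitedAccount {
    param([string]$Name)
    # S-1-5-32-544 is the well-known SID of the local Administrators group,
    # so the lookup also works on non-English Windows installations.
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    -not ($admins.Name -contains "$env:COMPUTERNAME\$Name")
}

function Get-ProcessOwner {
    param([string]$ImageName)
    # GetOwner only returns a user for processes of other accounts when the
    # calling session itself has administrator rights.
    Get-CimInstance Win32_Process -Filter "Name='$ImageName'" | ForEach-Object {
        $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Owner     = "$($o.Domain)\$($o.User)"
        }
    }
}

if (-not (Test-LimitedAccount $Account)) {
    Write-Warning "'$Account' is a member of Administrators; the browser would not be restricted."
}

$procs = @(Get-ProcessOwner $Image)
if ($procs.Count -eq 0) {
    Write-Warning "No $Image process is running; start it with psexec first."
}

foreach ($p in $procs) {
    # A browser window opened from the normal shortcut shows up here under
    # your own account and is flagged.
    $ok = $p.Owner -ieq "$env:COMPUTERNAME\$Account"
    '{0,-8} {1,-30} {2}' -f $p.ProcessId, $p.Owner, $(if ($ok) { 'OK' } else { 'NOT LIMITED' })
}
```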

When you change the startup command of the Internet Explorer shortcut to this command, the browser will always run with limited rights. You will face some minor issues when downloading files: you cannot download to every folder, because the limited user does not have the rights to write there. But if you, for instance, download to the shared documents folder, you should be able to copy the files from there with the normal Explorer to every folder you like.

NB: I use Internet Explorer as the web browser. It also works for all other applications you can execute in Windows, for instance Firefox.

Good luck.