XP Maximized: Protecting your computer from other users...
Did you ever need to let someone use your computer, but you weren't quite sure if you could trust his/her common sense? Will he/she clobber something on the system or install spyware by answering a question the wrong way? Will you have to spend hours trying to clean up his/her mess?
Maybe it's your own mistakes that you need to avoid; sometimes I can't even trust myself when I'm researching the latest spyware threats and surfing to dangerous sites.
There is an extra secure way to run a program in Windows XP that is useful for those times when you can't trust the fingers touching your keyboard, or the program they are using. It's called Protect My Computer, and it does just that by ensuring that the program doesn't access most areas of the hard drive and Registry.
Because it limits what a program can do, many programs cannot even use it; they fail in different ways because they don't expect to be denied access. However, Internet Explorer is one of the programs that will run with Protect My Computer, and it offers extremely secure browsing.
Politely Off Limits
Let's be clear on the goals and limitations of Protect My Computer. It's not something that you would use every time you ran a browser or other program because it is intentionally limited in what it allows a program to do. Also, it isn't meant to protect you against a devious person at the keyboard who intends to mess up your PC.
You'd generally start a browser in Protect My Computer mode, sit a person down in front of the keyboard, and ask him to only use the browser and nothing else. It's a guest room, not a prison cell.
Protect My Computer also requires that the disk drive is formatted using NTFS. If you upgraded to WinXP from Windows 98 or Windows Me, you may have stayed with the FAT32 format on the drive. The FAT32 format does not provide any user-based security, so the limits that WinXP tries to impose on files won't do any good.
To find out the format of your drive, open My Computer and right-click the drive and then click Properties. The file system format is listed on the General tab.
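The same check can be scripted for every drive at once, which also shows any removable FAT32 drives where the restrictions won't apply. The PowerShell below is an added example, not part of the original article; it assumes PowerShell 2.0 or later has been installed (WinXP does not include it by default), and the function name Get-VolumeAclSupport is made up for illustration.

```powershell
# Added example: list every mounted volume and flag those where
# Protect My Computer's file restrictions cannot be enforced.
# Rule taken from the article: NTFS provides user-based security, FAT32 does not.

function Get-VolumeAclSupport {   # hypothetical helper name
    foreach ($drive in [System.IO.DriveInfo]::GetDrives()) {
        # Empty card readers and optical drives report IsReady = $false;
        # reading DriveFormat on them would throw an exception.
        if (-not $drive.IsReady) { continue }

        New-Object PSObject -Property @{
            Drive      = $drive.Name
            Type       = $drive.DriveType
            FileSystem = $drive.DriveFormat
            Enforced   = ($drive.DriveFormat -eq 'NTFS')
        }
    }
}

$volumes = @(Get-VolumeAclSupport)
$volumes | Format-Table Drive, Type, FileSystem, Enforced -AutoSize

# Call out the drives a restricted program could still write to freely.
$open = @($volumes | Where-Object { -not $_.Enforced })
if ($open.Count -gt 0) {
    $names = ($open | ForEach-Object { $_.Drive }) -join ', '
    Write-Warning "No user-based file security on: $names"
}
```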
It's pretty easy to run any program in WinXP's Protect My Computer mode. Just right-click an EXE (executable) file, Desktop shortcut, or toolbar icon and select the Run As option. You'll get a dialog box similar to the one shown in the screen shot at left. Usually the defaults are just what you want. It will run the program using your current account, but it applies significant restrictions on what the program can access.
There are many nuances to Protect My Computer, but most of them I learned through first-hand experience. The best discussion I have seen is in Aaron Margosis' blog (weblogs.asp.net/aaron_margosis/archive/2004/09/10/227727.aspx). I haven't figured out how to create a shortcut or command line that would automatically use the Protect My Computer option to run a program, but I'm still looking.
Browser Sandbox
When Internet Explorer runs with Protect My Computer, it has Read-Only access to parts of the Registry and no access at all to the directories that hold your browsing profile. As a result, several features are totally unavailable, including browser history, favorites, and cookies.
None of the pages browsed are kept in the Temporary Internet Files, as they normally would. These restrictions alone are a big plus. Not only do they prevent people from changing these items or cluttering up your system, but they also avoid anyone being able to snoop around in your files. Cookies that automatically log you into some sites won't be available, either.
For other Internet Explorer features, the story is a bit more complicated. You can't install new ActiveX controls or add-ons while using Protect My Computer, but you can run any that are already installed. However, they are still subject to the limitations on the Registry and files, and many Internet Explorer add-ons can't handle those limits. For example, if you try to open a PDF (Portable Document Format) file, Adobe Acrobat crashes with a memory violation and takes Internet Explorer with it. Macromedia Flash animations won't run.
Most Sun Java applets won't start. This can be a drawback if you were hoping to use Protect My Computer as a way to let kids safely play on your PC because sites children visit often use active content such as Flash animations.
When running a protected IE browser, you may get some spurious errors, but it usually plows ahead successfully once you click OK. For example, I use a local file on my hard drive as my home page and IE can't load that. Instead, it gives me an error message and loads a blank page.
When you type Web site addresses, you'll get an error if you don't type the http:// in front of the address, but it will successfully load the site once you clear the error.
If Internet Explorer hangs or crashes when you try to run it with Protect My Computer, you may have one or more browser toolbars or add-ons that become totally confused when they aren't able to get to the Registry or disk. I have used IE with the Google Toolbar and it worked fine.
Features like the form filler don't have your data in them, but that's exactly what you want in a locked-down browser. If you have WinXP Service Pack 2, you may be able to disable a dysfunctional add-on by opening a (nonprotected) IE browser, clicking Tools, and selecting Manage Add-Ons.
Other Paths To Safety
With the release of Mozilla's Firefox (www.mozilla.com/firefox) in November 2004, Windows users have a great second browser option. Features such as tabbed browsing and excellent support for style sheets make IE look old and creaky. Since most people are still running IE nowadays, spyware writers have focused on IE exploits.
That alone means that you're less likely to get spyware while using Firefox, at least until Firefox becomes more popular.
Still, all browsers are going to have security holes; although the Firefox team tends to patch bugs quickly, it's too easy to put off updates and leave your PC open to exploits. Plus, Firefox won't stop risky user behavior such as saving a spyware-laden program off some Web site and running it. Because Protect My Computer limits what the browser can do, it can limit the damage from browser bugs and user blunders.
Unfortunately, Firefox doesn't work with Protect My Computer. Most likely, it cannot access one of the configuration files that it needs to start. It's hard to tell because the program does nothing when you launch it; there are no error messages. There is a Bugzilla report filed for the problem (bugzilla.mozilla.org/show_bug.cgi?id=266533), so you'll be able to see if and when it is fixed by visiting that site every so often.
You can use Protect My Computer with other applications, as long as they don't demand access to restricted areas. Using WordPad, Notepad, and Microsoft Word 2002, I am able to edit and print documents and save them to a USB (Universal Serial Bus) memory key. (Because the USB memory is formatted as FAT32, it isn't subject to any security restrictions.) There are sometimes a few spurious error messages, but the documents I edited were fine.
Whether you use it as a way for guests to safely use your PC or as a flameproof suit for your own Web travels, the Protect My Computer option can be mighty handy. Experiment with it awhile and keep it in mind when you need a little extra protection.
http://www.xpmaximized.com