Hello Everyone;
I've been working on a way to set up a very restrictive user account on my computer that I could use to access online banking and other sites that might involve sensitive information. Unfortunately, I have been running into numerous dead ends and I was hoping that this forum could provide some fresh insights.
My goal with this account is two-fold: I wish to isolate sensitive information on my computer so that if my main user account (that I use on the internet) is compromised, the intruder will not be able to reach the sensitive information. If the banking user account is compromised, then the rest of my system will be protected.
I am running Windows 7 Professional, 64-bit. Firewall/antivirus is Norton Internet Security. I have a DSL connection.
My concern is not with the physical security of the hardware - if an intruder breaks in they can simply steal the computer along with enough paper records to make identity theft easy...
In terms of the security of the computer from the internet, it seems to me that a bad guy would have two approaches. First he could attack the firewall or operating system. Second he could compromise the browser that I am using. (Opera by the way)
If a bad guy succeeds in breaking the firewall - that is, getting the firewall to run code of the intruder's choosing - then he would be running code at the privilege level of the operating system. If that happens I'm toast.
On the other hand, if he breaks through via the browser, then he would be running at the user level of the banking user. The question is, how can I make this as barren a landscape for running code as possible? It seems to me that AppLocker would be just the thing - the user could only run what programs I wanted...unfortunately this is not an option with Windows 7 Professional.
I've heard of software restrictions that could be set using the Group Policy editor, but research seems to indicate that they could be easily bypassed by simply copying files from one place to another. One site suggested this approach would not prevent one from executing a program via the command line...
Next I looked at turning off the Remote Procedure Call service, which I think is a service that lets a remote user tell the local computer to run some program. Unfortunately, it seems Windows needs the service for internal reasons, and it might be necessary for online banking websites to run. (ActiveX controls, perhaps? JavaScript?)
Setting file system permissions also seems to be a dead end. Setting a Deny-Execute permission on the Program Files directory - where most of the programs reside that I wish to hide from an intruder's use - also failed. First because the directory was owned by TrustedInstaller, and then, after I took ownership, because the restriction could not be set on the subfolders. (I think I would have to take ownership of each nested subdirectory one at a time before I could set that permission.)
So now I throw it out to you guys - anything I can do? Any avenue I could take that I haven't yet been down? Any understanding that I am lacking?
Sincerely;
Michelle