Using SRP and LUA to protect PC
My brother's PC has managed to get infected, despite using Avast and Sandboxie for his browsing, so I'm looking at changing his account to a LUA and setting an SRP as per this guide to prevent programs running from other than the specified folders.
Preventing computer malware by using Software Restriction Policies. | Peter Gubarevich
I don't think this will be effective unless I change his account to a LUA, as otherwise malware could easily just change the registry key to disable the SRP. I think I also need to set the SRP to NOT apply to administrators, so that he can switch to an Admin account and do stuff that the SRP blocks under his LUA.
The issue I have though is how he will install/update software when he needs to. I know he can switch to the Admin account to do this but then won't the software be installed under that account (or the Administrators group) and thus not accessible to him? It's also quite inconvenient if he has a browser open that explains how to do something and then he finds it can't be done under the LUA, so he switches to the Admin account but then he can't see the guide anymore and has to keep switching back, or open a browser under the Admin account, copy the URL from the LUA and then paste it into the Admin browser.
Also, Avast seems to run its updater from the temp folder and I obviously can't include that in the SRP whitelist as then anything could run from there.
I found I can run some stuff with Shift+Right click -> Run as different user and enter the Admin credentials but this doesn't seem to work for everything. For example, if I open Windows Explorer that way, then right-click on C: -> Properties - Security - Advanced - Auditing, then it tells me I don't have permission, the same as if I'd run Explorer as the Standard user.
So can anyone explain the proper and most convenient way to run in this way?
Edit: I forgot to mention that Run as Administrator doesn't work on my system for most stuff, only Run as Different User.
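An added example, not part of the original post: a Python check that reads the text output of `reg query` on the SRP policy key and flags the weaknesses the post worries about (default level not Disallowed, policy scope, and an Unrestricted path rule on a folder such as Temp). The sample output, its GUIDs and the `USER_WRITABLE` marker list are constructed assumptions; the markers are a heuristic and do not inspect folder ACLs.

```python
import re

# Constructed sample of `reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers /s`
# output; the GUIDs and both rules are made up for illustration.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    DefaultLevel    REG_DWORD    0x0
    PolicyScope    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{11111111-1111-1111-1111-111111111111}
    ItemData    REG_SZ    C:\Program Files

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{22222222-2222-2222-2222-222222222222}
    ItemData    REG_EXPAND_SZ    %LOCALAPPDATA%\Temp
"""

# Assumed heuristic, not an ACL check: locations a standard user can normally write to.
USER_WRITABLE = ("%temp%", "%tmp%", "%appdata%", "%localappdata%",
                 "%userprofile%", "\\users\\", "\\windows\\temp")
VALUE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def parse(text):
    """Return {key_path: {value_name: data}} from `reg query /s` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None and (m := VALUE.match(line)):
            current[m.group(1)] = m.group(3).strip()
    return keys

def audit(text):
    """List weaknesses in an SRP folder whitelist."""
    keys = parse(text)
    root = next((v for k, v in keys.items()
                 if k.lower().endswith("\\codeidentifiers")), {})
    findings = []
    # 0x0 = Disallowed (whitelist mode); 0x40000 = Unrestricted, also the unconfigured state.
    if int(root.get("DefaultLevel", "0x40000"), 16) != 0:
        findings.append("DefaultLevel is not Disallowed: whitelist not enforced")
    # 1 = all users except local administrators; 0 = everyone.
    if int(root.get("PolicyScope", "0x0"), 16) != 1:
        findings.append("PolicyScope also restricts administrators")
    for key, values in keys.items():
        if "\\262144\\paths\\" in key.lower():  # Unrestricted path rules
            path = values.get("ItemData", "")
            if any(marker in path.lower() for marker in USER_WRITABLE):
                findings.append(f"Unrestricted rule on user-writable path: {path}")
    return findings
```

Calling `audit()` on the real `reg query` output, saved to a text file from an elevated prompt, returns the list of findings; an empty list means none of the three checks fired.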