I was just skimming this exhaustive article by Mark Russinovich on Microsoft’s TechNet site, hoping to understand just why those User Account Control pop-ups in Vista have to be so annoying. Much of his treatment is far too detailed for me to care about, but in the second-last paragraph, Russinovich tosses out this little bombshell:
“…users who want to forgo security in favor of convenience can disable UAC on a system in the User Accounts dialog in the Control Panel, but should be aware that this also disables Protected Mode for Internet Explorer.” [my emphasis]
In other words, if I read this right, you have to accept the incessant nag dialogs of UAC in order to get the benefit of the vaunted sandbox for IE… even though the latter is exactly the sort of feature a power user might want to count on for ‘invisible’ protection! Worse, there’s no warning of this hidden connection; I disabled UAC with no idea that I was giving up the other feature. (Note that the free Sandboxie utility doesn’t seem to make this kind of demand. Yet another touted Vista feature that apparently could have been implemented — better — on Windows XP.)
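If you want to see that hidden connection on your own machine rather than take the article's word for it, here is an added PowerShell check (not from the original post, and not from Russinovich's article). It reads the UAC master switch (the EnableLUA registry value) and the per-zone Internet Explorer Protected Mode value (registry value 2500 under each zone key, 0 = on, 3 = off), reports what is configured versus what actually takes effect given that Protected Mode depends on the integrity levels UAC provides, and then reports whether the current session holds an elevated token. The registry paths and value meanings are standard Windows settings; the zone-name table and the "effective" column are my own summary, and the script only reads, never writes.

```powershell
# Added example: report the UAC setting, the IE Protected Mode setting per zone,
# and whether this session's token is elevated. Read-only; changes nothing.

$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$zones  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# EnableLUA is the master UAC switch: 1 = UAC on, 0 = UAC off (a change takes effect after reboot).
$lua   = Get-ItemProperty -Path $policy -Name 'EnableLUA' -ErrorAction SilentlyContinue
$uacOn = ($lua -ne $null -and $lua.EnableLUA -eq 1)
"UAC (EnableLUA): " + $(if ($uacOn) { 'on' } else { 'off' })

# Protected Mode is stored per zone as value 2500: 0 = on, 3 = off.
# Zone ids: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
foreach ($id in 1..4) {
    $zone = Get-ItemProperty -Path "$zones\$id" -Name '2500' -ErrorAction SilentlyContinue
    $raw  = if ($zone -ne $null) { $zone.'2500' } else { $null }
    $configured = if ($raw -eq 0) { 'on' } elseif ($raw -eq 3) { 'off' } else { 'not set' }
    # Protected Mode runs IE at low integrity, which needs UAC; with UAC off the zone setting is moot.
    $effective = if ($uacOn) { $configured } else { 'off (UAC disabled)' }
    "Protected Mode, zone $id ($($zoneNames[$id])): configured=$configured, effective=$effective"
}

# Is this session a standard user (or an admin's filtered token), or a fully elevated admin token?
# Under UAC, IsInRole(Administrator) is false for an admin's non-elevated session and true only
# after elevation; with UAC off, an admin account always reports true.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Current token is elevated (full admin rights): $elevated"
```

Run it once in a normal session and once from an elevated prompt: the first two sections do not change, but the last line flips, which is the whole difference between the admin's filtered token and the real thing.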
Russinovich also reiterates Microsoft’s position that UAC is “a convenience” (who says they don’t have a sense of humor?) and not “a security boundary.”
I think the idea is that you should run as an admin but give up most of your admin rights — then constantly beg for them back. The benefit of this contortion is nebulous at best. Russinovich notes that malware can intercept the UAC process, though he says that this type of attack would be “relatively sophisticated.” (Thank god today’s hackers are incapable of sophistication!)
From Russinovich’s explanation, it would seem that the only way to get any real value out of the new Vista rights scheme would be: run most of the time in a standard user account, and switch to a separate admin account (with UAC disabled!) when elevated privileges are required. To me, this would seem to give exactly the same level of security that the Linux crowd likes. (While working pretty much exactly the same way that it does in Linux… or, presumably, that it could work in Windows XP.)
All of which leaves me right back where I started, with UAC still looking like nothing more than a redundant annoyance. Worse, actually; it now looks to me like a way of fooling yourself into thinking you have the security of running in a user account, with twice the hassle and very little (if any) of the actual benefit.
If someone more knowledgeable in this area wants to convince me I’m mistaken, by all means fire away.