advice - separate user account

I have an IBM PC using Windows XP and the only account is my administrator account. A friend recently advised me to set up a second user account and to only use that account for the Internet. His reasoning was that malware could not penetrate the user account, although it could penetrate the administrator account. Your thoughts, please
Thanks George

 

Malware will get on your system on any account you may be using.

Setting up a new limited account to surf the net will minimize the access the malware has once it gets on your system.

The Admin account has full access and allows changes to be made to system files and to the registry letting the malware get deep into your system. With a new limited account you can still get malware or viruses but they have no ability to make system wide changes letting you catch and rid your system of pests before they do to much damage.

Which ever account you surf with make sure you have Anti-virus and firewall software running at all times.

 

Hi George, your friend is indeed a friend to offer that advice. I'm always banging on about this. Microsoft (Winternals) own figures say that over 75% of the malware are ineffective unless on an account with windows XP administrator privileges, simply because they can't install themselves!

You should create a new administrator account and demote your existing one to limited user. That way you will retain all your settings, email etc. Make sure you create the new a/c before demoting the other! Updates will still work in the background whilst you are logged on the net as a limited user. The only title you can not give your new admin account is 'administrator'

Start>control panel>users and passwords and follow the instructions.

While you are there use the password wizard to create a password recovery floppy if you have any set.



Studio T

 

Set up a limited account for just surfing, and you should also change your "Administrator" name to something else, in XP Pro. In XP Home the "Administrator" account only runs in safe mode. If you use a guest account, change its name too, And password all accounts.

 

Windows user passwords provide no extra internet security. They only protect you from other people in the same house with physical access to the pc.

Studio T

 

Now I understand the logic of using a separate account for surfing and I have established a separate, restricted account. Can I also view my Outlook Express in this account? Thanks in advance
George

 

NO
Every new account is just that. A NEW account.

Studio T

 

If you don't choose to make files and folders private you should be able to access another accounts documents.

 

No the logic isn't to surf with a separate account. All normal use should be through a limited account. Viruses can come from floppies, USB sticks, even manufacturers' driver CD's have been known to carry them.

Using a pc whilst logged on as the administrator is not macho it's foolish.

It's highly unsatisfactory to have some of one's documents in one user and some in another, doubly so with email.
Just re-read post 3 for the most convenient route.

Studio T

 

studiot
I apologize for my poor use of terms. I am probable one of those people who should not own a computer. I did open a limited account, with which I'll do all my surfing. My Outlet Express is not on the limited account desk top. Is there a way to use OE in the limited account?
George

 

Hi George,
There is nothing wrong with your use of English. I understood you perfectly.

There are two separate issues.

Firstly whenever you use a computer you are at risk from malware. If you are logged on as administrator you are at least three times as likely to fall prey. This is true even if you are not even connected to the internet because malware can come from many sources.
Many companies are now banning the use of usb sticks, or disabling them, as that particular threat is growing rapidly and we are seeing specialist viruses which target them.
Most of the time you USE your computer. That is you run programs -- games, word, photoshop, the internet, whatever. When you do this as a limited user you can create data files, read data files, edit data files and even delete data files. But you can not change the program itself, nor can you change Windows. You can't install/uninstall programs either. Thus nor can a virus.
So you should do most of your computing logged on as a (limited) user.

Occasionally you will need to log on as an administrator to install an new program or something such as that new asto-golf program you had for Xmas. Or perhaps to create a new account. You can create many new accounts and each can have administrator priviledges or limited user priviledges. However each new user account you create comes with a brand new set of its own my documents, settings for each program installed and email folders. If you start to use outlook (express) in one of these you will need to reestablish the settings with your ISP. Then you will have all the new email here but not see any of the old. Worse on the old account you will not see any of the new.

Secondly given that you already have an account that you have been using you will doubtless have documents you have created and emails you have sent/received and many personal settings. You won't be sending email as an administrator will you ? So it is best (most convenient) to make the NEW account into the administrator and convert the existing one to limited user.

Think about it! You can still do this by converting the new account to administrator and...............

Studio T

 

Re: advice - separate user account - thanks

Thank you, thank you
George

 

Great advice here.
I want to change my main account to a limited account (after creating a new admin acct), for the reasons listed here, but I have a problem: I have DSL, and like to use Network Connections (via a desktop shortcut) to disable the connection when I am away from my desk for long periods, with the assumption that this adds to security.
But in Limited mode, the Disable button is grayed out and can't be used. Is there a way to enable certain functions like this in a limited account? I have Win XP Home sp2. I don't seem to have a Power User option (is that just in Pro?).
Any information appreciated. --JWD

 

Not sure if you can, JW, but I'll think about it and come back. As you say XP home is short of the policies available in Pro.

Studio T

 

I knew I should have gotten Pro...
Thanks

 

My further research reveals that there seems to be no solution to this problem, short of shutting off/unplugging the modem. It seems a shame that if you go to a limited user account to bolster security, you have to give up the ability to conveniently disconnect when you want to, thus reducing security.
JWD

 

Switching it off is easy - just use ctrl+alt+del. It's switching it back on when you come back that's tricky.

Any of the dsl modems which keep the user and password in the pc not the modem can be switched on and off as you want. Most of the early usb types were like this. I have one I carry to jobs for testing purposes.

Studio T