Re: XML in IE 5.0

From: Jesper M. Johansson (jjohanssat_private)
Date: Wed Jan 19 2000 - 15:40:20 PST


    >There's yet another solution that might be able to give you the best of
    >both worlds - there is such a thing as a restricted user token under Win2k
    >- you copy your token, strip it of the rights and groups that you want to
    >go away (this is permanent), then create a process using the stripped
    >token.  Now you're still running it as you, but you've shed any privileged
    >groups, and shed any rights that you don't want your browser to have.
    
    Does this mean that all processes spawned by the process with the restricted token also have the restricted token? That's the problem with Run As... Processes spawned under a Run As... process often (I haven't been able to figure out when and why) have the token of the process that started the Run As... To illustrate, User 1 spawns a web browser in the context of User 2 using Run As... The web browser spawns a new process, for example an ActiveX control. The ActiveX control, under certain circumstances (I don't know what they are), will run in the process of User 1.
    
    Also, how do we create this restricted token? Is there an easy command to do that, or can we only do it by digging into the API?
    
    Jesper M. Johansson
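
The steps in the quoted paragraph (copy the token, shed groups and rights, start a process on the stripped copy) correspond to the Win32 calls CreateRestrictedToken and CreateProcessAsUser. The PowerShell below is an added example, not part of the original message; the `RT` wrapper class, the `Fail` helper, the choice of BUILTIN\Administrators as the group to shed and `notepad.exe` as the target are assumptions made for illustration.

```powershell
# P/Invoke declarations for the Win32 calls used below (RT is a hypothetical wrapper name).
Add-Type -TypeDefinition @'
using System; using System.Runtime.InteropServices; using System.Text;
[StructLayout(LayoutKind.Sequential)]
public struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct STARTUPINFO {
  public int cb; public string lpReserved, lpDesktop, lpTitle;
  public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
  public short wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError; }
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
public static class RT {
  [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
  [DllImport("advapi32.dll", SetLastError = true)]
  public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
  [DllImport("advapi32.dll", SetLastError = true)]
  public static extern bool CreateRestrictedToken(IntPtr token, uint flags, uint nDisable,
    SID_AND_ATTRIBUTES[] sidsToDisable, uint nDelete, IntPtr privsToDelete,
    uint nRestrict, IntPtr sidsToRestrict, out IntPtr newToken);
  [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
  public static extern bool CreateProcessAsUserW(IntPtr token, IntPtr app, StringBuilder cmdLine,
    IntPtr procAttrs, IntPtr threadAttrs, bool inherit, uint flags, IntPtr env, IntPtr cwd,
    ref STARTUPINFO si, out PROCESS_INFORMATION pi);
}
'@
function Fail($api) { throw "$api failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }

# 1. Open our own primary token. 0xB = TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY
$tok = [IntPtr]::Zero
if (-not [RT]::OpenProcessToken([RT]::GetCurrentProcess(), 0xB, [ref]$tok)) { Fail OpenProcessToken }
# 2. Group to shed: BUILTIN\Administrators (S-1-5-32-544) becomes deny-only in the copy
$sid = New-Object Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$raw = New-Object byte[] $sid.BinaryLength; $sid.GetBinaryForm($raw, 0)
$drop = New-Object SID_AND_ATTRIBUTES
$drop.Sid = [Runtime.InteropServices.Marshal]::AllocHGlobal($raw.Length)
[Runtime.InteropServices.Marshal]::Copy($raw, 0, $drop.Sid, $raw.Length)
# 3. Copy and strip. Flag 0x1 = DISABLE_MAX_PRIVILEGE: every privilege goes except SeChangeNotifyPrivilege
$rtok = [IntPtr]::Zero
if (-not [RT]::CreateRestrictedToken($tok, 0x1, 1, [SID_AND_ATTRIBUTES[]]@($drop),
    0, [IntPtr]::Zero, 0, [IntPtr]::Zero, [ref]$rtok)) { Fail CreateRestrictedToken }
# 4. Start the target on the stripped token (command line must be a writable buffer)
$si = New-Object STARTUPINFO; $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
$pinfo = New-Object PROCESS_INFORMATION
$cmd = New-Object Text.StringBuilder 'notepad.exe'
if (-not [RT]::CreateProcessAsUserW($rtok, [IntPtr]::Zero, $cmd, [IntPtr]::Zero, [IntPtr]::Zero,
    $false, 0, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$si, [ref]$pinfo)) { Fail CreateProcessAsUserW }
"Started PID $($pinfo.dwProcessId) with a restricted token"
```

Processes that the child later starts with an ordinary CreateProcess call receive a copy of the same restricted token.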
    