Safe browsing pointers

[opera1217b1863]

Does this silence mean there will be no technical arguments in favor of the silent elevation?

[New Tobin Paradigm]

Silent elevation.. and i am sorry for not responding sooner is not by any means best practices.. but it is there if you want it..

Kinda think about it like this.. You have a virus scanner.. the virus scanner active monitoring is turned off or you have whitelisted and entire drive because the files will trigger it but you know nearly all of them are false positives.. but you do open your self up for something that is not.. it is a tradeoff to not get bugged by such warnings..

Though i know that isn't a 1:1 argument but it is better to have a virus scanner there even if it isn't preventing files from being opened on a particular drive..

[opera1217b1863]

Silent elevation.. .. but it is there if you want it...

If something "is there" (i.e. is technically possible) it does not mean one should do it.
It all depends.

What was not EXPLICITLY installed by an admin (assumed - after his full vetting/scanning/checking/setting-up) - that SHOULD NOT be allowed to run for a LUA. Ever.
Disabling UAC does just this: any attempt to run it fails with a clear OS's warning.

[Moonchild]

I think we're talking about two different scenarios here, anyway.

For a normal user, the user is the admin. They are not two different people. "The worm is the spice; the spice is the worm"

As a result user elevation is a good middle ground between running an open system with free reign for malware and having to use a strict separation that has its own pitfalls (in the human factor when switching accounts is required, see my previous posts).

Using strict separation is a viable alternative, of course, but makes for a lot less convenience and ease of use. Ease of use is very important for computer users; a computer is supposed to be enabling and a tool, not restrictive. Strict separation isn't a requirement for safe browsing, but it is a possible way to go about it if you so choose. UAC is a just as viable alternative with a lot more convenience for the user, but obviously putting the task of more responsible use in the user's hands as opposed to just not making it possible and shifting that responsibility to separated maintenance sessions or different people (in a corp environment, for example).

The $10,000 question is therefore: Can you be a responsible user?
If yes, UAC is for you.
If no, a restricted LUA and someone else administering your computer for you is your solution.

[Night Wing]

"The worm is the spice; the spice is the worm"

Off-topic:
I know Muad'Dib (Paul Atreides of the House Atreides) would agree with on the planet Arrakis (Dune).

[opera1217b1863]

The $10,000 question is therefore: Can you be a responsible user?
If yes, UAC is for you.
If no, a restricted LUA and someone else administering your computer for you is your solution.

I would not bring this to such extremities.

I am an admin on my PC, but this does not mean I sit under my admin's account 100% of my time.
I do not understand why so much fuss about having (and using!) a separate account - non-administrative one - for everyday jobs.
May be I' special, but do not constantly install/uninstall/tune/fix/hack my OS and/or software in it.

What I do everyday is:

1. use OpenOffice for text documents;
2. read/write e-mails;
3. browse articles for my professional interests, search for informations in my field, for news, and so on;
4. some SIP phone-calls.

Neither of those things require admin's powers, so I have no reason to log-in to admin's account when I power-up my PC in the morning.
It is each second Tuesday that is different - when I use admin's powers to install updates.
And very-very rarely I have to re-log-in to update my working set of software (browser update or OpenOffice new release, etc).

A quiet life is it.

PS
I forgot to mention that one has to set the OS to require digital signatures for drivers being installed.
I'm updating my initial post on that matters.

[Moonchild]

Closing this thread, I think everything has been said on this matter that could be said. Anything more would just be even more rehashing than what has already been done.