Originally Posted by bionicarm (http:///forum/post/3173467)
Define "limited user". Standard accounts are good for users who you don't want to add applications, change settings, or delete critical system files. However, I don't know of any "standard" Windows account that can keep viruses, malware, trojans, or spam from getting on a computer. I deal with network and system attacks on a daily basis. I have seen and played with some of the nastiest stuff you can find on the internet. I guarantee you I've seen code that can break into even the most secure PC out there. The only secure way to completely keep this type of code off your machine is to disconnect it from the network. Of course that's not even an option in today's computer environments. The next best thing is detection software and a firewall.
Nothing protects 100%, obviously.
The same limitations of standard users that prevent them from installing software and making changes are the ones that stop the malware. Since executables run by the interactive user have the same rights as that user, they are also restricted from making changes. Standard users do not have permission to change almost all folders other than %userprofile%, and do not have permission to alter HKLM\Software\Microsoft\Windows\CurrentVersion\Run (and similar keys).
Without these two permissions, it's very difficult for most malware to set itself up to be hidden or run automatically on startup. About all it's able to do is copy itself to the user's temp folder and place a shortcut in the startup folder of the start menu.
The nice thing about that is that all you need to do to get to a point where the malware isn't running is log on as a different user.
Of course, some malware can take advantage of exploits in the OS and get in that way, but most malware writers assume that the user who is logged in has administrative rights to the system, because in 99% of the cases, it's true.
If you want a success story... at my company we were dealing with malware infections basically daily, and a huge virus outbreak would occur every few months. About 3 years ago we stopped giving users administrative rights to their machines. We have not had one virus outbreak since, none. Malware... we occasionally (like once or twice a year) see something that detects the lack of admin rights and puts itself in the temp folder, but removing it takes moments now rather than serious time.
In short, I've never seen the scheme work wonderfully at stopping 99% of all intrusions, but I'm not saying it's perfect.
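A check to go with the post above, added here and not taken from the thread: a PowerShell script that lists the autostart locations a standard user can still write to (the per-user Run keys and the Startup folder the post mentions) and flags entries that launch something from a user-writable path such as %TEMP% or %APPDATA%. The "suspicious" heuristic and the list of user-writable roots are assumptions of this example, not anything the post specifies.

```powershell
# Added example (not from the thread). Audits the persistence spots a non-admin
# process can still reach: HKCU Run/RunOnce and the per-user Startup folder.
# Entries that point into %TEMP%, %APPDATA% or %LOCALAPPDATA% are flagged,
# since a standard user cannot write anywhere else. Built-in cmdlets only.

# Assumed set of user-writable roots used for the heuristic.
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) |
    Where-Object { $_ } | ForEach-Object { $_.ToLower() }

function Test-UserWritablePath {
    param([string]$Command)
    $c = $Command.ToLower()
    foreach ($root in $userWritable) { if ($c.Contains($root)) { return $true } }
    return $false
}

$findings = @()

# 1. Per-user Run/RunOnce keys: always writable by the account that owns HKCU.
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSProvider, ...
            $findings += [pscustomobject]@{
                Location   = $key
                Name       = $p.Name
                Command    = [string]$p.Value
                Suspicious = Test-UserWritablePath ([string]$p.Value)
            }
        }
    }
}

# 2. Per-user Startup folder: anything here (usually a .lnk) runs at logon.
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $_.FullName
    if ($_.Extension -eq '.lnk') {   # resolve the shortcut to its real target
        $target = (New-Object -ComObject WScript.Shell).CreateShortcut($_.FullName).TargetPath
    }
    $findings += [pscustomobject]@{
        Location   = $startup
        Name       = $_.Name
        Command    = $target
        Suspicious = Test-UserWritablePath $target
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Some legitimate per-user installers (updaters and chat clients, for example) also live under %LOCALAPPDATA%, so a flagged entry is a lead to verify, not a verdict; run it under the user's own account, since HKCU and the Startup folder are per-profile.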