Configuring Windows 7 for a Limited User
Windows 7 recognizes three broad classes of users: The built-in “Administrator” account: This account is special for a number of reasons, and is disabled by default in Windows Vista and Windows 7. Because this account explicitly turns off some important security features (such as Internet Explorer® Protected Mode) as well as UAC, it’s a really bad idea to use Administrator for anything. Keeping this account disabled will help keep you safer! An account with administrative rights: Though a user has the ability to elevate to admin rights due to membership in the local Administrators group, UAC interposes itself at key times with prompts that confirm your intentions. This is the Prompt-for-Consent mode, and upon clicking Yes, it will elevate the task and run as an Administrator. For performing administrative tasks, always use this kind of custom admin account instead of the built-in Administrator. Windows 7 introduces a slider to the UAC settings that allow for changing the level of UAC prompts, including a setting to disable it entirely (Admin-approval mode). A standard, limited user: UNIX and Linux systems have never had the confusion between what’s an administrative task and what’s a user task—it was simply always apparent which was which. These accounts simply do not have the power to perform administrative tasks directly, nor do they have the ability to elevate with a mere confirmation. They instead require credentials such as a password or a smartcard. For a detailed version of this article visit Microsoft Technet.