From: Nobody on 26 Jul 2010 00:55

On Sat, 24 Jul 2010 07:14:27 -0700, JosephKK wrote:

>>I don't recall the exact number, but in Windows XP there were something
>>like "many hundreds" of group policy settings, whereas in Windows Vista
>>and Windows 7 there are now over 10,000. Amazing...
>>
>>---Joel
>
> Crickey, it has gotten worse than *nix ever was. That would be a good
> selling point for Linux/BSD/Solaris/*ix/*ux.

Conversely, if you *want* the 10,000 policy settings, you can use SELinux ;)

The main problem with any kind of configurable policy is when you need to use a program written according to a "works on my system" principle.

The whole Vista UAC mess was an attempt to implement relatively modest security policies without breaking a zillion applications written by people who thought it was perfectly reasonable to assume that normal (non-Administrator) users would be able to write to the "Program Files" directory.

This left Microsoft with a "damned if you do, damned if you don't" choice. In spite of the inevitable customer dissatisfaction, they had to make using such applications sufficiently annoying that any developer who failed to update their practices would lose significant market share, otherwise developers would just continue developing for the Win95/FAT model (with no access controls) forever.
From: Joerg on 26 Jul 2010 13:36

Nobody wrote:
> On Sat, 24 Jul 2010 07:14:27 -0700, JosephKK wrote:
>
>>> I don't recall the exact number, but in Windows XP there were something
>>> like "many hundreds" of group policy settings, whereas in Windows Vista
>>> and Windows 7 there are now over 10,000. Amazing...
>>>
>>> ---Joel
>> Crickey, it has gotten worse than *nix ever was. That would be a good
>> selling point for Linux/BSD/Solaris/*ix/*ux.
>
> Conversely, if you *want* the 10,000 policy settings, you can use SELinux ;)
>
> The main problem with any kind of configurable policy is when you need to
> use a program written according to a "works on my system" principle.
>
> The whole Vista UAC mess was an attempt to implement relatively modest
> security policies without breaking a zillion applications written by
> people who thought it was perfectly reasonable to assume that normal
> (non-Administrator) users would be able to write to the "Program Files"
> directory.
>

Nothing wrong with that. For example, most CAD programs happen to have their lib files there and I sure want write access to that area. Which is one of the things that ticked me off with gEDA under Linux.

> This left Microsoft with a "damned if you do, damned if you don't" choice.
> In spite of the inevitable customer dissatisfaction, they had to make
> using such applications sufficiently annoying that any developer who
> failed to update their practices would lose significant market share,
> otherwise developers would just continue developing for the Win95/FAT
> model (with no access controls) forever.
>

Forcing developers to alter their ways via OS limitations will inevitably force their customers to upgrade. Meaning $$$. Which has obviously backfired with Vista and maybe Win7 as well. Many businesses I know hang on to XP for that reason, and so do I.

--
Regards, Joerg

http://www.analogconsultants.com/

"gmail" domain blocked because of excessive spam.
Use another domain or send PM.
From: Grant on 26 Jul 2010 16:17

On Mon, 26 Jul 2010 10:36:51 -0700, Joerg <invalid(a)invalid.invalid> wrote:

>Nobody wrote:
>> On Sat, 24 Jul 2010 07:14:27 -0700, JosephKK wrote:
>>
>>>> I don't recall the exact number, but in Windows XP there were something
>>>> like "many hundreds" of group policy settings, whereas in Windows Vista
>>>> and Windows 7 there are now over 10,000. Amazing...
>>>>
>>>> ---Joel
>>> Crickey, it has gotten worse than *nix ever was. That would be a good
>>> selling point for Linux/BSD/Solaris/*ix/*ux.
>>
>> Conversely, if you *want* the 10,000 policy settings, you can use SELinux ;)
>>
>> The main problem with any kind of configurable policy is when you need to
>> use a program written according to a "works on my system" principle.
>>
>> The whole Vista UAC mess was an attempt to implement relatively modest
>> security policies without breaking a zillion applications written by
>> people who thought it was perfectly reasonable to assume that normal
>> (non-Administrator) users would be able to write to the "Program Files"
>> directory.
>>
>
>Nothing wrong with that.

There is. Trouble is that windows is now trying to be unix like ("every OS wants to grow up to be unix"), and MSFT bolts on extra complexity to try catch up on secure environment.

> For example, most CAD programs happen to have
>their lib files there and I sure want write access to that area. Which
>is one of the things that ticked me off with gEDA under Linux.

I don't know gEDA. Under unix/linux, there are defined areas for read-only code (/usr), as well as application writable area (/var). There's system areas and per-user areas. Very different to windows, and much better.

One problem with Linux though is a number of apps want to treat it like a free windows replacement, which it is not.

>
>> This left Microsoft with a "damned if you do, damned if you don't" choice.
>> In spite of the inevitable customer dissatisfaction, they had to make
>> using such applications sufficiently annoying that any developer who
>> failed to update their practices would lose significant market share,
>> otherwise developers would just continue developing for the Win95/FAT
>> model (with no access controls) forever.
>>
>
>Forcing developers to alter their ways via OS limitations will
>inevitable forces their customers to upgrade. Meaning $$$. Which has
>obviously backfired with Vista and maybe Win7 as well. Many businesses I
>know hang on to XP for that reason, and so do I.

WinXP (windows 5.1, Win2k was 5.0) had a lot of work done on it, but corporate greed means MSFT dumping support for WinXP to try forcing people to Vista (windows 6), didn't work, now windows 6.1 labeled win7 (yet more MSFT spin) to try again, may not work either, as MSFT has again extended deadline for 'downgrade rights' on new PCs shipped with Win7 --> MSFT claims a Win7 sale, while allowing the user to downgrade that new machine to WinXP.

There's no Linux Incorporated playing similar tricks.

Grant.
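The split Grant describes between a read-only program area and writable per-user areas, applied to the CAD library case debated in this thread. This is an added example, not part of any post or of gEDA; `LibraryStore`, the directory layout and the `.sym` file names are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path


class LibraryStore:
    """Find CAD library files in a writable per-user dir first, then the read-only install dir."""

    def __init__(self, system_dir, user_dir):
        self.system_dir = Path(system_dir)   # shipped with the program, e.g. under /usr
        self.user_dir = Path(user_dir)       # per-user area, e.g. under the home directory

    def resolve(self, name):
        """Return the path that wins for `name`: a user copy overrides the shipped one."""
        for base in (self.user_dir, self.system_dir):
            candidate = base / name
            if candidate.is_file():
                return candidate
        raise FileNotFoundError(name)

    def save(self, name, data):
        """Write only into the per-user area; the shipped file is never modified."""
        if name in ("", "..") or Path(name).name != name:   # no "../x", no absolute paths
            raise ValueError("library name must be a bare file name")
        self.user_dir.mkdir(parents=True, exist_ok=True)
        target = self.user_dir / name
        target.write_text(data)
        return target

    def listing(self):
        """Merged view: every library name mapped to 'user' or 'system'."""
        merged = {p.name: "system" for p in self.system_dir.glob("*") if p.is_file()}
        merged.update({p.name: "user" for p in self.user_dir.glob("*") if p.is_file()})
        return dict(sorted(merged.items()))


def demo():
    root = Path(tempfile.mkdtemp())          # constructed sample layout in a temp dir
    system_dir, user_dir = root / "install" / "lib", root / "home" / "lib"
    system_dir.mkdir(parents=True)
    (system_dir / "resistor.sym").write_text("shipped resistor")
    (system_dir / "opamp.sym").write_text("shipped opamp")
    system_dir.chmod(0o555)                  # read-only, as an install dir is for normal users
    store = LibraryStore(system_dir, user_dir)
    store.save("opamp.sym", "my edited opamp")   # user override of a shipped part
    store.save("custom.sym", "my own part")
    return store, system_dir


if __name__ == "__main__":
    print(demo()[0].listing())
```

The user sees one merged library and can edit any part, while nothing under the install directory needs to be writable by a non-administrator account.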
From: Joel Koltner on 26 Jul 2010 16:38

"Grant" <omg(a)grrr.id.au> wrote in message
news:g5qr46dvn06utplgmgj9eieldi9oe1jo7g(a)4ax.com...
> On Mon, 26 Jul 2010 10:36:51 -0700, Joerg <invalid(a)invalid.invalid> wrote:
>>Nobody wrote:
>>> The whole Vista UAC mess was an attempt to implement relatively modest
>>> security policies without breaking a zillion applications written by
>>> people who thought it was perfectly reasonable to assume that normal
>>> (non-Administrator) users would be able to write to the "Program Files"
>>> directory.
>>Nothing wrong with that.
> There is. Trouble is that windows is now trying to be unix like ("every
> OS wants to grow up to be unix"), and MSFT bolts on extra complexity to
> try catch up on secure environment.

I think that UAC as implemented on Windows 7 (Vista was way too annoying initially) is actually a ...reasonable... way to go (although I think the Mac OS does better here). There's always going to be a fundamental problem that your average home user *does* need to be able to write to "Program Files" without being forced to jump through a lot of hoops, yet of course many an IT guy doesn't want *any* of their users touching it.

(Personally I tend to think many an IT guy wants to use technology to solve what are really policy problems, though. ...although it's become quite ubiquitous in society -- even *soldering irons* meant for production usage will now have special little electronic keys that the production supervisor retains so that the lowly production workers can't dare change the temperature. Sheesh! How was it we managed to build a spaceship to take us to the moon and back when we couldn't electronically prevent some guy working on the guidance computer from turning his soldering iron temperature up 25C more than he should have?)

> I don't know gEDA. Under unix/linux, there are defined areas for
> read-only code (/usr), as well as application writable area (/var).

At least your average Windows user understands that "program files" probably contains programs and "documents and settings" probably contains application settings. /usr? Unix system resources? What's that? /var? Variable? Huh? And what's this /etc directory thing where all the "odds and ends" seem to end up?

---Joel
From: Joerg on 26 Jul 2010 17:03

Joel Koltner wrote:
> "Grant" <omg(a)grrr.id.au> wrote in message
> news:g5qr46dvn06utplgmgj9eieldi9oe1jo7g(a)4ax.com...
>> On Mon, 26 Jul 2010 10:36:51 -0700, Joerg <invalid(a)invalid.invalid>
>> wrote:
>>> Nobody wrote:
>>>> The whole Vista UAC mess was an attempt to implement relatively modest
>>>> security policies without breaking a zillion applications written by
>>>> people who thought it was perfectly reasonable to assume that normal
>>>> (non-Administrator) users would be able to write to the "Program Files"
>>>> directory.
>>> Nothing wrong with that.
>> There is. Trouble is that windows is now trying to be unix like ("every
>> OS wants to grow up to be unix"), and MSFT bolts on extra complexity to
>> try catch up on secure environment.
>
> I think that UAC as implemented on Windows 7 (Vista was way too annoying
> initially) is actually a ...reasonable... way to go (although I think
> the Mac OS does better here). There's always going to be a fundamental
> problem that your average home users *does* need to be able to write to
> "Program Files" without being forced to jump through a lot of hoops, yet
> of course many an IT guys doesn't want *any* of their users touching it.
>
> (Personally I tend to think many an IT guy wants to use technology to
> solve what are really policy problems, though. ...although it's become
> quite ubiquitous in society -- even *soldering irons* meant for
> production usage will now have special little electronic keys that the
> production supervisor retains so that the lowly production workers can't
> dare change the temperature. Sheesh! How was it we managed to build a
> spaceship to take us to the moon and back when we couldn't
> electronically prevent some guy working on the guidance computer from
> turning his soldering iron temperature up 25C more than he should have?)
>

It is indeed somewhat moronic. But you see it everywhere. "Do not put fluorescent bulb in mouth and bite down" and things like that. Just because some ambulance chaser succeeded once.

The topper on the news came yesterday: A kid died because it had reclined the seat, all the way down, her sister fell asleep at the wheel, crashed the car, kid got killed because the seat belt won't protect when you almost lay down in a car. AFAIK the family "won" $1.8M. I mean, how much does it take to realize that when the safety belt is flopping about in the wind it won't protect?

>> I don't know gEDA. Under unix/linux, there are defined areas for
>> read-only code (/usr), as well as application writable area (/var).
>
> At least your average Windows user understands that "program files"
> probably contains programs and "documents and settings" probably
> contains application setting. /usr? Unix system resources? What's
> that? /var? Variable? Huh? And what's this /etc directory think where
> all the "odds and ends" seem to end up?
>

From a serious CAD user it can be expected that he or she understands the basics of file management. In fact, gEDA was written completely Linux-centric, ports to Windows have largely failed because some not so compatible code must have been employed (in layman's terms). Yet even gEDA does what every CAD does, store libraries in program directories. Meaning user libs and non-custom libs get splintered up. What's wrong with allowing write access to the lib directory?

I don't want an OS to tell me what I can't and cannot do, just like I don't want a car to decide when to shift :-)

--
Regards, Joerg

http://www.analogconsultants.com/

"gmail" domain blocked because of excessive spam.
Use another domain or send PM.