echo: nthelp
to: Geo
from: Hrvoje Mesing
date: 2005-09-16 20:40:16
subject: Re: how not to build a firewall

From: "Hrvoje Mesing" 

Hi,

Windows Vista has a new Built-In Group called something like "Trusted
Installer".
If You are a member of the specified group, You can install software. Now,
what I cannot say is if that group is having "free" hands to
manage certain portions of Registry, but!, if You can give a
normal/standard/"only user" user this group membership (temporary
elevation of rights to install something) then it should be pretty clear
that it will not have an option to manage Critical Registry data.

Ok, but for now ..

You could create special "installer" user with defined rights on
C:\Program Files\.. and with edited gpedit.msc Local computer Security
policies and with some tuned Registry Permission. That Way, You'll perform
Run As when installing an application, but the same application will not have the
rights to access designated Reg. Keys, etc. Think this is possible.

What You can do is create vbscript/javascript Event Sink on registry keys
you want and get a notification of changes when there are any. (I'm using
a similar system to track down specific information - You can do this
remotely because event sinks dispatch events back to requester :)


+ You got a point.
1. Windows Firewall can be managed through Registry and WMI - You can do
everything if You are an Admin.

Very interesting (so, You can administer it from the command prompt too :):

-----
netsh firewall>show

The following commands are available:

Commands inherited from the netsh context:
show alias     - Lists all defined aliases.
show helper    - Lists all the top-level helpers.
show mode      - Shows the current mode.

Commands in this context:
show allowedprogram - Shows firewall allowed program configuration.
show config    - Shows firewall configuration.
show currentprofile - Shows current firewall profile.
show icmpsetting - Shows firewall ICMP configuration.
show logging   - Shows firewall logging configuration.
show multicastbroadcastresponse - Shows firewall multicast/broadcast response configuration.
show notifications - Shows firewall notification configuration.
show opmode    - Shows firewall operational configuration.
show portopening - Shows firewall port configuration.
show service   - Shows firewall service configuration.
show state     - Shows current firewall state.
-----

I must note that I use command prompt and WMI configurations often. What I
also must say is that I have notifications (firewall pop-ups) enabled for
all profiles and I *Never* saw one?! :)


2. There is a need for a special group/flagged that can be added to
user/whatever like one that is coming with Vista.

3. Windows Installer is NOT doing its job .. or maybe ?!
    - Applications perform installation logs so they can use them to
perform uninstall.
    - Windows Installer has Logging option per application setup (use
msiexec) or through gpedit.msc/and some other registry settings where You
can make this option Global (C:\windows\debug\..) and You can track
installations and modifications.
    Windows Installer must have an option to track every installer's install
procedure!

4. Admin can install and do everything, but!, can Administrator SEE what HE
is DOING in ANY Point of TIME ?! (?!?!?!?!?!)

5. etc., etc., etc., etc., etc., etc., etc ...


-+-
M.
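
The registry event sink described above, as an added example that is not the author's own script: a PowerShell subscription to the WMI RegistryTreeChangeEvent class (the equivalent of the VBScript SWbemSink the message mentions) that logs every change made under the Windows Firewall policy key, whoever makes it. The FirewallPolicy key path is an assumption about where the firewall stores its rules on your build; adjust it if needed.

```powershell
# Added example, not part of the original message. Watches the Windows
# Firewall policy registry tree through a WMI event subscription and logs
# every change, whether it came from netsh, WMI, regedit or an installer.
# Assumption: the firewall policy lives under the FirewallPolicy key below.
# Run from an elevated PowerShell session; Ctrl+C stops it.

$hive     = 'HKEY_LOCAL_MACHINE'
$rootKey  = 'SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$logFile  = Join-Path $env:TEMP 'firewall-registry-changes.log'
$sourceId = 'FirewallPolicyWatch'

# RegistryTreeChangeEvent (namespace root\default) fires for a change anywhere
# under RootPath, so per-profile and per-rule subkeys are covered too.
# WQL string literals need their backslashes doubled.
$query = "SELECT * FROM RegistryTreeChangeEvent WHERE Hive='$hive' " +
         "AND RootPath='$($rootKey.Replace('\', '\\'))'"

# Runs each time WMI delivers an event. The action block does not see the
# caller's variables, so the log path travels in via $Event.MessageData.
$onChange = {
    $e    = $Event.SourceEventArgs.NewEvent
    $line = '{0:u}  {1}\{2} changed' -f (Get-Date), $e.Hive, $e.RootPath
    Add-Content -Path $Event.MessageData -Value $line
    Write-Host $line
}

Register-WmiEvent -Namespace 'root\default' -Query $query `
    -SourceIdentifier $sourceId -MessageData $logFile -Action $onChange | Out-Null

Write-Host "Watching $hive\$rootKey (log: $logFile). Press Ctrl+C to stop."
try {
    while ($true) { Start-Sleep -Seconds 5 }
}
finally {
    # Always drop the subscription so it does not outlive this script.
    Unregister-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue
}
```

The event only reports that the tree changed, not which value; pair it with the netsh firewall show output above (or a registry export) before and after to see what was altered.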

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
