echo: nthelp
to: Hrvoje Mesing
from: Rich
date: 2005-09-16 17:30:46
subject: Re: how not to build a firewall

From: "Rich" 

   You misunderstand Trusted Installer and everything that follows is based on this misunderstanding.

Rich

  "Hrvoje Mesing" wrote in message news:432b1165{at}w3.nls.net...
  Hi,

  Windows Vista has a new Built-In Group called something like "Trusted Installer".
  If You are a member of the specified group, You can install software.
  Now, what I cannot say is if that group has "free" hands to manage certain portions of the Registry, but!, if You can give a normal/standard/"only user" user this group membership (temporary elevation of rights to install something) then it should be pretty clear that it will not have an option to manage Critical Registry data.

  Ok, but for now ..

  You could create a special "installer" user with defined rights on C:\Program Files\.. and with edited gpedit.msc Local computer Security policies and with some tuned Registry Permissions.
  That Way, You'll perform Run As when installing an application, but the same application will not have the rights to access designated Reg. Keys, etc.
  I think this is possible.

  What You can do is create a vbscript/javascript Event Sink on the registry keys you want and get a notification of changes when there are any.
  (I'm using a similar system to track down specific information - You can do this remotely because event sinks dispatch events back to the requester :)


  + You got a point.
  1. Windows Firewall can be managed through the Registry and WMI - You can do everything if You are an Admin.

  Very interesting (so, You can administer it from the command prompt too :):

  -----
  netsh firewall>show

  The following commands are available:

  Commands inherited from the netsh context:
  show alias     - Lists all defined aliases.
  show helper    - Lists all the top-level helpers.
  show mode      - Shows the current mode.

  Commands in this context:
  show allowedprogram - Shows firewall allowed program configuration.
  show config    - Shows firewall configuration.
  show currentprofile - Shows current firewall profile.
  show icmpsetting - Shows firewall ICMP configuration.
  show logging   - Shows firewall logging configuration.
  show multicastbroadcastresponse - Shows firewall multicast/broadcast response configuration.
  show notifications - Shows firewall notification configuration.
  show opmode    - Shows firewall operational configuration.
  show portopening - Shows firewall port configuration.
  show service   - Shows firewall service configuration.
  show state     - Shows current firewall state.
  -----

  I must note that I use command prompt and WMI configurations often.
  What I also must say is that I have notifications (firewall pop-ups) enabled for all profiles and I *Never* saw one?! :)


  2. There is a need for a special group/flag that can be added to a user/whatever like the one that is coming with Vista.

  3. Windows Installer is NOT doing its job .. or maybe ?!
      - Applications keep installation logs so they can use them to perform uninstall.
      - Windows Installer has a Logging option per application setup (use msiexec) or through gpedit.msc/and some other registry settings where You can make this option Global (C:\windows\debug\..) and You can track installations and modifications.
      Windows Installer must have an option to track every Installer's install procedure!

  4. Admin can install and do everything, but!, can the Administrator SEE what HE is DOING at ANY Point in TIME ?! (?!?!?!?!?!)

  5. etc., etc., etc., etc., etc., etc., etc ...


  ---
  M.

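The registry event sink Hrvoje mentions, written out as an added example (not code from the original thread) in PowerShell rather than vbscript: it subscribes to WMI RegistryTreeChangeEvent for the Windows Firewall policy subtree and appends each change, with the current per-profile EnableFirewall values, to a log file. Assumptions: PowerShell 2.0 or later, run as an administrator; the log path and the source identifier name are made up.

```powershell
# Added example, not from the original post: a WMI registry event sink used as
# a detective control for the Windows Firewall policy keys.
# Assumptions: PowerShell 2.0+, elevated session; log path below is invented.
$Hive     = 'HKEY_LOCAL_MACHINE'
$RootPath = 'SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$LogFile  = 'C:\Temp\firewall-registry-changes.log'   # assumed location

# WQL string literals need every backslash doubled (plain .NET Replace, no regex).
$Query = "SELECT * FROM RegistryTreeChangeEvent WHERE Hive='$Hive' " +
         "AND RootPath='$($RootPath.Replace('\', '\\'))'"

# Runs once per matching event. Everything it needs is passed via MessageData
# so the block does not depend on script-scope variables.
$Action = {
    $e    = $Event.SourceEventArgs.NewEvent     # Hive and RootPath properties
    $data = $Event.MessageData
    $vals = foreach ($profile in 'DomainProfile', 'StandardProfile') {
        $key  = "HKLM:\$($data.RootPath)\$profile"
        $item = Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue
        '{0}.EnableFirewall={1}' -f $profile, $(if ($item) { $item.EnableFirewall } else { 'n/a' })
    }
    $line = '{0:s} change under {1}\{2} {3}' -f (Get-Date), $e.Hive, $e.RootPath, ($vals -join ' ')
    Add-Content -Path $data.Log -Value $line
}

# RegistryTreeChangeEvent is provided in the root\default namespace.
Register-WmiEvent -Namespace 'root\default' -Query $Query `
    -SourceIdentifier 'FirewallPolicyWatch' `
    -MessageData @{ Log = $LogFile; RootPath = $RootPath } `
    -Action $Action | Out-Null

Write-Host "Watching $Hive\$RootPath; run 'Unregister-Event -SourceIdentifier FirewallPolicyWatch' to stop."
```

The subscription lives only as long as the PowerShell session that created it, so for a persistent sink use a permanent WMI event consumer or a scheduled task that starts the script at boot.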


* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
