Windows Vista protects %systemroot% files and folders with permissions designed for Windows Resource Protection (WRP), which can only be accessed by the System service. Administrators can read system files and folders but cannot write to them. Note that this differs from previous versions of Windows.
While it may seem clear that all users should not be able to read, alter, and delete any Windows resource, many enterprise IT departments have no other option but to make all of their users administrators.
The following are some reasons why enterprises run as administrator today:
So you see, you may not get around the issue without promoting Power Users to Admins...
* Application installation (members of the Users group cannot install or uninstall applications): Many enterprises have no centralized method for deploying applications to their users, such as Microsoft Systems Management Server® (SMS), Group Policy software installation (GPSI), or another similar application deployment technology. Enterprises that do utilize software deployment technologies allow users to run as administrator because of ad hoc application installations for specialized applications for specific departments (a custom spreadsheet application for the Marketing department, for instance).
* Custom Web applications (ActiveX controls): With the growth of the independent software vendor (ISV) community, many companies are opting to have custom applications designed for their specific business requirements. Many of these custom applications include a Web browser front-end, which requires an ActiveX control to be installed. Because ActiveX controls are executable files and can contain malware, Windows prevents members of the Users group from installing them.
* Perceived lower TCO (reduced help desk calls versus reduced attack surface): Many enterprises believe that allowing users to install their own applications will help limit the number and cost of Help Desk calls. Unfortunately, running your enterprise workstations as administrator also makes your network vulnerable to “malware”—the overarching term for all malicious software, including viruses, Trojan horses, spyware, and some adware. Malware can exploit a local administrator account’s system-level access to damage files, change system configurations, and even transmit confidential data outside of the network.
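The WRP point made at the top (administrators can read %systemroot% files but not write to them) is easy to verify, and worth checking on machines where users run as administrator, because an installer, an `icacls`/`takeown` session or malware running with admin rights can quietly widen those ACLs. The following PowerShell script is an added example, not part of the quoted Microsoft text or of the original post. It lists every ACE on a protected file and flags the principals that hold write, delete or permission-change rights; on a default Vista-or-later install the owner and the only such principal is the TrustedInstaller service (`NT SERVICE\TrustedInstaller`, the service the quoted text calls the System service). The sample path is an assumption; any file under %systemroot% will do.

```powershell
# Added example (not from the quoted Microsoft text or the original post).
# Reports which principals can modify a WRP-protected file and warns when any
# principal other than TrustedInstaller holds write rights.
param(
    # Assumed sample path; any file under %systemroot% works.
    [string]$Path = (Join-Path $env:SystemRoot 'System32\notepad.exe')
)

$acl = Get-Acl -LiteralPath $Path

# Rights that let a principal change the file or its security descriptor.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

$rows = foreach ($ace in $acl.Access) {
    # Only Allow entries grant anything; Deny entries are listed but not flagged.
    $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                   (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0)
    [pscustomobject]@{
        Identity    = $ace.IdentityReference.Value
        Type        = $ace.AccessControlType
        Rights      = $ace.FileSystemRights
        GrantsWrite = $grantsWrite
    }
}

"Owner: $($acl.Owner)"
$rows | Format-Table -AutoSize

# On a default install only NT SERVICE\TrustedInstaller can modify the file.
# Any other principal with write rights means the WRP defaults were changed.
$drift = $rows | Where-Object {
    $_.GrantsWrite -and $_.Identity -ne 'NT SERVICE\TrustedInstaller'
}
if ($drift) {
    Write-Warning "Write access to $Path is also granted to: $($drift.Identity -join ', ')"
} else {
    "Only TrustedInstaller can modify $Path (WRP default)."
}
```

Run it from an ordinary (non-elevated) prompt; reading an ACL needs no admin rights, which is itself the point of the read-but-not-write design. Pointing the same script at a handful of files under `System32` and comparing the output across machines is a cheap way to spot where the admin-by-default policy has already been used to loosen system file permissions.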