Painless User Group Experience
(Pretty Version)
By Soda_Popinsky

The technically adept have a problem on Windows. We want full control of the OS, but we also want the security of the User group. "Run as..." sucks: it doesn't work with .msi files, and admin Control Panel items don't work unless you log in as an administrator. I intend to solve the horrid experience with this article; it has been a blessing for me thus far. A screenshot of the end result is attached.

The major security issue with the Windows operating system is the "out of box experience" that encourages everyone to run as an administrator. The major benefit of Linux is the ease of switching back and forth between privileged and less privileged accounts with "su" and other applications that prompt for admin rights. This article will focus on a few fixes to allow us to easily install software and configure the system without fully switching between accounts.

First, as an administrator, visit the Control Panel and create a new "limited" account. Name it something sexy, because you'll be using it from now on. Log in to this account.

Imitating Linux "su"
The command line method of running software under another account is with the "Runas" command. We can imitate the Linux "su" command with a small batch file and a quick launch icon. Create a file named rootshell.bat in your "My Documents" folder, and fill it with this text:

runas /user:AdminName cmd

Change "AdminName" to the name of your administrative account. Once saved, drag the batch file into your quick launch panel and click on it. You'll be prompted for the admin password, and you now have a root shell. You can now drag and drop .msi install packages into this window and install them (.msi files don't have a "Run as..." context menu). You can change the icon if you like by right-clicking it and changing its properties.
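The .msi case above can also be handled with a drop-target batch file, so a package can be dragged straight onto an icon. This is an added example, not part of the original article; the file name rootinstall.bat and the ADMIN variable are hypothetical, and "AdminName" is the same placeholder used in rootshell.bat.

```batch
@echo off
rem rootinstall.bat (hypothetical name): drag an .msi onto this file to
rem install it under the admin account without opening a root shell first.
setlocal

rem Assumption: same placeholder as in rootshell.bat; set your admin account.
set "ADMIN=AdminName"

rem Nothing was dropped or passed on the command line.
if "%~1"=="" goto usage

rem Only hand .msi packages to msiexec; refuse anything else.
if /i not "%~x1"==".msi" goto notmsi

rem %~f1 is the full path, so the install does not depend on the
rem working directory the admin process starts in.
if not exist "%~f1" goto missing

echo Installing "%~nx1" as %ADMIN% ...
rem runas takes the whole command as one quoted string; inner quotes are
rem escaped as \" so paths containing spaces survive.
runas /user:%ADMIN% "msiexec /i \"%~f1\""
rem runas does not wait for the installer; a non-zero code here means the
rem program could not be started (for example, a wrong password).
if errorlevel 1 goto failed
goto :eof

:usage
echo Usage: drag an .msi file onto this batch file.
goto done

:notmsi
echo "%~nx1" is not an .msi package; nothing was run.
goto done

:missing
echo Cannot find "%~f1".
goto done

:failed
echo runas could not start the installer as %ADMIN%.

:done
pause
exit /b 1
```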

Easy Administrative Control Panel
The other big problem is getting an administrative Control Panel without logging out and logging in to an administrative account. Let's solve that with another batch file, but first we need to make an adjustment to the way Explorer handles new windows. Follow through with this quick adjustment in the admin account you are using (from MSKB):

To open each folder in a separate part of memory

Open Folder Options in Control Panel.
Click Start, and then click Control Panel.
Click Appearance and Themes, and then click Folder Options.
On the View tab, select the Launch folder windows in a separate process check box.

Once done, create another batch file named rootcontrol.bat in your "My Documents" folder, and fill it with this text:

runas /user:AdminName control

Again, change "AdminName" to the name of your administrative account. Then drag the file to your quick launch panel and change the icon to something prettier if you wish. Click on the icon in your quick launch, and enter your admin password. You now have an administrative Control Panel open.

These two quick launch icons will give you any control you need during your time spent in a less privileged account. It is extremely hard for malicious software to do damage with an account in the Windows "User" group.