| I don't install Flash, Adobe PDF reader, or Java as well. JS is enabled
| in FF; but not with IE. (If fact, I try not to use IE at all.)
| But some exploits are directly in Windows itself.
I don't know what you mean. Do you mean like
attacks in email? That should also be blocked by
disabling script, HTML and remote linking in email.
Of course there could be attacks through
attachments. I sometimes get booby-trapped ZIP
files. One just needs to be careful. When the email is
from "Bridgette Wong", whom I've never heard of,
and the subject is "your contract", then I look at
the email as source code before opening it. :) I
also tell friends to write *something* in the email if
they expect me to open an attachment, so that I
know that they know they sent it.
I don't know what other kinds of exploits might
be "in Windows itself". It has to come from somewhere
outside: webpage, download, email, USB stick with
auto-run enabled, etc.
Most problems are with those Web-connected
programs. And those problems are nearly all related
ago there was a bug in gdiplus.dll that allowed
attacks via corrupted JPG files. That actually required
a Windows update to fix. But those problems are rare.
| Unless you are
| constantly installing software, I cannot see where the extra user-level
| dialog boxes (the ones that ask for an admin password) cause enough
| bother to offset the protection they can sometimes provide.
I don't like distractions and obstacles, especially
when they're unnecessary. As I said, I've never
had a problem, so the hassle would not be providing
protection. It would be like putting kiddie locks on all
of my kitchen cabinets. They'd drive me crazy, and
no kids live here.
For friends who don't know how to be careful
I install AV. That should let them know if something
tries some funny business. And I warn them about
email attachments. Even for them, lackey mode
seems like overkill to me. It's mainly designed to keep
corporate employees from doing anything they don't
have permission to do. One case of the OS telling me
I don't have permission to access a file is one case too
many of idiotic obstacles, from my point of view.
And as I pointed out above, most exploits that work
are now designed to bypass restrictions.
There are pros and cons to both sides of the argument.
The problem is that the pro-restriction side always talks
like their view is simply right. It's not "right". It's one
approach, which is designed primarily for corporate
customers. In recent years it's also become the norm in
general usage, due to 3 dovetailing causes:
1) Corporate IT people only know the admin/lackey model
and tend to advise about what they know.
2) Security online has become more of a problem.
3) Microsoft want to close down control of the system in
order to sell services. Causes #1 and #2 provide them with
a perfect excuse to move in that direction, with Microsoft
essentially becoming your IT admin/boss. They can access
files that you can't. Restrictions also help MS to reduce
tech support costs. If you can't touch anything but your
own DOC files then you can't break anything and therefore
won't be calling MS to get it fixed.
Windows 10 is very gradually moving toward being
interactive TV, selling you services while spying on
you and showing you ads. The widespread fallacy that
it's not safe to allow yourself access to your own
computer is helping them to achieve that.
So all I'm advocating is a reasoned approach. If you
want to run restricted that's fine. If you want a
governor on your car speed, or a protective grille around
your stove burners, or complex blade guards on your
table saw, or grab bars in your shower (as someone was
talking about above)... All those things could make some
sense. But that's not the same as saying everyone
should do what you do.