
Talking Shop: Installing apps in Windows 2000

See what strategies TechRepublic members suggest for installing apps under Win2K without compromising security.

I've been parallel processing lately, testing beta releases of Windows Millennium Edition on one machine, while still using Windows 2000 for my main production system. After a full day of switching back and forth, I feel a little like I've been commuting between parallel universes. Despite similar user interfaces, the two operating systems might as well be from different planets. I pity the poor Windows 98 user encountering Windows 2000 for the first time; chores they can handle in their sleep in Windows 95/98, like installing a new program or copying a group of files, can lead to a cascade of error messages if permissions aren't set properly.

I get frequent e-mails from Windows 2000 newbies who are puzzled, at least temporarily, by the whole concept of user accounts. One such e-mail inspired the Microsoft Challenge of May 4. According to Microsoft, you should never use an administrative account for everyday computing, especially if you're connected to the Internet. But that causes big headaches for power users who want to install new applications. In fact, many install programs simply won't run unless you have administrative rights. So I asked TechRepublic members: What sort of best practices should Windows 2000 Professional users follow when installing new software?

Member tysonmathews did a fine job of explaining the most serious issue: "It is a good practice to have both a normal and admin account," he wrote. "Use the admin account only when necessary, such as to install TRUSTED software. Untrusted software should be installed/run from a normal user account to ensure that malicious acts do not affect your entire system. Using both admin and non-admin pretty much makes Trojans impractical, since they cannot alter system resources that could be used to load the Trojan on start-up."

Of course, those same protective mechanisms can get in the way when an application needs to add or change a registry key or save data files to a shared folder. I'm grateful for those rare occasions when I find apps that are completely aware of multiuser systems and offer you a choice as to how to install. Unfortunately, I can remember seeing only one such app in the past two years, and I don't even remember its name.

Most mainstream Windows apps written for Windows 95 or 98 assume the user has full rights to the registry and the file system. That can cause problems under Windows NT/2000 if the Setup program tries to write a registry key whose access rights are reserved for administrators. Conversely, some programs written for Windows 2000 and NT make the opposite mistake, assuming that only administrators can install the application.

What's a power user to do?
Several TechRepublic members suggested the idealistic answer: Stick with programs that use Microsoft Installer technology, which manages application installation as a service. Unfortunately, besides Microsoft Office 2000, there aren't all that many programs that use Installer packages yet. Maybe when Windows 2010 is ready.

A few fearless readers argued for assigning full administrative privileges to your own account to eliminate the hassles. Sorry, not on my system.

A solid majority of pragmatists recommended using the RunAs option. That's probably the best solution for day-in and day-out use, because it allows the user to log on using an administrator's account without having to close all running programs. TechRepublic member msullivan laid out an entire program of sensible dos and don'ts (and earned the full allotment of TechPoints in the process):
  • DO create two accounts for each power user: one for normal use, one for administrative rights. "Good" programs will install under Win2K as the normal user. "Bad" programs will require administrative logon, or "Run As."
  • DO block Internet access and e-mail for these administrative accounts. This will discourage everyday usage of the administrative account and protect your systems.
  • DO use Group Policy to manage this tangled web of users and rights.
  • DO use Group Policy to manage the distribution of the software. Software distributed by GPO will be installed under the elevated privilege of the local system account.
  • DON'T put the administrative accounts in the local admin on every computer—only where that user will actually log on locally.
  • DON'T buy software that requires administrative rights just to be installed unless you absolutely have to.
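
The RunAs approach recommended above, as an added example that is not part of the original column: a small cmd script that starts a single installer under a separate administrative account while the desktop stays logged on as the normal user. The account name InstallAdmin and the script itself are assumptions for illustration.

```bat
@echo off
rem Added example, not from the original article.
rem Usage: adminsetup.cmd "C:\path\to\setup.exe"   (script name is hypothetical)
rem Runs one installer under a separate administrative account via RunAs,
rem so everything else in the session keeps running as the normal user.

setlocal
rem Assumption: a local account named InstallAdmin that belongs to the local
rem Administrators group and is never used for e-mail or browsing.
set ADMIN_ACCOUNT=%COMPUTERNAME%\InstallAdmin

if "%~1"=="" goto usage
if not exist "%~f1" goto missing

rem Windows Installer packages are handed to msiexec; any other setup
rem program is started directly.
if /I "%~x1"==".msi" goto msi

rem Inner quotes are escaped with a backslash so that runas passes a path
rem containing spaces through as one argument.
runas /user:%ADMIN_ACCOUNT% "\"%~f1\""
goto :eof

:msi
runas /user:%ADMIN_ACCOUNT% "msiexec /i \"%~f1\""
goto :eof

:usage
echo Usage: %~nx0 "path-to-installer"
goto :eof

:missing
echo Installer not found: "%~f1"
goto :eof
```

runas prompts for the administrative account's password each time. The installer must sit somewhere that account can read, because drive mappings made by the normal user are not visible to the second logon.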

My solution? A hybrid that has worked well for me for as long as I've been using Windows NT/2000. For starters, I never install any application I don't trust—not on a production machine, anyway. I always install a new application twice. First, I log on as Admin and run the Installation program. This ensures that the software has the full rights to add or edit registry keys and data directories. Then, I log on with my regular user account and reinstall the application. This second install adds shortcuts to my personal profile and sets up any per-user registry keys. The extra step may seem like a hassle, but in the long run I've discovered it actually saves me headaches.

Here's Ed's new Challenge
Last week, I asked for Explorer replacements. This week, the Challenge is to replace the underpowered Notepad with a real editor. Two ground rules:
  1. Be sure to include the URL where I can find the software.
  2. Don't forget to list the killer feature(s) that make this one worth trashing Notepad for.

I'll hand out 250 points to each nominee. Think your editor is the best? State your case here. But don't delay—this challenge closes at the end of the day on Thursday, May 25.
