Me.
I also use a Software Restriction Policy, which means that nothing can run from any location other than \Windows or \Program Files. If I want to run an installer, I download it from the author's site and verify the ShA1 / MD5 hash ( when available ).
I then :
1. Right click and "Run as Administrator"
or
2. move it under \Program Files and run it from there as a Standard User. IF it's a well written installer that doesn't demand Administrator rights unnecessarily. The complexity of modern software means that such installers are rare, though.
Luckily everything I use behaves under UAC, so I don't find it inconvenient to work within such a restrictive environment.
I don't know if the ActiveX / Flash components of browsers can write to locations that require higher privileges than the privileges that the browser was launched with. I'm guessing they can't, in which case running IE in Protected Mode ( or e.g. Firefox as another User ) from within a Standard User account, should severely limit the damage these exploits can inflict.
You make it sound so easy
When I replace laptop HDD I'll try and follow this advice, as normally just use laptop for browsing.I used to disable Flash plug-in in Internet Explorer, and only re-enabling it for Youtube and alike sites. But got bored of that and just leave it enabled now.
Would be interested to know from Nathan if Google Chrome is considered better than Internet Explorer Protected mode when using Adobe Flash. I'd prefer to use SRWare Iron than Google's information farming Chrome browser. If was considered better than Internet Explorer.
