Windows 10-: How do I create a user account that does not allow downloads?

My mother's downloaded a virus to her computer. I want to prevent this from happening again so I want to create a user account that does not allow downloading of anything.
From what I read, a Standard account will not allow any type of downloading or installation.
However I was able to download and install Windows Essentials while logged into her account. Why is this?

 

A standard account allows downloading to any unprotected path.

The Windows Essentials installer, IIRC, only copies a collection of binaries without writing anything to registry or protected paths. It doesn't trigger UAC.


A Windows user account with no write access globally, while technically possible, probably won't work very well since none of the applications your mom needs to use would be able to write their own configuration files. If you really need to keep her usage under tight control, try VM snapshots or a more locked-down platform instead of Windows. Either way it requires some configuration and adaption effort from both of you.

 

Maybe I am not understanding.

When the file downloaded attempted to run the Windeows Essential installer I received the Windows UAC prompt.

 

My memory has failed me then.

If an installer or any other software requires admin rights you would get a UAC prompt asking for password of the primary admin account. Is that what you're seeing? If so it's normal. As long as the normal user doesn't know the admin password he/she should not be able to go further.

To disable UAC prompt and deny admin rights all together, set "Local Policies \ Security Options \ User Account Control: Behavior of the elevation prompt for standard users" to "Automatically deny elevation requests" in security policy.

 

I thought having a Standard Account would prevent all this?
Is there any other way?

 

It doesn't. The only difference by default is requesting proof of admins rights via the admin password UAC prompt, which you can disable with the policy change if desired. Even if you do, there is nothing to stop the virus or malware from running through the normal user account, which is enough to do a lot of damage.

Preventing virus and malware downloading entirely while maintaining usability on a normal Windows install is, to my knowledge, not possible with the exception of some very limited use cases. You can use security / anti-virus software with aggressive settings, but that's still a hit and miss.

The most aggressive approach you can possibly get away with might be something like this. It tries to prevent new binaries and scripts from being created on the file system by filtering their extension names. It will block a large portion of attacks (getting around it is still easy when the bad guy is aware of it), but software updates won't work. There might be other hidden issues if the normal operation of the applications needed requires editing those types of files on the fly for some reason.

 

This is really only possible through registry edits or a "pro" version of Windows. Here are a few things you can do to prevent your mom from downloading malicious software

1) First thing's first... talk to your mom and explain to her what viruses are, and how she can avoid them. Don't click on ads, ESPECIALLY anything that says "WINNER" or "Your computer is infected"

2) Use google chrome ONLY, and download AdBlock. This will hide all ads so she can't even be tempted to click on them.

3) Use chrome's settings to block ANY websites which you do not want her to visit.

4) Download a trial version of BitDefender Total Security 2016... It is an amazing anti-virus, and you can extend the trial period by up to 200 days by finding "promotional" BitDefender codes online. BitDefender will block malicious downloads and websites 99% of the time. If you end up liking it, I can personally say that it is definitely worth your money.

 

Hate to bring up a point but if you install Linux the threat is reduced significantly.

 

That's, in some sense, up to JWBlue's mother to decide.

If a person doesn't feel suspicious seeing common social engineering efforts and just click on them, chances are changing to a different shell with a lot of applications showing new UI won't work very well. (Unless the majority of functions needed can be satisfied with a browser, in which case it's easy.)

 

Well create a username that doesn't have admin rights. If the file was downloaded it has to be installed to infect her. If the attack was from a website where malicious code was running you need realtime virus protection and real time malware protection. The difference between real time and non real time protection is real time will stop the attack before it happens. It recognizes it and blocks it. Non real time you run a scan after the attack has affected your machine and it quarantines it or deletes it.

Real time protection costs more but is keeps you safer.

 

I would use uBlock Origin in Chrome. Best adblock filter I've found.