Using RUNAS to launch Explorer as less-privileged user
As you probably know, runas.exe is a great tool for lowering the privileges under which some “unsafe” programs can run. One such example might be Firefox (or God forbid, Internet Explorer) or your favorite e-mail client, or perhaps Explorer itself. Well, explorer.exe is special in this case, because out of the box it doesn’t run with runas. I really never cared to find out why. Tonight was the night :-)
I entered the following magic keywords in the Google search box: “Why can’t you run Explorer with runas” and a few seconds later clicked on the very first hit, “Runas with Explorer”, which explains the topic quite well.
I prefer the second suggested solution. Let’s say that you have a special local user with minimal privileges, called Internet, and that you want to use that account for every (potentially) unsafe operation, including launching the Explorer that’ll be used to run other programs and files.
You’ll have to change the SeparateProcess flag for Explorer for the Internet user:
1) Log on locally as the Internet user and open the registry editor – regedt32
Better yet, use runas:
cmd> runas /user:hostname\Internet regedt32
…where hostname is the name of your workstation.
2) Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced and change SeparateProcess from 0 to 1.
3) Now you can create a shortcut on your desktop to launch Explorer as the Internet user:
Target: runas /user:hostname\Internet explorer.exe
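
Steps 1 and 2 can also be scripted. The PowerShell below is an added example, not part of the original post: it sets SeparateProcess in the hive of whichever account runs it and reads the value back. The file name Set-SeparateProcess.ps1 and the <path> placeholder are hypothetical, and it assumes runas loads the Internet user's profile (its default behaviour), so that HKCU points at that user's hive.

```powershell
# Added example (not from the original post). Launch it AS the low-privileged
# account so that HKCU resolves to that account's registry hive, e.g.:
#   runas /user:hostname\Internet "powershell -NoExit -NoProfile -File <path>\Set-SeparateProcess.ps1"
# Set-SeparateProcess.ps1 is a hypothetical file name; <path> must be readable by that account.

$ErrorActionPreference = 'Stop'

$keyPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$valueName = 'SeparateProcess'

# Show whose hive is about to be modified.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
Write-Host "Running as: $($identity.Name)"

# Sanity check: the account is supposed to have minimal privileges.
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'This token has administrator rights; it is not a low-privileged account.'
}

# The key may be missing if this account has never started Explorer.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Record the current value (absent is reported as <not set>).
$before = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
Write-Host "SeparateProcess before: $(if ($null -eq $before) { '<not set>' } else { $before })"

# Step 2 of the procedure: SeparateProcess = 1 (DWORD).
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null

# Read the value back and fail loudly if the write did not stick.
$after = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($after -ne 1) {
    throw "SeparateProcess is $after, expected 1"
}
Write-Host "SeparateProcess after:  $after"
```

The "Running as" line is the check that matters: if it shows your own account rather than Internet, the value was written to the wrong hive.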