Date: Thu, 2 Sep 2004 15:04:33 -0700 (PDT)
From: "Rick Graves" <gravesricharde@yahoo.com>
Subject: more bulletproof Win XP
To: "Whom It May Concern" <gravesr@hutchcity.com>


Hey,


I am trying to let others know about a highly effective step to protect Win XP PCs against most or all viruses, worms, Trojan horses and spyware -- make Win XP systems more "bulletproof".


This is not a sales pitch. I am just a Win XP user who discovered a "secret" way to better protect Win XP systems.


This is something Microsoft does not tell users how to do. (I have concluded that using Win XP in this way is a Microsoft company secret, but that is a different matter.)


Here is the "secret" method: on any Win XP installed with the NTFS file system, create a "Limited" account, and use that account to surf the web and access your email (the two activities with the greatest malware exposure). Internet Explorer, MS Outlook (we have only tested the 2000 version), and the current Outlook Express are all fully functional from a "Limited" account. (Internet Explorer works right out of the box under a "Limited" account. Outlook may require some setup steps, such as moving the Outlook files to a directory under Shared Documents.)


With this measure, anti-virus software might be unnecessary. I do not have the resources to test the method exhaustively and determine whether anti-virus software is necessary or not. In any case, bear in mind that the companies selling anti-virus software are likely to be hostile toward publicizing this method. And I believe Microsoft is likely to throw up a smokescreen.


This method works because when running under a "Limited" account on an NTFS install, you have no write privileges in the system directories (c:\Windows and c:\Program Files), so malware cannot install itself there. (Running under a "Limited" account on a FAT32 install will not protect your PC: FAT32 has no file permissions (ACLs) at all, so there is nothing for the account restrictions to be enforced against. But most Win XP systems are NTFS installs.)


Caveat! Today, there are people who assume one person can have one and only one account under Win XP. To be receptive to this defensive measure, a person must accept that one person can have two or more accounts. If a person is stuck on "one person, one account" thinking, this defensive measure might not make any sense. You need at least one Administrator account in Win XP to install/uninstall software and to apply "critical updates". The meat of this method is to set up one or more "Limited" accounts in addition to the Administrator account(s), and to use a "Limited" account when surfing the web or opening email.
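Here is an added script (not part of the original mail) that does the setup above and checks the two things the method depends on: that the system drive is NTFS, and that the new account is in Users only and really is refused writes in the system directories. It assumes Windows PowerShell 2.0 or later, which did not ship with XP and has to be installed separately; the account name "Surfer" is the one used in the mail, and the Test-WriteAccess function is my own name for the check.

```powershell
# Added example, not from the original e-mail. Run once from an Administrator
# account to create the Limited account and inspect the ACLs; then run the
# Test-WriteAccess function from the Limited account to see the denial.
# Assumes PowerShell 2.0+ (a separate install on XP). Account name is from the mail.
$LimitedUser = 'Surfer'

# 1. The method only works on NTFS: FAT32 has no ACLs to enforce.
$sysDrive = $env:SystemDrive
$fs = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$sysDrive'").FileSystem
if ($fs -ne 'NTFS') {
    throw "$sysDrive is $fs, not NTFS; a Limited account will not protect this install"
}

# 2. Create the account and make sure it is in Users only, never Administrators.
#    This is exactly what the XP User Accounts applet calls a "Limited" account.
net user $LimitedUser '*' /add           # net.exe prompts for the password
net localgroup Users $LimitedUser /add | Out-Null
net localgroup Administrators $LimitedUser /delete 2>$null | Out-Null

# 3. Confirm the account did not end up in Administrators.
$admins = net localgroup Administrators
if ($admins -contains $LimitedUser) { throw "$LimitedUser is still an Administrator" }

# 4. Show what BUILTIN\Users may do in the two system directories:
#    expect ReadAndExecute, not Modify or FullControl.
foreach ($dir in @($env:SystemRoot, $env:ProgramFiles)) {
    (Get-Acl $dir).Access |
        Where-Object { $_.IdentityReference -like '*\Users' } |
        Select-Object @{n='Dir'; e={ $dir }}, IdentityReference, FileSystemRights, AccessControlType
}

# 5. Run this later FROM THE LIMITED ACCOUNT. It tries to create and delete a
#    scratch file in the directory and reports whether the write was allowed.
function Test-WriteAccess([string]$Path) {
    $probe = Join-Path $Path ('probe-' + [guid]::NewGuid().ToString() + '.tmp')
    try {
        [IO.File]::WriteAllText($probe, 'x')
        Remove-Item $probe -Force
        return $true        # write succeeded: this directory is NOT protected
    } catch [UnauthorizedAccessException] {
        return $false       # access denied: what a Limited account should see
    }
}

# From the Limited account both of these should print False; from an
# Administrator account both print True.
Test-WriteAccess $env:SystemRoot
Test-WriteAccess $env:ProgramFiles
```

If step 4 shows Users with Modify or FullControl on either directory, the ACLs have been loosened (some installers do this) and the Limited account will not give the protection the mail describes until the defaults are restored.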


I am just a Win XP user. I do not have the resources to test this exhaustively. Friends and I have discovered a "Virtual Bouncer site test". Virtual Bouncer seems to be among the most notorious malware rampaging today. I concluded this from the "Important Urgent Notice" near the bottom of the "SpyWare Guide" site, here:


http://www.spywareguide.com/txt_contactus.html


Here is the "Virtual Bouncer site" test (but do not try this until you are ready, see below):


Go here,


http://www.spywarelabs.com/downloads.html


Click on "CLICK HERE TO TRY VIRTUAL BOUNCER NOW".


In our tests, surfing from a "Limited" account on a machine with the NTFS file system passes the test -- Virtual Bouncer cannot install. We have tested some other malware, and the "Limited"/NTFS combination always passes -- all tested malware was blocked.


You CAN try THIS at home! (Discussion of Testing Methods)


I ran the Virtual Bouncer site test on my parents' PC directly because I was confident that a "Limited" account on an NTFS system is invulnerable. If you are squeamish about subjecting your computer to this test, you can conduct the test without risking your PC. Most anyone can SAFELY see for themselves, even at home.


Here is a picture of the setup at my parents' condo while I was visiting there:


http://www.advanced-app.com.hk/MiscJunk/AtHome.jpg


Note that the main drives are unplugged. The test drive is plugged in. Do a fresh Win XP install on the test drive so you can start with a clean baseline. On the new install on the test drive, you must have one Administrator account, and set up one "Limited" account. (I call the "Limited" account that I use for surfing the web and accessing email "Surfer", but you can call yours anything you like.)


Test with confidence! No matter how badly you trash the test drive, when you plug your main drive(s) back in, it will be as if nothing happened. (Only plug in and unplug drives with the power off and the power cord unplugged from the back of the PC.)


With the test setup, you can try anything without risking damage to the hard drives on your PC that you care about.


To demonstrate how bulletproof your PC will be with the "Limited" and NTFS combination, you can try the "Virtual Bouncer site" test without any antivirus software. From a "Limited" account on an NTFS install, you cannot get Virtual Bouncer.


One way to objectively measure the Virtual Bouncer (or other) test "before" and "after" is to do virus and spyware scans before and after. Doing a virus scan on a fresh install is probably not necessary. A spyware scan on a fresh install will pick up some "problems". We have used "SpyBot", available here as a free download:


http://www.safer-networking.org/en/index.html


I installed SpyBot, but I did NOT turn on SpyBot protection for the PC. Go without to test the effectiveness of just the "Limited" account on a NTFS install. (And of course, I did not install anti-virus software on the test drive.)
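As an added check (not from the original mail), here is a more direct "before and after" measure than a spyware scan: snapshot every file under the system directories and the surfing account's profile, plus the Run/RunOnce autorun registry keys, before the Virtual Bouncer test, and diff the snapshots afterwards. Anything malware managed to drop or register shows up as a new line. It assumes PowerShell 2.0 or later; the function names are mine, and the profile-relative output paths in the usage comment are just suggestions.

```powershell
# Added example, not from the original e-mail. Assumes PowerShell 2.0+.
# Run Save-Snapshot from the Limited account before the test, run the test,
# save a second snapshot, then compare. "=>" lines are new or changed after.

function Get-FileState([string[]]$Roots) {
    # One line per file: path|size|last-write-ticks. Directories the Limited
    # account cannot read are skipped silently rather than aborting the walk.
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { '{0}|{1}|{2}' -f $_.FullName, $_.Length, $_.LastWriteTimeUtc.Ticks }
    }
}

function Get-AutorunState {
    # The classic persistence points; a Limited account can only write the HKCU ones,
    # which is exactly why they are worth watching in this test.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (Test-Path $k) {
            $props = Get-ItemProperty $k
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -notlike 'PS*') { '{0}|{1}|{2}' -f $k, $p.Name, $p.Value }
            }
        }
    }
}

function Save-Snapshot([string]$OutFile) {
    $roots = @($env:SystemRoot, $env:ProgramFiles, $env:USERPROFILE)
    @(Get-FileState $roots) + @(Get-AutorunState) | Sort-Object | Set-Content $OutFile
}

function Compare-Snapshot([string]$Before, [string]$After) {
    Compare-Object (Get-Content $Before) (Get-Content $After) |
        ForEach-Object { '{0} {1}' -f $_.SideIndicator, $_.InputObject }
}

# Usage, from the Limited ("Surfer") account so the profile snapshotted is the
# one that does the surfing (output paths are assumptions, pick any writable spot):
#   Save-Snapshot "$env:USERPROFILE\before.txt"
#   ... run the Virtual Bouncer site test ...
#   Save-Snapshot "$env:USERPROFILE\after.txt"
#   Compare-Snapshot "$env:USERPROFILE\before.txt" "$env:USERPROFILE\after.txt"
```

Expect some noise under the profile (Internet Explorer's cache, cookies and Temp directory change on every page load); what matters is that nothing appears under the system directories and no new Run/RunOnce values show up.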


SpyBot considers some cookies to be spyware. Cookies may be spyware by some definitions, but cookies are not the most malicious spyware. Also, whether you accept cookies is determined by your browser settings, not by whether you are running under a "Limited" account on an NTFS install.


You can wipe all cookies with the click of a single button -- almost.


There are several ways to get to the button. The easiest way to explain is go into IE, click on Tools, Internet Options. A dialog will appear. Half way down toward the left is a button "Delete cookies". The button does what it says.


I ran SpyBot before and after clicking the button. After showed less "spyware" by about 75% or so.


This would be a step to cut down the noise in tests for the more malicious spyware. So before running SpyBot, I recommend deleting all cookies.


An alternative is to adjust the "Advanced" SpyBot settings to ignore cookies. PC World put out instructions here:


http://www.pcworld.com/howto/article/0,aid,116990,00.asp


After running spyware tests, you can plug your main drive back in, and plug in the test drive instead of your CD drive. This will allow you to run a virus scan on the test drive, to determine whether the test drive picked up any viruses.


Big Picture


This method is better than antivirus software in a way -- there is no need to constantly keep definitions up to date. Perhaps it is fair to say that antivirus protection is always playing catch up to the new malware out there. Until your PC gets the updates, your PC is vulnerable to the new malware out there. This method does not have to play catch up.


This method seems so effective, I wonder whether it could make antivirus software obsolete. The Linux world does not need antivirus software. If Microsoft promoted the same safe computing habits promoted in the Linux world, perhaps Windows would not need antivirus software either. But this is not the main point, just an aside.


Why doesn't Microsoft let Win XP users know about this option? I can only guess -- when asked, I would say Microsoft people put up a smokescreen on this topic. Here is my guess: Microsoft does not want to disadvantage marketing efforts to promote Microsoft application software (other than Internet Explorer and Outlook) that do NOT work properly under "Limited" accounts. But please bear in mind, that is just my guess.


By the way, in the Linux world, "Limited" accounts are called "regular user" accounts. I would also guess that Microsoft applied the pejorative label "Limited" in order to discourage people from using this method.



It seems that Microsoft created the "Limited" account to be a "regular user" account, but then decided to sweep it under the rug before bringing Win XP to market. Consider carefully the last two sentences on the "Limited" account screen under Win XP; I put a picture here:


http://www.advanced-app.com.hk/MiscJunk/LimitedAccounts.jpg


(Stand alone Win XP installs will have this screen under User Accounts. Win XP installs connected to a Windows server may have different screens. Also, note the name on the account -- I call the "Limited" account that I use for surfing the web and accessing email "Surfer", but you can call yours anything you like.)


The last two sentences imply that products bearing the "Designed for Windows XP" logo should work under a "Limited" account (not always true in my experience), and suggest that legacy applications can be run under an Administrator account.


This method would be simpler if products bearing the "Designed for Windows XP" logo were fully functional under a "Limited" account, and the "Limited" account could be a "regular user" account, as under Linux. In my experience, however, not all products bearing the "Designed for Windows XP" logo are fully functional under a "Limited" account. Current versions of Internet Explorer and Outlook are, though. So for the highest risk activities -- surfing the web and opening email -- one can take advantage of the protection this method offers.


Final caveat: I am told that this method will NOT protect against all vulnerabilities. For example, a system without all "critical updates" and not protected by a firewall would be vulnerable to Operating System invasions through the Internet connection. So this method will not, by itself, make Win XP systems 100% "bulletproof". Nonetheless, this method seems to fully protect Win XP systems from the vast majority of common viruses, worms, Trojan horses and (non-cookie) spyware.


I hope this is helpful.


Rick Graves

gravesricharde@yahoo.com