Old March 24th 10, 08:30 PM posted to microsoft.public.windowsxp.security_admin
FromTheRafters[_3_]
Is non-admin logon worth it?

"njem" wrote in message
...

> I'm trying to move workstations in our office to non-admin logons for
> better virus protection. Man, what a pain. The complications seem to
> be unending. So now I want to verify that it's even worth it. Who
> understands how viruses infect well enough to really know (not just
> have heard) that not having an admin logon as the normal user logon
> actually makes it harder for viruses?


Forget viruses for this discussion, concentrate on malware and users.

> None of my stations are logged on as "Administrator", just
> as some user that is an admin.


In XP there is no difference there.

On W7, not being "Administrator" would mean that integrity levels come
into play. Integrity levels are involved in triggering UAC prompts. This
is not enough security-wise, as there is no security boundary implied in
the UAC consent prompt in the "protected admin" (Admin Approval Mode)
account. To get that security boundary, the UAC-generated credentials
prompt from within a standard account is the way.

> And it's a mix of XP and W7 stations and I _think_ that makes a
> difference.


No difference; every user should have only the amount of power that they
*need* and no more (Principle of Least Privilege).

> I have a vague idea that under XP if the user is an admin they, or a
> virus, can do pretty much anything with no need to give permission.


Correct, they *have* permission - no need to ask for it. Malware running
in a limited account will have limited power and scope.

> So maybe on an XP station it's worse. On a W7 station even if they are an
> admin level user (and UAC is at default level) you'll get an ask
> dialog if a virus wants to install something, I think.


If malware tries to do something outside of the standard user's scope
(even the admin level account (AAM) functions as a standard account), a
UAC prompt is invoked. In XP, the admin level account has the
administrator's token on his keychain. In W7, the admin level account has
the standard user's token on his keychain, and the admin token in his
back pocket for easy access.

An attack against a standard user will be limited in scope (sorry, I
don't have the admin keys), as will an attack against the admin level
user (unless the attacker picks his pocket - which *might* be possible).

> But would a virus infection really trigger a "you don't have
> permission" message if on XP a user was not an admin?


It depends on the malware, you could get a "silent failure" in some
cases, messages in others.

> Would it trigger a UAC confirmation box in W7?


It depends on what it is trying to do, some malware might not try to do
anything outside of its scope.

> Or do they manage to bypass all that?


Not all kinds of malware are trying to sink their teeth deep into the
host system. Viruses in particular don't really need any power that is
not normally granted to standard users (which is why I suggested not
considering viruses in this discussion). Most other malware will have a
desire to "get themselves started" after a reboot (a virus can be
perfectly content to run when its host program does). Most often, the
methods they use to start themselves (run/runonce keys, BHOs, path
hijacking) can be fortified against such misuse by making them require
admin level permissions to use them.

> (I know if a scam can trick a user into clicking okay all bets are
> off.)

That is but one way to pick a pocket. There *might* be a way through
software as well. It is still best to make use of the security boundary
offered by separate accounts so there is no "token in pocket" to pick.
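
The token model and the autostart-location hardening described in this post, as an added example that is not part of the thread and not from either poster. It assumes Windows Vista/7 or later with PowerShell 2.0+ (on XP the TokenElevationType query is not implemented, and the script falls back to plain group membership); the P/Invoke wrapper and the names TokenProbe, Get-TokenState and Test-RegistryWritable are the example's own. Run it once from a normal prompt and once from an elevated prompt in an Admin Approval Mode account: elevation type 3 is the filtered token with the full admin token "in the back pocket", 2 is the full token in use, and a standard user reports 1 with no admin rights.

```powershell
# Added example (not from the thread): classify the current logon token the
# way the post describes and probe whether this token can write the
# machine-wide autostart locations the post lists.

$source = @'
using System;
using System.Runtime.InteropServices;
public static class TokenProbe {
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
        out int TokenInformation, int TokenInformationLength, out int ReturnLength);
    // TOKEN_INFORMATION_CLASS.TokenElevationType = 18
    // TOKEN_ELEVATION_TYPE: 1 = Default (no linked token), 2 = Full, 3 = Limited
    public static int ElevationType(IntPtr token) {
        int value, len;
        if (!GetTokenInformation(token, 18, out value, 4, out len)) return 0; // 0 = unsupported (e.g. XP)
        return value;
    }
}
'@
if (-not ('TokenProbe' -as [type])) { Add-Type -TypeDefinition $source }

function Get-TokenState {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    # IsInRole ignores deny-only SIDs, so it is False in the filtered (AAM) token
    # even though the account is a member of Administrators.
    $adminNow  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $elev      = [TokenProbe]::ElevationType($id.Token)
    $kind = switch ($elev) {
        2 { 'Full admin token in use (elevated prompt, or UAC off)' }
        3 { 'Filtered token in use; a full admin token is linked to this logon (AAM)' }
        1 { if ($adminNow) { 'Full admin token, no split token (UAC off)' }
            else           { 'Standard user; no admin token exists for this logon' } }
        default { if ($adminNow) { 'Administrator (elevation type unavailable, XP-style)' }
                  else           { 'Standard user (elevation type unavailable)' } }
    }
    New-Object PSObject -Property @{
        User = $id.Name; AdminRightsNow = $adminNow; ElevationType = $elev; Description = $kind
    }
}

function Test-RegistryWritable {
    param([string]$Hive, [string]$SubKey)
    $root = if ($Hive -eq 'HKLM') { [Microsoft.Win32.Registry]::LocalMachine }
            else                  { [Microsoft.Win32.Registry]::CurrentUser }
    try {
        $key = $root.OpenSubKey($SubKey, $true)   # $true requests write access
        if ($key -eq $null) { return $false }     # key absent
        $key.Close()
        return $true
    } catch {
        return $false                             # SecurityException: access denied
    }
}

Get-TokenState | Format-List User, AdminRightsNow, ElevationType, Description

# Autostart locations named in the post: Run/RunOnce keys, BHO registrations,
# and the system PATH used for path hijacking. HKCU Run is included for contrast.
$autostart = @(
    @{ Hive = 'HKLM'; SubKey = 'Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Hive = 'HKLM'; SubKey = 'Software\Microsoft\Windows\CurrentVersion\RunOnce' },
    @{ Hive = 'HKLM'; SubKey = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' },
    @{ Hive = 'HKLM'; SubKey = 'System\CurrentControlSet\Control\Session Manager\Environment' },
    @{ Hive = 'HKCU'; SubKey = 'Software\Microsoft\Windows\CurrentVersion\Run' }
)
foreach ($loc in $autostart) {
    $w = Test-RegistryWritable -Hive $loc.Hive -SubKey $loc.SubKey
    '{0,-5} {1,-80} writable: {2}' -f $loc.Hive, $loc.SubKey, $w
}
```

The HKLM probes come back False for a standard user and for the unelevated AAM token, and True once the full token is in use, which is the "requires admin level permissions" fortification the post refers to. The HKCU Run key is writable from every token, so malware running as a standard user can still persist for that user's logons; the separate-account boundary limits the damage to that profile rather than preventing persistence outright.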
