SRP and Run As...

Is it possible to configure XP Pro SP2 such that RunAs privileges are
applied before Software Restriction Policy is evaluated?

Take the example of an executable stored in c:\temp. Software
Restriction Policy prevents execution of anything in c:\temp by ordinary
users, but is not enforced for local administrators.

SRP works as expected for the primary logon - local admins can execute
programs from c:\temp, ordinary users cannot - however RunAs does not
permit running programs from c:\temp as admin while logged in as an
ordinary user. The system issues the "Blocked by SRP" error before it
even checks the admin account credentials provided (you still get an SRP
error if you supply a bad admin password).

It seems to me XP is doing things backward here - I can get around it by
using RunAs to start a command prompt, then executing programs from
there, but it would be much more convenient to use RunAs directly.

Sunny wrote:
Is it possible to configure XP Pro SP2 such that RunAs privileges are
applied before Software Restriction Policy is evaluated?

Take the example of an executable stored in c:\temp. Software
Restriction Policy prevents execution of anything in c:\temp by ordinary
users, but is not enforced for local administrators.

SRP works as expected for the primary logon - local admins can execute
programs from c:\temp, ordinary users cannot - however RunAs does not
permit running programs from c:\temp as admin while logged in as an
ordinary user. The system issues the "Blocked by SRP" error before it
even checks the admin account credentials provided (you still get an SRP
error if you supply a bad admin password).

It seems to me XP is doing things backward here - I can get around it by
using RunAs to start a command prompt, then executing programs from
there, but it would be much more convenient to use RunAs directly.


Anyone?