Among the many, many changes made to Windows Vista, the one that's drawn the most attention is User Account Control, or UAC for short. In this article I'm going to talk about UAC as it'll affect someone who's come in from XP, and may be surprised to find that things they did before without consequence are now being interrupted.
1. UAC Explained
The idea behind UAC is simple:
The main goal of User Account Control is to reduce the exposure and attack surface of the operating system by requiring that all users run in standard user mode. This limitation minimizes the ability for users to make changes that could destabilize their computers or inadvertently expose the network to viruses through undetected malware that has infected their computer.
-- User Account Control Overview
Too much of the time, people would allow their systems to be hijacked by third-party programs, and UAC is intended to keep that from happening. Most of the early word on UAC was mixed: it was a good idea, but the end result was the user being constantly interrupted to do what seemed like terribly trivial tasks. Thankfully, the number of interruptions and false alarms has been brought way down in RC1 (and in RC2 as well). The idea is to strike a balance between being protective and being laissez-faire, so that the user doesn't get burned out too quickly on UAC warnings, and just move to automatically dismiss them (and thereby invalidate their usefulness).
UAC is only one of a number of other security changes, but it's one of the most visible and immediate. (For one, the built-in administrator account has been disabled by default. If you need it, it can be enabled manually and used "on-demand".)
Summary: A good idea in theory, but potentially intrusive in practice -- be ready for when it jumps out at you.
2. UAC In Action
When you browse the Vista interface, you'll probably see a number of buttons that are marked with a special icon.
This is a sign that clicking the icon in question will bring up the UAC window.
This obviously isn't the exact same prompt you would get from clicking the above button, since it's not possible to get a screenshot of the UAC window without running Vista in a virtual machine (and I'm currently running it on a whole machine to itself).
If you're not running as an administrator, you'll get a prompt like the above (so you can supply an admin password); if you are running as admin, you'll simply see an OK / Cancel dialog. The Cancel button is the default option, so you have to select or click OK manually.
Summary: Look for the UAC icons to tip you off.
3. UAC On New Application Installs and Downloads
Most of the time an action that requires UAC approval will be explicitly marked, but sometimes you'll get it when you try to launch a program, such as an application installer.
I most often bumped into UAC when trying to install an application I downloaded from the Internet. Downloaded executables are usually branded with the UAC "shield" icon.
If you download a file like this through IE, it generally will not work unless you explicitly "unlock" it. This has actually been present in Windows since XP SP2, but you might not have run across it directly.
[Note: Blocking attachments is configurable through a Group Policy Setting. Open GPEDIT.MSC and go to User Configuration | Administrative Templates | Windows Components | Attachment Manager and enable "Do not preserve zone information in file attachments."]
If you need to unblock the file, right-click on the file and select Properties | Unblock.
Once you do this, the program can be run normally. But even after you do this, if Vista detects that the program's trying to install something or make system changes, you'll get a warning.
Summary: Downloads through IE may no longer automatically be allowed. Bear this in mind when snagging new versions of all your favorite shareware for your new Vista installation.
4. Disabling UAC
If you're absolutely sure you know what you're doing with your computer, and you want to turn off UAC globally, you can do this without too much trouble. You'll need to be logged in as an administrator, and have access to the User Accounts icon in the Control Panel.
Click on "Turn User Account Control on or off" (you'll get a UAC prompt).
Uncheck the box and click OK. You'll be prompted to reboot. Once you come back up, UAC will be disabled, and you can re-enable it at any time by following these steps again.
Do I recommend doing this? Again, unless you're very certain you know what's going in and out of your computer, don't do it. Especially don't do this if you're sharing a PC with more than one person who may not be an expert, even if they have a limited-user account.
I'm still finding my way around Vista, and I'm keeping UAC turned on for the time being just to get the feel of it. As far as I can tell there's no difference in system performance with UAC off, so don't consider shutting it off as a way to speed things up (except in the sense of it being one less thing to click on).
Summary: Turn UAC off at your own risk.
That's all for this time. Next I'll talk about the File Versions feature, as an adjunct to the Backup and Restore functions I discussed earlier. See you soon!
Leave a comment