Why give blanket Defense+ access to safe applications to do so much?

I share your goal of emulating with Defense+ a Software Restriction Policy (SRP) like "How to make a disallowed-by-default Software Restriction Policy".
Thanks for problem solving this with me.

With CIS’ Parental Control enabled, users won’t get any pop-ups. For users who don’t use Parental Control while general surfing, they have the option of customizing the policy for Firefox if they don’t want to see this pop-up. This is much less work than modifying the rights for every safe app. Personally, I am willing to tolerate pop-ups when I intentionally download an executable on the admin account, as it helps protect me against unintentional downloads/overwrites, even by safe apps.

The “Write/Modify Executables” Access Name could have Allowed Applications and Blocked Applications exceptions, just like the other Access Names. When trying to emulate an SRP, we don’t want to allow limited users to download any executables.

I would like to see the “Write/Modify Executables” Access Name implemented such that there is no need for different configurations for the admin and limited users. Limited users already don’t have write access to c:\program files and c:\windows. Should limited-user exceptions be added to Process Access Rights? If so, how?

I tend to download programs as my limited user account as this limits internet access as administrator.

Defense+ would be more flexible if you could have a third list of applications under “process access rights”. This would be a force pop-up group. Anything listed here would be blocked with parental control on but allowed with no pop-up for an “installer or updater” application. Without parental control there would be a pop-up. Defense+ would look no further down the computer security policy if it found something here. Users could then control what was automatically learned. If used with file groups you would not be able to do “remember my answer”.

I have added this to the Defense+ wish list and explained it in more detail.

Please see my post and the following.

https://forums.comodo.com/feedbackcommentsannouncementsnews_cis/game_mode_for_cis-t38196.0.html;msg275394#msg275394