A growing number of security tools are taking a new approach to fighting malicious software. Rather than blocking each virus, they aim to limit malware's power to cause harm even if it gets in.
We looked at five apps that adopt this preventive strategy. Amust's 1-Defender and DropMyRights, two free programs, restrict the ability of software (and malware) to make major changes to your computer, such as changes to parts of the Windows Registry that are not user-controlled. Though basic, these utilities are very effective--especially DropMyRights, which works with any program.
Stronger protection comes from two apps that wall off Internet programs in a "sandbox." Software running in the sandbox is blocked from making system-level changes and from accessing personal files, like bank documents in your personal finance app. GreenBorder Pro works only with Internet Explorer, though a Firefox version is planned; for $30 (the promotional rate at press time), you get a one-user license plus a one-year subscription that covers product updates. Fortres Grand's $50 Virtual Sandbox works with any program and must greenlight any process that wants to run on your computer; but its frequent alerts can grow irksome, and its setup is somewhat more complicated than GreenBorder Pro's.
For even more protection, consider the free VMware Player and Browser Appliance. This hefty download supplies a Firefox browser that runs in a fully virtualized environment; it's much like using a separate PC just for the Web. There are some gotchas, but the player is fairly easy to install, and it offers a great deal of safety for systems with the resources to run it.
Limiting Rights
All of these programs exist because Windows needs help handling basic security, particularly with regard to user accounts. You probably employ a Windows administrator account that gives you full rights to change the Registry, install software, and read all files. A good way to make your home PC safer is to operate it under a limited user account (aka a "least-privileged user account," or LUA) instead of an admin account; the limited user rights carry over to any malicious program that tries to infiltrate your system, which minimizes the damage it can do. Hardly anyone does this, however, because using such an account can lead to serious inconveniences. If you're a limited user, Windows will frequently balk at a seemingly simple task such as changing time zones or installing legitimate software. To perform these kinds of tasks, you must first log out and then log back on as an administrator.
Not surprisingly, the vast majority of us avoid this headache by choosing not to create a separate account, which is more convenient but makes for bad security. Any poisoned Web site or corrupt attachment that sneaks in through a vulnerability in your browser or e-mail program can launch malware with full rights to embed itself into system directories, kill antivirus programs, and generally wreak havoc. In contrast, if the attacker is not empowered to alter your system, it's in effect declawed.
Enter programs such as Amust's 1-Defender. Released in December and updated to version 2.0 in April, it works with Microsoft's Internet Explorer, Outlook, and Windows Messenger. After a brief installation, you'll have the option of creating new desktop and quick-launch icons for starting each program without administrator privileges, even if you otherwise use an admin account. A splash screen and a slightly different icon in the upper left portion of the window indicate that you're running in SafeInternet mode. With the PC in this mode you (and any malware) can't install many types of software and can't make any hazardous Registry changes.
Links opened from other programs or files start IE in safe mode. You can bypass that behavior by shift-clicking the link, or you can start IE in the regular way by clicking the old icons. Most actions--like opening files on your computer or installing a new toolbar--stay the same.
Like 1-Defender, DropMyRights is a small program that opens selected apps under limited user rights. Developed by Michael Howard, a Microsoft senior security program manager, it has been around since 2004; though Howard works for Microsoft, the company doesn't market the app. It works with any program, but before using it you need to make some quick changes. After installing it, you must create a shortcut for each program that you want to use with it (or you must modify the existing one). Howard provides full instructions with screen shots at his Microsoft Security Developer Center page on the MSDN Web site.
If you click a Web link in another program, such as Word, your default browser will start normally, without DropMyRights protection (unless it is running with DropMyRights, too). To get the extra security, copy and paste the link after starting your browser via the specially prepared shortcut.
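The shortcut setup described above can be scripted. The following PowerShell is an added example, not part of the original article and not code from DropMyRights or its author; the install path `C:\Tools\DropMyRights.exe`, the function name `New-LimitedRightsShortcut`, and the sample program paths are assumptions, and the `DropMyRights.exe "<program>" [N|C|U]` command-line form comes from the tool's published usage rather than from this article.

```powershell
# Added example: create desktop shortcuts that start programs through DropMyRights.
# Assumption: DropMyRights.exe was copied to C:\Tools (adjust to your install path).
$DropMyRights = 'C:\Tools\DropMyRights.exe'

function New-LimitedRightsShortcut {
    param(
        [Parameter(Mandatory)] [string] $ProgramPath,   # program to run with reduced rights
        [Parameter(Mandatory)] [string] $ShortcutName,  # e.g. 'Firefox (limited)'
        # N = normal user (default), C = constrained, U = untrusted
        [ValidateSet('N', 'C', 'U')] [string] $Level = 'N'
    )

    # Refuse to create a shortcut that would fail or launch the wrong thing.
    foreach ($p in $DropMyRights, $ProgramPath) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            throw "File not found: $p"
        }
    }

    $desktop = [Environment]::GetFolderPath('Desktop')
    $lnkPath = Join-Path $desktop "$ShortcutName.lnk"

    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath = $DropMyRights
    # Quote the program path so spaces (e.g. "Program Files") survive argument parsing.
    $lnk.Arguments = '"{0}" {1}' -f $ProgramPath, $Level
    $lnk.WorkingDirectory = Split-Path -Parent $ProgramPath
    # Keep the wrapped program's icon so the shortcut stays recognizable.
    $lnk.IconLocation = "$ProgramPath,0"
    $lnk.Save()
    return $lnkPath
}

# Constructed sample calls; these are typical default paths and may differ on your PC.
New-LimitedRightsShortcut -ProgramPath 'C:\Program Files\Internet Explorer\iexplore.exe' `
    -ShortcutName 'Internet Explorer (limited)'
New-LimitedRightsShortcut -ProgramPath 'C:\Program Files\Mozilla Firefox\firefox.exe' `
    -ShortcutName 'Firefox (limited)'
```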
Microsoft plans to include a "protected mode" in Vista that will run IE 7 without admin privileges, much as 1-Defender and DropMyRights do. Redmond is also trying to take the aggravation out of running day-to-day with a LUA (current Vista betas suggest that it still has some work to do).
Walled-Off Apps
GreenBorder Pro, which works exclusively with IE, goes a step farther than DropMyRights or 1-Defender by creating a protected "sandbox" for the browser to work in. The utility blocks attempts by malware to write to system folders and perform various other administrator-type activities, and it blocks access to all your documents. It also offers a more-protected Privacy Zone mode (for online banking and the like) that blocks all access to your browsing history and other data. When running, it puts a noticeable green border around IE. If a toolbar or anything else within IE tries to open a file, you get a pop-up asking whether you want to allow it. Downloaded executables can't run until you remove GreenBorder's protection; if an app is unknown to you or unexpected, you can research it before deciding whether to permit its installation.
Your bookmarks carry over to and from the sandbox without a hitch, but toolbars and other browser add-ins don't. You must start IE unprotected to install a toolbar if you want it to be permanent.
GreenBorder installs and runs smoothly, and a Firefox version is in development. But given its yearly subscription fee, the protection may cost more than it's worth.
Virtual Sandbox, from Fortres Grand, sets up a sandbox, too, but it can do this for any program on your computer. The program scans your system when you install it, and will offer to run all browsers in a sandbox by default. E-mail programs run normally, but any double-clicked attachment runs in a sandbox. It gives you complete control over each program, allowing you to set only the ones you want to run in a sandbox.
Because it works with any program and blocks new apps from running without your permission, Virtual Sandbox affords more protection than GreenBorder. But it's also significantly more demanding. You'll get one or more pop-ups asking how you want to handle any new program, whether it's new software you're installing or a standard Windows program or process that the utility doesn't know about yet. The configuration menus can be hard to decipher, too.
Users who want added protection but don't want to deal with Virtual Sandbox's complexity may be interested in the free VMware Player and Browser Appliance. This bundle's two-step installation routine is surprisingly easy, and afterward you'll have Firefox running within a fully distinct Ubuntu Linux operating system (the full download is about 300MB). The combination runs within its own window, completely segregated from the Windows OS. If you come across something that can break through Firefox running under Linux, the malware won't be able to get to anything in Windows. And restoring the isolated browser to a clean state is simple.
It's strong protection for Web surfing, but the player consumes a lot of resources when running--about 300MB of memory with four open tabs in Firefox (after a fresh install). Also, you have to set up a new browser, and you can't simply copy a saved bookmarks file into the virtual player environment.
All of these programs allow you to browse and do e-mail without incident, and all effectively improve your security. But by itself, fixing the admin rights vulnerability stops most current malware cold, according to Joe Stewart, senior security researcher at LURHQ, an Internet security firm. So unless you really need the additional level of protection that sandbox and virtualization apps provide, a rights-limiting tool such as the free DropMyRights may be your best bet.
DropMyRights: Good Protection for Free
Though other apps provide more-expansive security, DropMyRights gives you simple yet effective protection against malware by limiting user rights, and it works with any program.
| Product | Cost | Type of protection | Works with | Bottom line |
| --- | --- | --- | --- | --- |
| Amust 1-Defender | Free | Limits system changes by restricting user rights. | Internet Explorer, Outlook, Windows Messenger | 1-Defender is a good, easy, and free option if you browse exclusively with Internet Explorer. |
| DropMyRights | Free | Limits system changes by restricting user rights. | Any program | With just a little setup, this is a free winner for all of your programs. |
| Fortres Grand Virtual Sandbox | $50 [1] | Walls off applications in a "sandbox" to prevent unauthorized system changes. | Any program | Program provides extensive protection, but can be complicated to use and maintain. |
| GreenBorder Pro | $30 per year [1, 2] | Walls off applications in a "sandbox" to prevent unauthorized system changes. | Internet Explorer [3] | Product offers extensive and easy-to-use protection; but at $30/year for just IE, it's pricey. |
| VMware Player and Browser Appliance | Free | Installs a separate browser inside a virtual system to prevent harm to your PC. | Firefox | Installation is large but not difficult; this is your safest option if you have the system resources to run it. |

Footnotes: [1] A 30-day free trial is available. [2] Pricing is the current promotional rate for a one-user license. [3] Firefox support is coming shortly.