Security and ease of use don't go hand in hand. If your network's security is too tight, your network is more difficult to use and manage. If your network's security is too loose, your network is vulnerable to attacks.

A common situation in which you need to find balance between security and usability concerns whether you should give local administrative privileges to users who use the same computer every day. If you give users local administrative rights, any viruses, worms, spyware, or other malware that finds its way into their computers can access the network and do a lot of damage. However, if you deny users these rights, they need to contact an administrator whenever they need to install a new application, making the installation inconvenient for users and more work for the IT staff. In addition, some users might need local administrative privileges to perform their jobs. For example, programmers often need local administrative privileges so that they can test the programs they're building and read various registry keys, files, and performance counters.

In my company's network, I noticed that users don't get malware from the applications they intentionally install. Instead, they unintentionally pick up malware while browsing the Internet or opening mail. So, I recently started using a new approach with Windows XP and Windows 2000 Professional computers. I have users log on to their machines with their regular user accounts. When they need to install a program, I've trained them to use the RunAs tool to log on under a local administrative account I created for them. Similarly, programmers use the local administrative accounts when they need to test programs or access the registry, files, or performance counters. With this approach, whenever users need to perform a special task, such as installing applications or performing tests, they can do it themselves. If any malware happens to find its way into their computers, it can't spread. The only way malware can spread is if users intentionally install a malware program on other machines, which is highly unlikely in my environment. The risk of having malware is even reduced on users' local machines because the users aren't targets. (Gaining access to an administrative account is a lot more lucrative than gaining access to a regular user account.)

I lock down the local administrative accounts even further to prevent misuse. I give a different username and password to every account to prevent users from using the same account on all computers. I also use Local Security Policy settings to deny network access and deny the ability to log on as a service or batch job.