Restricted Tokens

In Windows 2000, an application can start a child process in a restricted security context so that code executing in the child process has more limited access to resources than the application's user has. For example, when you use Internet-browsing software to display a Web page in an untrusted security zone, code associated with the Web page can execute with fewer privileges on your computer than you have. (This feature is not used by Microsoft Internet Explorer version 5.0 and earlier.) And when you get an email message with an attachment, double-clicking the attachment can invoke an application that similarly runs with limited access to other resources on the computer. (Microsoft Outlook 2000 does not currently use this feature.)

Applications can create restricted security contexts for child processes and impersonation threads by creating a restricted token and assigning it to the child process or impersonating thread. Restricted tokens are created by removing privileges, by applying the deny-only attribute to SIDs, or by adding a list of restricting SIDs to the original access token.

When a restricted process or thread tries to access a securable object, the system performs two access checks: one using the token's enabled and deny-only SIDs, and another using the list of restricting SIDs. Access is granted only if both access checks allow the requested access rights.
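The two-check rule described above can be illustrated with a small model. The following C program is an added example, not code from the original page or from the Windows SDK; it does not call the Win32 API (CreateRestrictedToken, AccessCheck), but implements the same evaluation rule over a toy ACL. All SIDs, access-right values, attribute flags, and the "Alice" token data are constructed for illustration.

```c
#include <stdio.h>

/* Access rights in this toy model (not the real Win32 ACCESS_MASK values). */
#define ACC_READ   0x1u
#define ACC_WRITE  0x2u
#define ACC_DELETE 0x4u

/* SID attributes: the names follow the page, the values are invented. */
#define SID_ENABLED   0x1u
#define SID_DENY_ONLY 0x2u  /* matches deny ACEs only; never grants via an allow ACE */

/* Hypothetical SIDs: small integers stand in for real SID structures. */
enum { SID_ALICE = 1, SID_USERS, SID_ADMINS, SID_GUESTS, SID_RESTRICTED };

typedef struct { unsigned sid; unsigned attrs; } SidAttr;
typedef struct { int allow; unsigned sid; unsigned mask; } Ace;
typedef struct { const Ace *aces; size_t count; } Acl;

typedef struct {
    SidAttr  sids[8];          /* user and group SIDs with their attributes */
    size_t   nsids;
    unsigned restricting[8];   /* restricting SID list; empty means not restricted */
    size_t   nrestricting;
} Token;

/* One access check: walk the ACL in order against the given SID set.
   A deny ACE overlapping still-wanted rights fails the check; an allow ACE
   grants rights only when the matching SID is not marked deny-only. */
static int check_against(const Acl *acl, const SidAttr *sids, size_t n, unsigned desired)
{
    unsigned remaining = desired;
    for (size_t i = 0; i < acl->count && remaining; i++) {
        const Ace *ace = &acl->aces[i];
        for (size_t j = 0; j < n; j++) {
            if (sids[j].sid != ace->sid) continue;
            if (!ace->allow) {
                if (ace->mask & remaining) return 0;      /* explicit deny wins */
            } else if (!(sids[j].attrs & SID_DENY_ONLY)) {
                remaining &= ~ace->mask;                  /* rights granted */
            }
        }
    }
    return remaining == 0;
}

/* The rule from the text: first check with the token's enabled and deny-only
   SIDs; if the token carries restricting SIDs, a second check using only that
   list. Access is granted only if both checks grant every requested right. */
int token_access_check(const Token *t, const Acl *acl, unsigned desired)
{
    if (!check_against(acl, t->sids, t->nsids, desired)) return 0;
    if (t->nrestricting == 0) return 1;               /* unrestricted token */
    SidAttr rs[8];
    for (size_t i = 0; i < t->nrestricting; i++) {
        rs[i].sid = t->restricting[i];
        rs[i].attrs = SID_ENABLED;
    }
    return check_against(acl, rs, t->nrestricting, desired);
}

/* Constructed object ACL (deny entries before allow entries, as Windows orders them). */
static const Ace sample_aces[] = {
    { 0, SID_GUESTS,     ACC_WRITE },
    { 1, SID_USERS,      ACC_READ | ACC_WRITE },
    { 1, SID_ADMINS,     ACC_READ | ACC_WRITE | ACC_DELETE },
    { 1, SID_RESTRICTED, ACC_READ },
};
static const Acl sample_acl = { sample_aces, sizeof sample_aces / sizeof sample_aces[0] };

/* Constructed token for "Alice": Users enabled, Administrators marked deny-only. */
static const Token normal_token = {
    .sids = { { SID_ALICE, SID_ENABLED }, { SID_USERS, SID_ENABLED }, { SID_ADMINS, SID_DENY_ONLY } },
    .nsids = 3,
    .nrestricting = 0,
};

/* Same identity with one restricting SID added, as CreateRestrictedToken would do. */
static const Token restricted_token = {
    .sids = { { SID_ALICE, SID_ENABLED }, { SID_USERS, SID_ENABLED }, { SID_ADMINS, SID_DENY_ONLY } },
    .nsids = 3,
    .restricting = { SID_RESTRICTED },
    .nrestricting = 1,
};

int main(void)
{
    printf("normal     WRITE : %d\n", token_access_check(&normal_token, &sample_acl, ACC_WRITE));
    printf("normal     DELETE: %d\n", token_access_check(&normal_token, &sample_acl, ACC_DELETE));
    printf("restricted READ  : %d\n", token_access_check(&restricted_token, &sample_acl, ACC_READ));
    printf("restricted WRITE : %d\n", token_access_check(&restricted_token, &sample_acl, ACC_WRITE));
    return 0;
}
```

Running it shows the three effects the text names: the deny-only Administrators SID cannot grant DELETE even though an allow ACE exists for it; the unrestricted token still gets WRITE through Users; and the restricted token loses WRITE because the restricting SID list only grants READ, so the second check fails while the first succeeds.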

For information about how to write applications that use restricted tokens, see the Microsoft Platform Software Development Kit (SDK) link on the Web Resources page at https://windows.microsoft.com/windows2000/reskit/webresources .