Consequences of removing Execute permisssions on %userprofile% path?

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

I've noticed that Google takes advantage that permissions on the
%userprofile% include Execute is enabled. That is, users can save
executables under their profile folders and execute them from there.
Google "installs" (copies) their files for Google Chrome and Google
Earth into the user's profile folders knowing that the Execute
permission is enabled there. That way, they can get users to install
their software without concern regarding the limited privileges for a
standard Windows account.

Should users be executing programs from their %userprofile% path? Seems
the files there are supposed to be data files (documents, config files,
favorites/bookmarks, history info, log files, and so on). A normal
install would run into a privileges lockout for a limited user account
(LUA) to prevent the standard user from installing programs and
affecting - and afflicting - the desired software configuration of the
host. Of course, a program could copy its files elsewhere, like
C:\gotthaveprogram, but it seems they really shouldn't be under
%userprofile% and should, by default, be under %programfiles%.

One of the reasons that I ask this is after looking at some sandboxing
programs. Some require the user to overtly migrate files out of the
sandbox even if they were saved into a virtual (redirected)
%userprofile% folder; i.e., they don't get out unless the user takes
deliberate action to bring them out. Yet some allow files to get saved
into the real %userprofile% path (i.e., not sandboxed, redirected, or
otherwise protected). I suspect they believe that just data files are
going there but that's not true because of the Execute permissions is
enabled there so programs can run from there. However, just as a
general rule, it seems that program files should not be able to run from
the %userprofile% path regardless of sandboxing or not.

Removing the Execute permission from each user profile under
"C:\Documents and Settings" (for Windows XP) and replacing the
permissions down on the child objects would eliminate Google and others
from trying to use the %userprofile% as a means of corrupting the
purpose of this profile path. Alas, I'd have to remember to remove the
Execute permission from each user profile, like when a new account is
created, since you don't want to propagate the permissions from
"C:\Documents and Settings" itself onto the subfolders used for the
profile paths.
.

Relevant Pages

  • Re: Disabling Execute access in Documents and Settings?
    ... I like the idea about disabling execute for files only in a user profile and may be ... default profile permissions assigned to a user when their profile is created, ... > cross-site scripting vulnerability. ...
    (microsoft.public.win2000.security)
  • Re: [Updates] Re: More Before-The-Fact-Isms II
    ... > I've run into a problem and a solution with locking down the Execute ... save changes to the profile, then so can a virus running as user. ... thing necessary is permissions on the ntuser*.* files in the root of the ... Task Scheduler to create a scheduled task / icon, ...
    (microsoft.public.security)
  • [Updates] Re: More Before-The-Fact-Isms II
    ... I've run into a problem and a solution with locking down the Execute ... If the %userprofile% ACL is not the default ... the Execute permissions or launching logoff.bat. ...
    (microsoft.public.security)
  • .profile execute failure
    ... A very simple and probably common issue but can anyone tell me why I ... can't execute a .profile. ... Permissions are correct for the user but ...
    (comp.unix.questions)
  • Solaris 10 autofs directory permissions - Solution
    ... the fact that my map file has 755 permissions not 644. ... If the execute permission is set, it becomes an executable map which is ... map is expected to return the content of an automounter map ...
    (SunManagers)