I had some interesting questions today from customers about the level of customization an IT guy can do regarding which areas of functionality are protected by UAC. I.e. if I don’t want the Firewall protected by UAC can I change a setting in Group Policy? The answer is unfortunately no, you can’t customize the individual bits of functionality protected by UAC.
I guess the reason for this is that we’ve done some pretty extensive user testing, beta feedback analysis and security threat modeling and found the right amount of features that require protection and those that don’t. I guess what I’m saying is “trust us – we’ve done it right”, which judging from customer and user feedback was the right thing to do – it works well and we’ve struck a good balance that allows the user to carry out their day to day tasks free from UAC interruption whilst maintaining security on important areas like firewall et al.
There are however some settings in Group Policy that enable to tweak your UAC experience:
1) User Account Control: Behavior of the elevation prompt for administrators
2) User Account Control: Behavior of the elevation prompt for standard users
3) User Account Control: Elevate on application installs
4) User Account Control: Run all users, including administrators, as standard users
5) User Account Control: Validate signatures of executables that require elevation
6) User Account Control: Virtualize file and registry write failures to per-user locations
These are described in great detail on the UAC Team blog over here, so I won’t try and paraphrase I’ll just recommend you take a look.
Other things I would read are the TechNet resources on UAC: Understanding and Configuring User Account Control in Windows Vista