Best practice for using Windows XP Pro as a single user at home with DSL

I recently formatted my computer and installed Windows XP Pro.  I'm the only one using it at home.  It defaults to the out-of-the-box Administrator account, which is fine.  However, my question is, should I be using this account?  I already went ahead and installed all my programs using that account, even my Pocket PC.

Then I decided to create just a regular user account, and when I did, it created another Administrator account, no choice.  So, what's the deal?  Now when I log in, it logs me automatically into the "new" administrator account.  When I do GPEDIT.MSC, it shows 2 Administrator accounts.

I just don't quite get how the My Documents and Settings folder and the policy structure is.  Basically I am just a single user at home that happened to have XP pro when I bought the machine and I don't want to drill and drill down the folders till I get to where everything defaults to My Documents.

And basically, it's also a security issue i.e. hackers, viruses etc....  I've heard so many opinions from co-workers and stuff, but I really don't think they know what they are talking about (and these are IS people!!)  How safe is it to use the out of the box Administrator account as the everyday user account?  Should I even have created a new user that got me the other administrator account?  What are the best practices?

Should all programs be installed using the hidden administrator account or the created administrator account?  Should I do everyday work in an administrator account, and if so, which?  If I created another user and called it "Kenny" as a Power User, isn't that like administrator privilege?  Then regular User account would be too limited.  I just want to do everything up front so that when I log in, it will just be me and I don't have to go finding profiles of software that were installed in different accounts etc...... for example my pocket pc.

I'm so confused..... please help.
Rich Rumble (Security Samurai) Commented:
Best practices are best practices. Security isn't a Program, it's a Process. Now that's out of the way...
I honestly have no problem with a poweruser account I operate at work. I use RunAs daily, to be sure, but it's pretty simple: hold shift, right-click, runas ... user/pass/domain etc.
We've offered the best practices as asked. Whether you follow them or not is up to you. I really don't know about the 2 administrator accounts thing... they are both named "Administrator"? No difference in spelling...? There is something that I enjoy about my computer at work: it runs Linux, with a VMware installation that is running Win2k. VMware allows you to take a "snapshot" of your system, and then revert if something should go wrong. XP has something similar with "System Restore"; however, it sucks in comparison. I can take a snapshot with VMware, then install a program; if it wrecks my machine, or slows it down, or I get a virus etc... I can go right back to a nice clean previous version, no worries. This may not be for you, or many out there, but I love it.

This may be more what you're looking for:
With M$ it's unfortunate that Anti-virus is a necessity, as well as a Firewall. Keeping up on patches, both for the OS as well as your applications, like the AV and the FW will need updates also. XP's firewall is ok at firewalling. ZoneAlarm's is better at leak protection, meaning it has FW and process control. Say you are the lucky recipient of the newest virus, and there is no virus definition yet because it's only been circulating for a few hours; the AV companies haven't even received word of it. You'd be helpless without process control. ZA will ask you "would you like "new-vir.exe" to access the internet?" You would look it up on the internet, and not find anything on it perhaps.... that means DENY. Even when you do find it on the internet, read more than 1 source on its usage or purpose, then deny or permit based on your finding. ZA is even better than AV in those respects; the free one will do this, but the pay-for versions are more configurable.

Also, to install (most) programs, you must have an admin priv, like being in the admin group, running as admin, or using runas and typing in a username and password in the admin group. Again, the 2 admins, I don't know what to say to that... never seen it.
Hi KC_78,
The two admin issue is strange.. never encountered that myself, you should be able to create users as you wish!
Whether you should use the administrator account or not is dependent on how much you trust yourself not to delete anything important.. I use only the admin account on my home network, but then again we are two professionals that use it.. (and never make mistakes.. ;-) )

The best approach according to MS is to create a poweruser account for trusted users, and lower levels to your kids and so on.. The poweruser has all rights but destroying the most important system files.

The structure of MY DOCUMENTS is C:\Documents and Settings\username (you may copy all your folders from the admin account from there to the new user and keep bookmarks, files, shortcuts and most of your program settings.. ps: reboot afterwards..)

Rich Rumble (Security Samurai) Commented:
Never operate as ADMIN or a user with admin rights. Use "runas" to elevate your privileges when you need to install (highlight an icon, hold shift, and right-click; you'll see runas...). It also has cmd line.
I recommend User; power-user is just below admin, but not by much. First, and foremost, get AV; McAfee is my choice. Second, turn on XP's firewall. It is decent, and does a pretty good job of keeping your PC from attracting attention. Go to and do a before and after firewall comparison

Turn off a few services... you say you don't need to connect to other Windows boxes? Then stop the Server service, then disable it. Do the same with "Remote Registry" and "Messenger". Run Windows Update as soon as you can, get patched. (same with the other two) You'll need the Server service if you plan to share a folder on the internet (not recommended, no matter what) or you need to connect to a Windows domain, or Windows server.

The My Docs question has been taken care of above. Security is a Process, not a Program. As annoying as running RunAs is... it is a best practice. Unix has been doing this from the beginning; that's why they own M$ in the security arena. RunAs is the same as Sudo for Linux/Unix. GRC.COM also has some good tips and programs to help keep you safe.
Remember, anti-virus, number one rule with M$: make the AV companies money...
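
The steps from the post above as a batch script, added here as an example and not written by anyone in the thread. It assumes XP Pro SP2 (needed for `netsh firewall`), the standard service key names for Server, Remote Registry and Messenger, and an account name `kenny` chosen for illustration.

```bat
@echo off
rem Added example, not from the thread. Start it from a limited account with:
rem   runas /user:Administrator "cmd /k harden.cmd"
rem "harden.cmd" is a hypothetical file name for this script.

rem 1. Show which accounts really hold admin rights. An account created
rem    through the XP "User Accounts" panel as "Computer administrator"
rem    appears here next to the built-in Administrator.
echo === Members of the local Administrators group ===
net localgroup Administrators

rem 2. Stop and disable the three services named in the post.
rem    lanmanserver = Server, RemoteRegistry = Remote Registry,
rem    Messenger = Messenger. /y also stops dependent services
rem    (Computer Browser depends on Server).
for %%S in (lanmanserver RemoteRegistry Messenger) do (
    echo --- %%S ---
    net stop %%S /y
    rem sc requires the space after "start=".
    sc config %%S start= disabled
    rem Confirm the new start type; expect DISABLED.
    sc qc %%S | find "START_TYPE"
)

rem 3. Turn on the built-in firewall and print its state (XP SP2 syntax).
netsh firewall set opmode mode=ENABLE
netsh firewall show state

rem 4. Create a daily-use account. "net user ... /add" places it in the
rem    Users group only; "*" prompts for the password instead of putting
rem    it on the command line. The name "kenny" is an assumption.
net user kenny * /add
echo === Members of the local Users group ===
net localgroup Users
```

Re-enable the Server service before joining a Windows domain or sharing folders, as the post notes.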


As an alternative to McAfee I will recommend Trend Micro's products.. (sorry richrumble ;-) ) Don't purchase NORTON.. it's only trouble!!!
As for a firewall I recommend, I think it's better than the built in XP firewall, and it's free and extremely easy to set up.. (it also has some features that the built in does not have)
KC_78 (Author) Commented:
Guys, you are great, I would accept the answers, but there are still some issues....... when I'm on my computer, I multitask.  I work (job stuff), I tweak around if I found something out, I install, I do everything.  I am the only person using the computer.  I tried to follow those links that you guys gave me, but especially the Microsoft guidelines, they seem like they are targeted for families.  Like no one touches the administrator account, but make one limited for the wife, the kids etc....... But for me, I'm just a single boring Chemical Engineer who is trying to learn some stuff from the internet because people at work are too cheap to pay for training and I get all these expectations from them.  (I'm sorry, I'm just venting)

But when I use user or poweruser, it seems almost impossible to work and at the same time use the internet to find answers..... with all the restrictions.

Also, maybe I wrote the question too hastily.  However, the issues about viruses and trojans and firewalls did help a lot.  I just put in another post and it is similar, but it's more to do with the structure of how Windows reacts when you install stuff.  Please take a read and maybe it'll be clearer as to what I am actually trying to ask........ (I don't explain stuff very well......)  THANKS
KC_78 (Author) Commented:
Oops, I'm sorry, the post that I wrote again is in the Windows XP category and its title is "In which account should I be initially installing software with a clean system?"
KC_78 (Author) Commented:
Thanks Rich for your patience with me.  I apologize if I came across as stubborn.  I finally figured out what was going on.  I'm actually in the middle of reinstalling WIN XP Pro to try and reproduce the results.

My guess is that this situation is made transparent by M$ to the general public.  M$ I think wants its users to use the XP interface and not really the classic interface, because with the classic interface, I think you can actually see more information, that's why I was confused.

What's happening is that when you do a fresh install of Win XP, you're doing it in the Administrator mode, you have to.  Then you do the essentials like drivers.  When you go create a user next, it wants you to have an account that is both in the administrator account and in the user account.  Bear in mind, this is creating a user using the XP interface, not the "control userpasswords2" way.  So, in the XP interface, a box shows up for you to name the account.  And in the XP interface, there are only 2 choices when you create an account, Administrator and Limited.  I think that's where I was confusing you guys because the limited account is grayed out, with a message saying "that at least one account must be in the administrator group".

So, from what I gather, when you turn on your computer with the XP welcome screen, M$ wants the average user to see that little boxy picture thingy with the newly created account and not the original Administrator account.  So right after I created the user "John Doe", I went to control userpasswords2, and sure enough, John Doe belonged in both the Administrators and Users group.  Something M$ came up with automatically if you create an account using the XP interface.  And I think this is probably for reasons, say the new administrator account, called "IS ADMIN" gets full permission to that computer and other people in a company or whatever, at home (the kids) get their own little nice picture and account.

So, FYI to everyone who I confused, there are no 2 administrator accounts.  M$ wants you to have at least 2 users in the "Administrators Account GROUP", so that the ORIGINAL Administrator ACCOUNT can be hidden.

So with that said..... foot in the mouth, or in this case no brain filter...... I will close the case.  I think I will create another account (Power users group) to function since I'm the only one using the computer and to install apps I'll use the account in the Administrator group.

Thanks for all your help.............KC