Microsoft, Windows, XP - Runas without loading elevated user settings

If it is a site that you need and trust why not just add the site to the list of trusted sites - that will allow users to run the controls without the need for elevated privilages. See http://www.jsifaq.com/SF/Tips/Tip.aspx?id=6644

Or create an installation package of the activex and deploy it to the users that need it via GPO software installation.

Ok ..

KCTS:
If it is a site that you need and trust why not just add the site to the list of trusted sites - that will allow users to run the controls without the need for elevated privilages.
 - Our global group policy would over ride it

CoccoBill:
Or create an installation package of the activex and deploy it to the users that need it via GPO software installation.
 - Dont have admin access to the website, its managed by a team in Germany.

Thanks very much for both your comments.

I accept that the correct approach is to fix the ActiveX credentials so to speak, and eventually this will happen.

But my question is about runas .. The example I have explained only serves to highlight the possible limitations of runas.

I am hoping for a definitive answer to the runas question, effectively : can runas be used to authenticate a process, but not use/load anything else from the account ?

If you put the users into an OU you can apply the group policy to add the trusted site to that OU and it would take presidence.

KCTS: - As I said originally, unfortunately, here in the UK, we have no access to group policy. Its a global company.

A group policy is the only sensible option, certainly preferble to using runas - I suggest you discuss the matter with your IT department.

KCTS: - I dont believe that using GP to set MSIE to accept unasigned activeX content for end users is the right way to go.

Can anyone tell me : Can RUNAS be used only to authenticate an executable, but not use/load anything else (take on the identity)  of/from that account ?

I'm not suggesting that you grant all users the ability to run unasigned activeX content from all sites - just for the particular site by adding the site as a "trusted site" - see my previous comments.

Can RUNAS be used only to authenticate an executable, but not use/load anything else (take on the identity)  of/from that account ?

You can try using the following....

runas /noprofile /env /user:UID iexplore

RUNAS USAGE:

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /user:<UserName> program

   /noprofile        specifies that the user's profile should not be loaded.
                     This causes the application to load more quickly, but
                     can cause some applications to malfunction.
   /env              to use current environment instead of user's.

Can runas be used to execute an app that then retains access to parent user settings=No - But worth remembering the "all users" commonality

Solution I used the problem was to obtain the activex content from TIF and have the helpdesk use regsvr32 to push it out to a limited number of users. So, why not GP in this instance ? , (i) The website will be changed so that the activex content will work for our global image, much better to increase standards, than to decrease security to accomodate poor systems.  (ii) A request to create a GP to relax MSIE settings, even for an internal server would be rejected, if you think about the security implications, this makes sense. (iii) As the situation is temp, the created GP would be removed shortly anyway.

Thanks to everyone for your comments.