I agree, in principle, with the "RUNAS" answer.
It seems to me that what you want is for sub-process instances to be auto-restricted if they are running as admin.
There are a couple of approaches. However, they are/can be drastic and are not for the timid admin because the overhead is annoying. They will do the job, though.
Only showing Approach one unless more are requested:
For each application you want to restrict:
1. Right-click the executable and go to **PROPERTIES**.
2. Go to the **SECURITY** tab.
3. Click **ADVANCED** at the bottom.
4. Click **ADD** at the bottom.
5. Type **ADMINISTRATORS** for the name. If you have a domain then adjust appropriately.
6. Press **OK** to get the custom settings for the administrators group.
7. Check the **DENY** checkbox next to the "TRAVERSE FOLDER / EXECUTE FILE" permission (2nd on the list).
8. Hit OK and so on until you've closed the properties entry for that file.
Now, members of the administrators group cannot execute that file. They can go back in and change the permissions to un-check that so they can run it, but they have to knowingly do that.
Also, since you're worried about this occurring during an installer, you would want to do the same procedure for the SYSTEM "user", which (effectively) runs as admin as well, because this account can be used during some installations (a Windows "ADMIN" account's credentials can be used to gain a SYSTEM credentials token... but this is way beyond what this question is targeting).
Here are some pictures of doing this on Windows 7:
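The GUI steps in the answer above can also be scripted. The following PowerShell is an added example, not part of the original answer: it adds the same Deny "Traverse folder / execute file" entry for the Administrators group (and optionally SYSTEM), and can remove it again. The default path and the parameter names `-IncludeSystem` and `-Undo` are assumptions made for illustration; run it from an elevated prompt.

```powershell
# Added example: scripted form of Properties > Security > Advanced > Add > Deny.
# The default $Path is a constructed placeholder; pass the executable to restrict.
param(
    [string]$Path = 'C:\Tools\example.exe',  # hypothetical path
    [switch]$IncludeSystem,                  # hypothetical switch: also deny SYSTEM
    [switch]$Undo                            # hypothetical switch: remove the deny entries
)

# Well-known SIDs are used instead of names so this works on localized Windows.
$sids = @('S-1-5-32-544')                    # BUILTIN\Administrators
if ($IncludeSystem) { $sids += 'S-1-5-18' }  # NT AUTHORITY\SYSTEM

$acl = Get-Acl -LiteralPath $Path

foreach ($sid in $sids) {
    $identity = New-Object System.Security.Principal.SecurityIdentifier($sid)

    # ExecuteFile is the right shown in the GUI as "Traverse folder / execute file".
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.AccessControlType]::Deny)

    if ($Undo) {
        # Removes only an entry that matches this rule exactly.
        $acl.RemoveAccessRuleSpecific($rule)
    } else {
        $acl.AddAccessRule($rule)
    }
}

Set-Acl -LiteralPath $Path -AclObject $acl

# Show the explicit deny entries now on the file so the change can be checked.
(Get-Acl -LiteralPath $Path).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
```

As with the GUI procedure, a member of the Administrators group can still edit the ACL and remove the entry, so this is a guard against accidental execution rather than a hard boundary.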
Best Answer
UAC can be a rather complex concept to wrap your head around. Generally speaking, a child process inherits its access token from the parent process. However, this only occurs if both processes have the same integrity level.

Integrity levels depend on a variety of things, but generally speaking, a web browser is a low integrity application, and will likely require an additional UAC prompt if it tries to do any operation requiring a higher level of privilege.

If you wish to learn more about UAC, the following articles are a good resource: