If a toned down UAC is what it takes to make people accept to upgrade and to run with some sort of UAC, this will definitely benefit security on average as you will agree that Windows 7 with a limited UAC is still much better than either XP or Vista with UAC turned off.
Unfortunately, these are quite common as far as I can see... I know my customer base does not qualify as a valid statistic, but what I could see is worrying. When asked, the customers usually justify their choices (and the fact that they are using administrative accounts in the first place) with some legacy or homegrown software they cannot afford to update. Others simply say that the UAC is too annoying, either because they didn't try it long enough, or because they heard enough hearsay to this effect.
In brief, you cannot shove security (or any other brilliant design) down the throat of your customers if this impacts significantly their perceived usability. They will simply react by not buying your software or requiring a way to keep working like they were used to. This is a hard lesson to learn, and it's sad that a large number of developers still don't get it.
this will definitely benefit security on average as you will agree that Windows 7 with a limited UAC is still much better than either XP or Vista with UAC turned off.
I disagree. With Vista a lot of people did turn off UAC, but I would bet the majority -- whether annoyed by it or not -- did not turn it off or know they could turn it off. Would your average person even know what to search the web for?
Windows 7 might as well default to having no UAC prompts, given how easy they are to bypass. So, on average, I'd say more people will be running with ineffective/pointless UAC settings than before. (Unless you feel that UAC is pointless in all modes, in which case the Win7 defaults still don't make sense.)
usually justify their choices ... with some legacy or homegrown software they cannot afford to update.
Those things will still show UAC prompts in Win 7 by default, so people annoyed by that will still be encouraged to turn off UAC (or just the UAC prompts, if they stumble on to better advice).
Others simply say that the UAC is too annoying, either because they didn't try it long enough, or because they heard enough hearsay to this effect.
I agree there. Most people who disliked UAC on Vista seem to have extrapolated from the number of prompts they saw during the unusual first couple of weeks of setup, instead of realising that they'd not have to see that many prompts after a while.
Still, now the "it's annoying" hearsay will be replaced with "it's still annoying at times and it's now completely pointless so you still might as well turn it off" hearsay.
In brief, you cannot shove security (or any other brilliant design) down the throat of your customers if this impacts significantly their perceived usability.
Indeed, but if UAC had been slightly better designed* and if Microsoft's apps had used it better** then I doubt there would have been as many complaints about Vista.
(* e.g. To show more of a UI than just "Yes or No" in confirmation dialogs so that prompts-about-prompts were not necessary and so that spoofing was more difficult (assuming the dialogs were built by elevated code based on the args it was being passed, not built by the app requesting elevation). e.g. To make the Secure Desktop switch not take 10+ seconds at times, and make the switch to it less visually annoying (esp. on large monitors or in dark rooms.))
(** e.g. To cache elevated COM objects through multiple operations instead of showing several prompts (and prompts-about-prompts) for a sequence of changes which, to the user, is all part of the same thing. Part of that problem was pure bad design -- like showing four prompts to create one folder -- and the other part was, I believe, an attempt to limit the chance that an object or UI could be hijacked. Clearly the second point has been thrown out of the window now that Explorer etc. are *effectively* elevated all of the time (and yet not protected like a real elevated process/UI). We went from one extreme of security/inconvenience to another extreme of insecurity/convenience when the middle ground would've been much better: Cached elevated COM objects through some kind of "admin mode" that the user either turns on explicitly or enters after the first elevation, and then exits via a timeout or explicit button/window-close/etc.)
This goes back to what you said earlier: When faced with third-party software which triggered a lot of UAC prompts, did people ask for that software to be improved? Nope. They just turned off UAC. Why? I think it's because Microsoft themselves set such a bad example that people assumed UAC was inherently irritating.