LUA and the One Hand Rule

LUA stands for Lowest User Access (rights), and is the concept that in a world full of rampant malware, we should cower in a basement panic room rather than stride masterfully about the house with a vast array of weapons and power tools to hand.

Personally, I'd rather live in a "Home", i.e. a physical location where safety is assured. In the real world, I live in a house with thick walls, barred windows, and clearly-defined doorways that are locked. In the infosphere, I live in a "network client" that takes candy from strangers, so LUA has its charms until we can get the Home Operating System to "grow up".

Put it this way: if you were forced to live in the middle of an open football field, would you carry weapons and power tools with you at all times? Would you be able to fend off those who would use these against you, 24 hours a day? If not, you'd probably want to lock those valuable, dangerous things somewhere safe until you need them - and that's what LUA is about.

But there's a user acceptance problem: no-one wants to be less powerful, so we like the idea of can-do-anything administrator user account rights. Frankly, when it's our own home computer, we feel we should accept nothing less; we should be safe in our own homes.

The One Hand Rule

Folks who work with big electricity for a living know this safety dictum, and that is: at any given moment, you don't have both hands touching sparky metal stuff at the same time. A veteran electrician may instinctively put his left hand in his pocket as he reaches with the right, in deference to this rule.

The Internet is not a network, because it excludes none. If you like to think of it as a network because it is built out of networking technologies, then consider it the mother of all infected networks that can never be cleaned. Also, try not to think of furniture as trees, just because both are made of wood!

So the "One Hand Rule" for computers is: never have one hand in the Internet while the other has a power tool or destructive weapon in it. This is the key to breaking the "Everyone Loves Admin" deadlock; make the administrator account a drab workplace where no fun abounds and only administrative work can be done. After all, Safe Mode lets you do "more stuff", yet you don't see users wanting to run in Safe Mode all the time. A game that would only run in Safe Mode wouldn't sell, yet most games that require admin rights sell just fine.

The Janitor Account

I'd combine a malware-safer Safe Mode with strong admin rights, as the only place where strong admin rights can be applied. Just as we expect wielders of power tools to be clear-sighted, sober, and knowledgeable, so we should expect the Janitor account user to be undistracted by dangerous fluff such as rich media, and up to speed with a no-frills user interface that shows things as they are; no self-defined icons, persistent handlers, custom screen savers, hiding of dangerous files and so on.

The reason is not simply to punish the user for being in the Janitor account - it has to do with safety. Hiding file name extensions, files and paths hides risk-relevant information that a wielder of power tools needs to know. Normally, you don't care where the mains wiring runs within the walls; you'd rather look at the wallpaper. But if you are drilling holes in the walls, then you need full access to that risk-relevant information.

The other safety aspect is that whenever the system "reaches ahead" of the user, dipping into files to show you custom icons or do other persistent handler stuff, it exposes a potentially-exploitable risk surface to that material - material that you have as yet indicated no intention to handle or assume safe. I might choose to list files that I know are dangerous, in order to delete them; I do not want the system running content within these files before I can do so, as a misguided "service" to me.

For the same reason, the Janitor account wouldn't run custom screen savers or offer any other automated running of arbitrary software. You don't want arbitrary software running with strong administration rights, and while we remain blinkered into thinking of such rights as applying to everything a user does during that login, these things have to go when such rights are in effect.
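An added example, not the essay's own code, of applying the Janitor account's presentation rules with PowerShell: it acts on the current account only if its token is actually elevated, flips the standard Explorer registry values so that extensions, hidden files and protected system files are shown, and switches the screen saver off. The function names are this example's own choices; per-handler control of shell extensions is outside its scope.

```powershell
# Added example (not from the original essay): make the *elevated* account a
# no-frills workplace. Registry paths are the standard Explorer / Desktop keys;
# the function names and the "Janitor" label are this example's own.

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-JanitorView {
    if (-not (Test-IsElevated)) {
        Write-Host "Not an administrator token; leaving the ordinary account's comforts alone."
        return
    }

    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    # Show file name extensions, hidden files and "protected" system files:
    # the risk-relevant information a wielder of power tools needs to see.
    Set-ItemProperty -Path $adv -Name HideFileExt     -Value 0 -Type DWord
    Set-ItemProperty -Path $adv -Name Hidden          -Value 1 -Type DWord
    Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord

    $desk = 'HKCU:\Control Panel\Desktop'
    # No screen saver in this account: no automated running of arbitrary code
    # under strong rights while the Janitor is away from the keyboard.
    Set-ItemProperty -Path $desk -Name ScreenSaveActive -Value '0' -Type String
    Remove-ItemProperty -Path $desk -Name 'SCRNSAVE.EXE' -ErrorAction SilentlyContinue

    # Show the result so the change is visible rather than silent.
    Get-ItemProperty -Path $adv  -Name HideFileExt, Hidden, ShowSuperHidden
    Get-ItemProperty -Path $desk -Name ScreenSaveActive
}

Set-JanitorView
```

Explorer reads the Advanced values when it starts, so a new Explorer session (or a log-off) is needed before the view changes take effect.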


(C) Chris Quirke, 20 April 2005, all rights reserved
