I'm sure what I want to do is impossible - but I'm trying it anyway. :)
I am trying to sandbox a user account - and the 'least privilege' principle tells me that the user account should only have access to what he absolutely needs. That's a best practice/common sense approach. The problem is TrustedInstaller.
I want to set an explicit DENY on all the files except what the sandboxed user requires. Even as a domain admin, of course, I can't do that without taking ownership of most of the files in %systemroot% (since admins have only Read/Execute and only TrustedInstaller has FULL). This 'solution' doesn't make sense to me. I can take ownership of everything, set the perms I want, and then expect things to break in the future. That's a bad approach.
I don't want to change ownership of important system files simply to circumvent the (in my opinion) goofy concept of TrustedInstaller. I assume these files have these permissions for a reason. But the sandboxed user doesn't REQUIRE access to anything other than his sandbox - and that's what I want to implement.
Ideally I could simply run 'icacls /deny' as TrustedInstaller. That would leave the ownership and existing ACLs in place and add the explicit deny for Mr. Sandbox. But I can't find an easy (or difficult) way to run in that context.
Feedback appreciated.
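An added example, not part of the original question or of any answer to it: the `icacls /deny` step described above written in PowerShell, with a pre-check that reports which items in a tree are owned by TrustedInstaller and which paths reject the DACL write because the caller has no WRITE_DAC on them. The account name `SANDBOX\jail`, the function names and the paths are placeholders chosen for the example.

```powershell
# Added example, not from the original question. 'SANDBOX\jail' and the
# paths passed in are placeholders for the real sandboxed account and tree.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Scope the problem first: list items whose owner is TrustedInstaller,
# where Administrators usually hold Read/Execute only and no WRITE_DAC.
function Get-TrustedInstallerOwned {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Owner
            if ($owner -eq 'NT SERVICE\TrustedInstaller') { $_.FullName }
        }
}

# Add an explicit, inheritable Deny ACE for $Identity on each path while
# leaving the owner and every existing ACE untouched. Emits one object per
# path that refused the write, so those can be reviewed separately.
function Add-ExplicitDeny {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string[]]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [FileSystemRights]$Rights = [FileSystemRights]::FullControl
    )
    begin {
        # Resolve once; fails early if the account does not exist.
        $sid = ([NTAccount]$Identity).Translate([SecurityIdentifier])
    }
    process {
        foreach ($p in $Path) {
            $acl = $null
            try {
                $item = Get-Item -LiteralPath $p -Force -ErrorAction Stop
                # Directories get (OI)(CI) so the deny flows down; files get none.
                $inherit = if ($item.PSIsContainer) {
                    [InheritanceFlags]'ContainerInherit,ObjectInherit'
                } else { [InheritanceFlags]::None }
                $rule = [FileSystemAccessRule]::new(
                    $sid, $Rights, $inherit, [PropagationFlags]::None, [AccessControlType]::Deny)
                $acl = Get-Acl -LiteralPath $p -ErrorAction Stop
                $acl.AddAccessRule($rule)   # marks only the DACL section as modified
                if ($PSCmdlet.ShouldProcess($p, "Deny $Rights to $Identity")) {
                    # Persists only the modified DACL, not the owner. This needs
                    # WRITE_DAC on the object, which is exactly what Administrators
                    # lack on TrustedInstaller-owned files under %systemroot%.
                    if ($PSVersionTable.PSEdition -eq 'Core') {
                        [System.IO.FileSystemAclExtensions]::SetAccessControl($item, $acl)
                    } else {
                        $item.SetAccessControl($acl)
                    }
                }
            } catch {
                $e = $_.Exception
                if ($e.InnerException) { $e = $e.InnerException }
                [pscustomobject]@{
                    Path  = $p
                    Owner = if ($acl) { $acl.Owner } else { $null }
                    Error = $e.GetType().Name
                }
            }
        }
    }
}

# Equivalent icacls form for one directory (the command the question refers to):
#   icacls "C:\Sandbox\out" /deny "SANDBOX\jail:(OI)(CI)F"
#
# Usage (placeholders):
#   Get-TrustedInstallerOwned -Root "$env:SystemRoot\System32" | Measure-Object
#   'C:\Sandbox\out' | Add-ExplicitDeny -Identity 'SANDBOX\jail' -WhatIf
```

Run it with `-WhatIf` first. The objects it returns are the paths the question is about: the DACL write fails with an access-denied error there because the caller is neither the owner nor a holder of WRITE_DAC, and nothing in this script changes ownership to get around that.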