Abstract: A method and system for installing software implementations such as applications and COM classes as they are needed from an external source, such as a centralized network store. When a software implementation is needed, the system and method first look to the local system (e.g., registry) for that software implementation, and if found, returns the information such as a local path needed to use the software implementation. If the implementation is not found locally, the present invention dynamically looks to a centralized class store of a network, to locate the needed implementation. When located, the implementation is downloaded and locally installed in a manner that is essentially transparent to the user. Software implementations such as application products may be divided into features and components to improve on-demand installation thereof.

Abstract: A method and system for installing software implementations such as applications and COM classes as they are needed from an external source, such as a centralized network store. When a software implementation is needed, the system and method first look to the local system (e.g., registry) for that software implementation, and if found, returns the information such as a local path needed to use the software implementation. If the implementation is not found locally, the present invention dynamically looks to a centralized class store of a network, to locate the needed implementation. When located, the implementation is downloaded and locally installed in a manner that is essentially transparent to the user. Software implementations such as application products may be divided into features and components to improve on-demand installation thereof.

Abstract: A method and system for installing software implementations such as applications and COM classes as they are needed from an external source, such as a centralized network store. When a software implementation is needed, the system and method first look to the local system (e.g., registry) for that software implementation, and if found, returns the information such as a local path needed to use the software implementation. If the implementation is not found locally, the present invention dynamically looks to a centralized class store of a network, to locate the needed implementation. When located, the implementation is downloaded and locally installed in a manner that is essentially transparent to the user. Software implementations such as application products may be divided into features and components to improve on-demand installation thereof.

Abstract: Restricted execution contexts are provided for untrusted content, such as computer code or other data downloaded from websites, electronic mail messages and any attachments thereto, and scripts or client processes run on a server. A restricted process is set up for the untrusted content, and any actions attempted by the content are subject to the restrictions of the process, which may be based on various criteria. Whenever a process attempt to access a resource, a token associated with that process is compared against security information of that resource to determine if the type of access is allowed. The security information of each resource thus determines the extent to which the restricted process, and thus the untrusted content, has access. In general, the criteria used for setting up restrictions for each untrusted content's process is information indicative of how trusted or untrusted the content is likely to be.

Abstract: Restricted execution contexts are provided for untrusted content, such as computer code or other data downloaded from websites, electronic mail messages and any attachments thereto, and scripts or client processes run on a server. A restricted process is set up for the untrusted content, and any actions attempted by the content are subject to the restrictions of the process, which may be based on various criteria. Whenever a process attempt to access a resource, a token associated with that process is compared against security information of that resource to determine if the type of access is allowed. The security information of each resource thus determines the extent to which the restricted process, and thus the untrusted content, has access. In general, the criteria used for setting up restrictions for each untrusted content's process is information indicative of how trusted or untrusted the content is likely to be.

Abstract: A restrict ed access token is created from an existing token, and provides less access than that token. A restricted token may be created by changing an attribute of one or more security identifiers allowing access in the parent token to a setting that denies access in the restricted token and/or removing one or more privileges from the restricted token relative to the parent token. A restricted access token also may be created by adding restricted security identifiers thereto. Once created, a process associates another process with the restricted token to launch the other process in a restricted context that is a subset of its own rights and privileges. A kernel-mode security mechanism determines whether the restricted process has access to a resource by first comparing user-based security identifiers in the restricted token and the intended type of action against a list of identifiers and actions associated with the resource.