Windows – Disabling the prompt to “Click Continue to permanently get access to this folder” (e.g. via GPO)

group-policy uac windows windows-explorer

http://support.microsoft.com/en-us/kb/950934 describes the manner in which, when a member of the Administrators group uses Explorer to navigate to a folder to which the Administrators group has permission, the user will be prompted to "Click Continue to permanently get access to this folder".

When they do this, Explorer alters the ACL of the folder to grant that specific user Full Control to the folder. The MS link describes exactly the design constraint that requires it to be this way.

However, it ruins the permission set for that folder and makes central management of permissions effectively impossible. For example, if the named user is later removed from the Administrators group, that ACL entry still exists to permit them access to that folder.

I'm not looking to disable UAC (I actually like the distinction between elevated and non-elevated), and I am happy to use alternative tools to navigate and view files in an elevated fashion.

The eventual intent is to run one of the workarounds described in the MS link (either using a separate file navigator that can run elevated, or defining a separate group to control access to the whitelisted folders) but, all the time Explorer continues to clobber the ACLs of the folder, at will, it makes it impossible to identify where these workarounds need to be applied (short of regularly auditing every folder for ACL changes).

I would simply prefer to have the standard "access denied" message, if I attempt to access a restricted folder when running non-elevated in Explorer.

Is there a setting (either one-time on each box, or via GPO) that removes this "permanently get access" prompt, while retaining the other facilities of UAC?

NB: I fully understand why this prompt exists, what it means and why the behaviour is as it is (although I don't necessarily agree with the design decision). However, I should point out that I am not looking to discuss workarounds relating to the working practice of my users, nor the merits/pitfalls of UAC or Administrators group membership.

Best Answer

No, there is not.

The only real solution is using something other than Windows Explorer for file browsing (and to run it elevated, of course).

The problem comes from the fact that explorer.exe is initially launched with a non-administrator access token (in order to display the GUI), and any new sessions, even those launched as an administrator, inherit this limited access token behavior. There is a workaround to launch that initial Explorer instance with an administrative token, but then anything you launch from the GUI inherits the administrative access token, effectively nullifying UAC.
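The question names regular ACL auditing as the fallback for finding folders where Explorer has already added a per-user entry. The following PowerShell sketch is an added example, not part of the original question or answer: it lists explicit (non-inherited) Full Control allow entries for any principal outside an expected list. The root path and the expected-principal list are assumptions to replace with your own values.

```powershell
# Added example: report explicit (non-inherited) Full Control ACEs granted to
# principals outside an expected list. $Root and $Expected are assumptions;
# replace them with your own path and the principals you manage centrally.
param(
    [string]   $Root     = 'D:\Shares',   # hypothetical path
    [string[]] $Expected = @(
        'BUILTIN\Administrators',         # names differ on localized systems
        'NT AUTHORITY\SYSTEM',
        'CREATOR OWNER'
    )
)

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

# Include the root itself plus every subfolder (hidden ones too).
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($folder in $folders) {
    try {
        $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
    } catch {
        # Unreadable ACLs are reported, not silently skipped.
        Write-Warning "Cannot read ACL: $($folder.FullName)"
        continue
    }
    foreach ($ace in $acl.Access) {
        $isFull = ($ace.FileSystemRights -band $fullControl) -eq $fullControl
        # Keep only explicit Allow/FullControl entries for unexpected principals.
        if ($ace.IsInherited -or
            $ace.AccessControlType -ne 'Allow' -or
            -not $isFull -or
            $Expected -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Folder   = $folder.FullName
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.FileSystemRights
            Owner    = $acl.Owner
        }
    }
}

$findings | Sort-Object Identity, Folder | Format-Table -AutoSize -Wrap
```

Run it from an elevated session so that restricted folders can be read; entries naming an individual account rather than a managed group are the ones to review.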