Windows UAC Protected folders

By default, C:\Program Files, C:\Windows are UAC protected. How to make additional folders to be UAC protected?

Deny Full Control will deny all access, including read access, and typically will block administrators as well as non-administrators; e.g., if you Deny Full Control to Users, you'll block out everyone, because Users includes Authenticated Users and deny entries take precedence.

@HarryJohnston: Deny Full Control only applies to the user in question. Actually I suggested blocking non-Admin users. He can select them at his own discretion.

What, you mean give each user you don't want to have access an individual deny entry? That would work, I suppose, on non-domain-joined machines, provided you remembered to update the permissions every time you added a new user. But blacklists aren't good practice except in special cases. Instead, you should grant access only to the specific users you want to have it, which in this case would be the Administrators group.

Also, deny entries won't work at all in this case, because the user wants to be able to gain access via the UAC approval dialog. Since the elevated token contains all the security primitives contained in the non-elevated token, any deny entry that applies to the non-elevated user will also apply to the elevated user.

At least not as you say, "..typically will block administrators..." We would appreciate it if you will offer a workaround in Windows 7 to do this "Only allow Admins" settings.

I tried this in my machine before posting the answer. The Admin will have no problems accessing the file.

let us continue this discussion in chat