Group Policy Security Context

[Dom]

I have a few questions regarding Group Policy deployment of
applications to users (not machines).

1. To deploy an application using Group Policy, it seems that using an
MSI is highly recommended. Could my MSI call into "friend" EXE located
in the same shared folder? Or should everything "fit" within one big
MSI?

2. Under what security context does the MSI get executed? Is it the
security context of the target install user, with local administrative
permissions? Or is it some other security context?

3. Does anything prevent the install user from attaching a debugger to
the executing MSI and changing instructions (in assembly, etc.) to
elevate privileges?

Thank you for your insight / comments!

 

[Chriss3]

1. Depends form vendor to vendor, the best is to make only one MSI for
complete automatically deployment.

2. The particular user, This can be changed by define the "Always install
with elevated privileges" setting within the Windows Installer Section of a
Group Policy, This policy appears both in the Computer Configuration and
User Configuration folders. To make this policy effective, you must enable
the policy in both folders.

3. There is no way to change the instructions when the MSI package are made
to a package from source.