Creating a standard (non-administrator) user account on Windows is one of the most effective ways to prevent users from bypassing DNS filtering. This guide walks you through setting up restricted accounts on Windows 10 and 11.
By default, many Windows PCs have users operating with administrator privileges -- meaning they can install software, change system settings, and modify DNS configuration. For content filtering to be effective, users (especially children or students) should operate under standard accounts that cannot make these changes.
A standard account can still browse the web, use installed applications, play games, and do everyday tasks. The difference is that a standard account cannot make changes that affect the entire system. This is the principle of least privilege -- users should only have the permissions they need for their daily activities, nothing more.
This matters for DNS filtering because one of the easiest ways to bypass a DNS filter is to change the DNS settings on the device. If a user has administrator access, they can open the network settings and point DNS to a different resolver (like Google's 8.8.8.8 or Cloudflare's 1.1.1.1) in seconds, completely bypassing your filtering. A standard user cannot make this change.
Standard accounts also prevent users from installing VPN applications, which are one of the most common methods for bypassing content filters. Without administrator access, users cannot install new software, add browser extensions in some managed configurations, or disable security software. This makes standard accounts a critical component of any content filtering strategy.
The process for creating a standard user account is straightforward on both Windows 10 and Windows 11. Follow these steps from your administrator account:
The new account is created as a Standard user by default. You can verify this by clicking on the new account under "Other users" and selecting "Change account type" -- it should show "Standard User", not "Administrator".
Important: You can create the account with or without a Microsoft account. For children or restricted environments, a local account (without a Microsoft account) gives you more control. Microsoft accounts can sync settings and install apps from the Microsoft Store, which may or may not be desirable depending on your use case.
After creating the account, log into it and test that it works correctly. Verify that the user can browse the web, open applications, and perform their normal tasks. Then verify that they cannot open network settings and change DNS, install new software, or access administrator-only settings. This confirms the account is properly restricted.
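The create-and-verify steps can also be scripted from an elevated PowerShell prompt using the built-in local account cmdlets. This is an added example, not part of the original guide; the account name `student` is a placeholder, and the script covers a local account only (no Microsoft account).

```powershell
#Requires -RunAsAdministrator
# Added example: create a local standard account and confirm it has no
# administrator rights. 'student' is a placeholder name for this example.
param(
    [string]$UserName = 'student'
)

$ErrorActionPreference = 'Stop'

# Well-known SIDs, so the script works regardless of the Windows display language.
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$UsersSid  = 'S-1-5-32-545'   # BUILTIN\Users

# Create the local account only if it does not exist yet.
$user = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
if (-not $user) {
    $password = Read-Host -Prompt "Password for $UserName" -AsSecureString
    $user = New-LocalUser -Name $UserName -Password $password `
        -Description 'Standard account for filtered browsing'
}

# New-LocalUser does not add the account to any group, so add it to Users.
# Without this the account does not appear on the sign-in screen.
$inUsers = Get-LocalGroupMember -SID $UsersSid |
    Where-Object { $_.SID.Value -eq $user.SID.Value }
if (-not $inUsers) {
    Add-LocalGroupMember -SID $UsersSid -Member $user
}

# Verify the account is NOT an administrator.
$admins = Get-LocalGroupMember -SID $AdminsSid
if ($admins | Where-Object { $_.SID.Value -eq $user.SID.Value }) {
    Write-Warning "$UserName is in Administrators and can change DNS settings."
} else {
    Write-Output "$UserName is a standard user."
}

# Review every account that currently holds administrator rights.
$admins | Select-Object Name, ObjectClass, PrincipalSource
```

The final listing is worth reading on its own: any everyday-use account that appears there can still change DNS settings, whatever the new account's restrictions are.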
Keep one administrator account for yourself (the parent or IT admin) with a strong password. This account should be used only when you need to install software, change settings, or perform maintenance. For daily use by children, students, or general users, always use the standard account.
This separation is the foundation of effective device-level security. When the administrator account is properly secured, the only way to make system-level changes is to know the admin password.
For organizations managing multiple computers, consider using Group Policy or Microsoft Intune to enforce standard user accounts across all devices. This is more scalable than configuring each computer individually and ensures consistent security policies.
Understanding exactly what standard users are restricted from doing helps you assess whether this approach meets your security needs. Here is what a standard user account cannot do on Windows:
Combined with router-level DNS filtering, standard user accounts create a robust defense against filter bypass on Windows devices. The router ensures that DNS queries go through CleanBrowsing regardless of device-level settings, and the standard account ensures that users cannot change device-level settings even if they try.
For the strongest protection, combine standard user accounts with: disabling DoH in browsers to prevent browser-level DNS bypass, VPN blocking at the network level, and content filtering best practices for a layered defense approach.