How to Set Up a Standard User Account on Windows 10/11

Prevent Unauthorized Changes to DNS and System Settings

Creating a standard (non-administrator) user account on Windows is one of the most effective ways to prevent users from bypassing DNS filtering. This guide walks you through setting up restricted accounts on Windows 10 and 11.

Step 1: Why Use a Standard Account?

By default, many Windows PCs have users operating with administrator privileges -- meaning they can install software, change system settings, and modify DNS configuration. For content filtering to be effective, users (especially children or students) should operate under standard accounts that cannot make these changes.

A standard account can still browse the web, use installed applications, play games, and do everyday tasks. The difference is that a standard account cannot make changes that affect the entire system. This is the principle of least privilege -- users should only have the permissions they need for their daily activities, nothing more.

This matters for DNS filtering because one of the easiest ways to bypass a DNS filter is to change the DNS settings on the device. If a user has administrator access, they can open the network settings and point DNS to a different resolver (like Google's 8.8.8.8 or Cloudflare's 1.1.1.1) in seconds, completely bypassing your filtering. A standard user cannot make this change.


Beyond DNS Protection

Standard accounts also prevent users from installing VPN applications, which are one of the most common methods for bypassing content filters. Without administrator access, users cannot install new software, add browser extensions in some managed configurations, or disable security software. This makes standard accounts a critical component of any content filtering strategy.

Step 2: Creating a Standard User on Windows 10/11

The process for creating a standard user account is straightforward on both Windows 10 and Windows 11. Follow these steps from your administrator account:


Step-by-Step Instructions

  1. Open Settings by pressing Windows key + I.
  2. Go to Accounts, then Family & other users (Windows 10) or Other users (Windows 11).
  3. Click "Add someone else to this PC" or "Add account".
  4. Select "I don't have this person's sign-in information".
  5. Select "Add a user without a Microsoft account".
  6. Enter a username and password for the new account.


The new account is created as a Standard user by default. You can verify this by clicking on the new account under "Other users" and selecting "Change account type" -- it should show "Standard User", not "Administrator".

Important: You can create the account with or without a Microsoft account. For children or restricted environments, a local account (without a Microsoft account) gives you more control. Microsoft accounts can sync settings and install apps from the Microsoft Store, which may or may not be desirable depending on your use case.

After creating the account, log in to it and test that it works correctly. Verify that the user can browse the web, open applications, and perform their normal tasks. Then verify that they cannot open network settings and change DNS, install new software, or access administrator-only settings. This confirms the account is properly restricted.
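
The same account can also be created and checked from an elevated PowerShell prompt on the administrator account. The script below is an added example, not part of the original guide; the username "student" is a placeholder, and the last command lists every member of the Administrators group so you can confirm only your own admin account is there.

```powershell
# Added example: run from an elevated PowerShell session on the admin account.
# 'student' is a placeholder username (assumption, not from the guide).
$userName = 'student'

# Well-known SIDs are used instead of group names so the script also works on
# non-English Windows installs, where the built-in groups have localized names.
$usersSid  = 'S-1-5-32-545'   # BUILTIN\Users
$adminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators

# Prompt for the password so it never appears in the script or shell history.
$password = Read-Host -Prompt "Password for $userName" -AsSecureString

# New-LocalUser creates the account but does not add it to any group,
# so membership in Users is granted explicitly.
New-LocalUser -Name $userName -Password $password `
    -Description 'Standard account for daily use' | Out-Null
Add-LocalGroupMember -SID $usersSid -Member $userName

# Verify by SID: the account must be in Users and must NOT be in Administrators.
$sid     = (Get-LocalUser -Name $userName).SID.Value
$isUser  = (Get-LocalGroupMember -SID $usersSid).SID.Value  -contains $sid
$isAdmin = (Get-LocalGroupMember -SID $adminsSid).SID.Value -contains $sid

if ($isUser -and -not $isAdmin) {
    Write-Output "$userName is a standard user."
} else {
    Write-Warning "$userName is misconfigured (Users=$isUser, Administrators=$isAdmin)."
}

# Review who holds administrator rights on this PC.
Get-LocalGroupMember -SID $adminsSid | Select-Object Name, ObjectClass, PrincipalSource
```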

Step 3: Setting Up the Admin Account

Keep one administrator account for yourself (the parent or IT admin) with a strong password. This account should be used only when you need to install software, change settings, or perform maintenance. For daily use by children, students, or general users, always use the standard account.

This separation is the foundation of effective device-level security. When the administrator account is properly secured, the only way to make system-level changes is to know the admin password.


Admin Account Best Practices

  • Use a strong password: Choose a password that is at least 12 characters long with a mix of letters, numbers, and special characters. Do not use birthdays, pet names, or other easily guessable information.
  • Do not share the admin password: If children or students need software installed, do it for them from the admin account rather than giving them the password.
  • Log out of the admin account after use: Do not leave the admin account logged in when the computer is accessible to others. Always log out or switch to the standard user account when you are done making changes.
  • Enable account lockout: Configure Windows to lock the account after a certain number of failed password attempts. This prevents brute-force guessing of the admin password.
  • Review UAC settings: Ensure that User Account Control (UAC) is enabled and set to a reasonable level. UAC prompts for admin credentials when standard users try to make system changes.
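
The account lockout and UAC items above can be checked with a short read-only audit from an elevated PowerShell prompt. This is an added example, not part of the original guide; the lockout value 5 in the remediation comment is an example figure, not a recommendation from the guide.

```powershell
# Added example: read-only audit; run from an elevated PowerShell session.
$findings = @()

# Account lockout: export the local security policy and read LockoutBadCount.
# A value of 0 means accounts are never locked, however many guesses fail.
$cfg = Join-Path $env:TEMP 'secpol-audit.cfg'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$match = Get-Content $cfg |
    Select-String -Pattern '^\s*LockoutBadCount\s*=\s*(\d+)' |
    Select-Object -First 1
Remove-Item $cfg -Force

if (-not $match) {
    $findings += 'Could not read LockoutBadCount (is the session elevated?).'
} else {
    $threshold = [int]$match.Matches[0].Groups[1].Value
    Write-Output "Lockout threshold: $threshold failed attempts"
    if ($threshold -eq 0) {
        # Remediation (5 is an example value): net accounts /lockoutthreshold:5
        $findings += 'Account lockout is disabled (LockoutBadCount = 0).'
    }
}

# UAC: the settings live under the Policies\System registry key.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($uac.EnableLUA -ne 1) {
    $findings += 'UAC is turned off (EnableLUA is not 1).'
}

# ConsentPromptBehaviorUser controls what a standard user sees on elevation:
#   0 = deny automatically, 1 = credential prompt on the secure desktop,
#   3 = credential prompt.
Write-Output "Standard-user elevation prompt mode: $($uac.ConsentPromptBehaviorUser)"
Write-Output "Prompt on secure desktop: $($uac.PromptOnSecureDesktop)"

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No findings.'
}
```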


For organizations managing multiple computers, consider using Group Policy or Microsoft Intune to enforce standard user accounts across all devices. This is more scalable than configuring each computer individually and ensures consistent security policies.

Step 4: What Standard Users Can't Do

Understanding exactly what standard users are restricted from doing helps you assess whether this approach meets your security needs. Here is what a standard user account cannot do on Windows:


  • Install or uninstall applications: Standard users cannot install .exe or .msi programs, which prevents them from installing VPN clients, alternative browsers (like Tor), or other software that could bypass filtering.
  • Change network or DNS settings: The network adapter properties that control DNS server addresses are locked to administrators. This is the most important restriction for DNS filtering.
  • Modify Windows Firewall rules: Standard users cannot add, remove, or modify firewall rules. This prevents them from opening ports or creating exceptions that could facilitate filter bypass.
  • Access other users' files: Each user account has its own profile directory. Standard users cannot browse or modify files in other users' profiles, including the administrator's files.
  • Change system-wide settings: System settings that affect all users -- including time zone, hostname, Windows Update configuration, and security policies -- are restricted to administrators.
  • Run programs as administrator: When a program requires elevated privileges, Windows prompts for the administrator password. Without it, the program cannot run with elevated access.


Combined with router-level DNS filtering, standard user accounts create a robust defense against filter bypass on Windows devices. The router ensures that DNS queries go through CleanBrowsing regardless of device-level settings, and the standard account ensures that users cannot change device-level settings even if they try.
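
To confirm that device-level DNS settings still point where you expect, the following read-only check compares each adapter's configured resolvers against an allow-list. It is an added example, not part of the original guide; the address 192.168.1.1 is a placeholder for your router or filtering resolver, and only IPv4 settings are checked.

```powershell
# Added example: read-only check of configured DNS servers.
# $allowed is an assumption: replace the placeholder with the resolver
# addresses your network is meant to use (for example, the router's IP).
$allowed = @('192.168.1.1')

# Collect every IPv4 DNS server that is configured on an adapter but is not
# on the allow-list. Adapters with no DNS servers configured are skipped.
$drift = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $alias = $_.InterfaceAlias
        foreach ($server in $_.ServerAddresses) {
            if ($allowed -notcontains $server) {
                [pscustomobject]@{
                    Interface     = $alias
                    UnexpectedDns = $server
                }
            }
        }
    }

if ($drift) {
    Write-Warning 'DNS servers outside the allow-list are configured:'
    $drift | Format-Table -AutoSize
} else {
    Write-Output 'All configured IPv4 DNS servers are on the allow-list.'
}
```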

For the strongest protection, combine standard user accounts with: disabling DoH in browsers to prevent browser-level DNS bypass, VPN blocking at the network level, and content filtering best practices for a layered defense approach.
