Okay, here's where I am at: I really like the convenience of running as an admin user, but I'm trying to make sure I have my system reasonably locked down. Preferences are fine because the finder-sudo prompts for a password before I can modify. Check. The /usr and /etc trees are fine because they are all root owned, with no group or other write permissions. Check. /Applications scares me. It's all group admin and has group write permissions on it. So here's what I'm wondering. I want to take the group write permissions off all the files in /Applications to lock it from "accidental" overwriting (read: virus). To be succinct, this is what I would like to do:

    cd /Applications
    sudo chown -R root:admin *
    sudo chmod -R go-w *

To make it look like the other system file trees. I know theoretically all application configurations and preferences are in ~/Library so I should be all right. Has anybody tried this? Will I run into problems denying myself write access to these files? I assume not, since non-admin users don't have write access, but it's kind of irreversible so I would like confirmation. A quick Google hasn't turned up anything.
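
The worry about the change being hard to undo can be addressed by recording the current state before running the chown/chmod. The following is an added example, not part of the original post: two hypothetical shell functions, snapshot_writable and restore_writable, that save the numeric owner, group and group/other write bits of every writable entry under a directory to a tab-separated file and put them back later. It assumes path names contain no tabs or newlines.

```shell
#!/bin/sh
# Added example, not from the post. Function names and the TSV layout are
# hypothetical. Assumes path names contain no tabs or newlines.

# snapshot_writable DIR OUT
# Record every non-symlink entry under DIR that is group- or other-writable,
# one per line: "uid:gid<TAB>bits<TAB>path", where bits is g, o or go.
snapshot_writable() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print |
    while IFS= read -r p; do
        # ls -ldn prints: mode links uid gid ...; only mode, uid, gid are used.
        ls -ldn -- "$p" | {
            read -r mode links uid gid rest
            bits=
            case $mode in ?????w*) bits=g ;; esac            # group write bit
            case $mode in ????????w*) bits=${bits}o ;; esac  # other write bit
            printf '%s:%s\t%s\t%s\n' "$uid" "$gid" "$bits" "$p"
        }
    done > "$2"
}

# restore_writable SNAPSHOT
# Put back the recorded owner:group and re-add the recorded write bits.
restore_writable() {
    tab=$(printf '\t')
    while IFS=$tab read -r own bits p; do
        chown "$own" "$p" && chmod "${bits}+w" "$p"
    done < "$1"
}

# Typical order of use (paths are examples):
#   snapshot_writable /Applications "$HOME/applications-perms.tsv"
#   ... apply the chown/chmod from the post ...
#   restore_writable "$HOME/applications-perms.tsv"   # only if needed
```

Keep the snapshot file outside the tree being changed, and run the restore with sudo, since the files will be owned by root after the chown.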