I need to give a non-admin account most admin permissions except for modifying system files. I'd like that admin account to retain all normal admin permissions but not be able to modify the hosts file. I've written a guide on how to do this in Ubuntu, and I'd like to do something similar in Windows 10.
The best solution I've found is to make something like this script start when the user logs in. Source
#Specify the file name
$fileName = "C:\Windows\System32\Drivers\etc\hosts"
#Open the file in read only mode, without sharing (I.e., locked as requested)
$file = [System.io.File]::Open($fileName, 'Open', 'Read', 'Read')
I understand that it won't be bullet proof, but I would like something that makes it sufficiently inconvenient to modify this file.