It is possible that one of the McAfee guys may be able to explain this better. But, the way I understand MLC to work, it monitors the domain login/logout events and from this builds a table of who is logged in on any (Windows) machine on the network.
You can see this by looking at the "Logon Report" screen within the MLC web interface or by clicking on the "Manage Passports" button in the Policy -> Rule Elements -> Passport screen in the Firewall Admin Console.
As I understand it, this passport table tells the Firewall who is logged in and the IP address of the machine they are using based on the action of logging into the domain. When you create a rule based on a username it isn't necessarily applying against the username, but against the IP address recorded in the list of active passports.
So, while you may be able to use the "runas" option within Windows to allow a specific application to run as if you were logged in as "user2" the PC/Laptop itself is still logged into the domain as "user1" - and this is the user account which MLC will see and report back to the Firewall. I'm not sure that it will pick up on a single application running as a different user.