It's possible to use RunAs with restricted application.
vulners.com/securityvulns/securityvulns:doc:10837