Security Requirements and Limitations

To use MSMQ security features, both the sending and receiving computers must be logged on to a Windows NT Server domain. If you are not logged on to a domain (for example, the computer is a member of a workgroup), you cannot create secured objects. That is, everyone will have full control over the queues you create and over your computer's properties stored in the MSMQ information store (MQIS). In this case, you will only be able to send messages to queues, and access objects, that grant access to everyone.

By default, all users have Read access to the MQIS database. You cannot change this default behavior. However, you can set specific access rights on each object in MQIS. For example, without the correct permissions, users cannot read from queues.

Users who log on locally (instead of being validated by a domain controller) cannot create or register certificates. Certificates are only useful for authenticating the sender's security identifier (SID) when the user has logged on and been validated by a domain controller. In addition, local users cannot send messages with their SID in the message sender ID property.


© 1997 by Microsoft Corporation. All rights reserved.