Need help tweaking WinXP "Limited" account

Evenkeel

Member
Sep 3, 2004
189
0
0
I've been using XP since it came out, but I have to set up a system doing something I've never had to do before: create separate user accounts, and make all but one limited.

Here's the deal: my kid always gets my old systems when I upgrade. Up till recently, it's always been Win9x OS's. But now I'm handing down my 2 year old Dell, and it has XP Pro on it. I've already set up a "Limited Account" for her, and retained my Administrator account, but I'm having problems understanding how to tweak it further. I have been looking in "Group Policy Editor", and played w/a few settings, but am still foggy on what I need to do. It kind of seems like it's an "all or nothing" deal.

Here's some of what I want to do for the "Limited" account:

1) Make the critical tabs (Security, Privacy, Advanced) in Internet Explorer Options disappear. I can do this, but it makes them disappear in my Administrator account as well.

2) Make Control Panel disappear. Again, same deal as #1.

3) Make other things disappear, such as the ability to view hidden and system files, etc. I know how to do this in Folder Options, but you can still click on the link in the folder window to make them appear. I want to make sure they cannot appear at all in the Limited account.

4) Deny access to certain programs under the Limited account. Do I have to go to each folder one at a time, and password-protect them?

I realize #1-3 probably get resolved similarly, but I can't see how to do it for just one account, while leaving another alone. I know these questions are pretty basic for you guys, but basically I just need to be pointed in the right direction, then I can hopefully figure out the rest myself.

Thanks.
 

Evenkeel

Okay, I know there's some XP gurus here ;) Can this be done at all? Or is XP going to give me the pipe yet again? :D
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
I have been looking in "Group Policy Editor", and played w/a few settings, but am still foggy on what I need to do. It kind of seems like it's an "all or nothing" deal.
First of all, that might be going above & beyond the call of duty, but GPEditor is fun to play with, so what the heck :)

Here's some of what I want to do for the "Limited" account:

1) Make the critical tabs (Security, Privacy, Advanced) in Internet Explorer Options disappear. I can do this, but it makes them disappear in my Administrator account as well.
What is the problem with them disappearing from your Admin account as well? But whatever.

1) Import/customize the settings in User Config > Windows Settings > Internet Explorer Maintenance > Security, including importing the Privacy stuff, I use Medium-High (hint: it will also adopt the whole list of SpywareBlaster anti-cookie/anti-bad-site stuff if you've installed SpywareBlaster). I set the Internet - Local - Trusted - Restricted security levels to Medium - Medium - Medium - High, myself.

2) Go to User Configuration (not Computer Configuration) > Administrative Templates > Internet Explorer > Internet Control Panel. Disappear the tabs you don't want her to access. This won't apply to Admins.

2) Make Control Panel disappear. Again, same deal as #1.
Right. Not that she could do much harm as a Limited user. But hey. User Configuration > Administrative Templates > Control Panel > Prohibit access to the Control Panel.

3) Make other things disappear, such as the ability to view hidden and system files, etc. I know how to do this in Folder Options, but you can still click on the link in the folder window to make them appear. I want to make sure they cannot appear at all in the Limited account.
User Configuration > Windows Components > Windows Explorer > Turn On Classic Shell.

4) Deny access to certain programs under the Limited account. Do I have to go to each folder one at a time, and password-protect them?
Password-protect them? :confused: Just disable Simple File Sharing in the Folder Options, and then on the Security settings for that folder, add her user account and uncheck all the boxes.
 

Evenkeel

Oddly enough, disappearing the IE tabs using User Configuration does disappear the tabs on both my Administrator account, and her Limited one. I also tried setting her account to Administrator temporarily, going back into Group Policy | User Config, thinking that maybe it would only apply to just her account, but no, when I went back to my main Administrator account, the IE tabs had disappeared from there also. At this point I'm flummoxed about how to do this.

As far as what's the big deal about having the tabs disappear in my Admin account as well, it's mainly because I'm certain to hear whining almost immediately about "why can't I download this?" or "I can't access that website", so I'm sure I'm going to be going in on a fairly regular basis and having to do those things for her. It's not a huge effort to re-appear the tabs, but it's just one more step I'll have to go thru to get the job done. Plus, she may be breathing down my neck while I'm doing it, and I don't want her to see how it's done.

As far as your other suggestions, I'll give them a try. And if you have any further suggestions for me on how to actually change User Configs, and isolate the accounts while doing so, I would very much appreciate it. Thanks.
 

mechBgon

1) unless you explicitly make the system use only one set of rules for all users up in Computer Configuration > Administrative Templates > Windows Components > Internet Explorer (Security Zones: use only machine settings), it will maintain separate sets of rules for each user account anyway, so you would have to make her an Admin, reappear the tabs, adjust the settings under her account, then de-Admin her and disappear the tabs again.

2) Big picture: it shouldn't matter, unless you are doing something exceptionally drastic with the settings. If her browser won't go somewhere or do something using the settings I suggested, it's probably not something it ought to be doing. I use those settings on the systems at work and I'd hear about it if the browsers didn't work for normal legit usage. :) The browser that routinely gives trouble is Firefox, which the higher-ups demanded that we install and pimp in place of IE, but that's another story :evil:

3) log on as the machine's native Administrator account and you should have your full set of IE tabs :) If you want the machine's native Administrator account to appear all the time at the Welcome screen, you can do that with the AddAdministrator registry goodie here. Otherwise hit CTRL ALT DEL twice at the Welcome screen and use Administrator as the username.

If you're looking to have one set of master controls for the browser, then do enable machine-only settings like I mentioned in #1 here.
 

mechBgon

BTW I wasn't sure what you meant by this:
As far as your other suggestions, I'll give them a try. And if you have any further suggestions for me on how to actually change User Configs, and isolate the accounts while doing so, I would very much appreciate it.
Windows keeps a lot of stuff separately for each user, as you surely know. What I can predict you'll have issues with is cheap crummy games that won't run under a Limited account without the user at least temporarily being an Admin for the first run. And/or they may need the User class of accounts given Full Control or at least Modify permissions to the game's directory within C:\Program Files.

Heck, I installed FarCry and ran it under my Limited account and WTH, the enemies are teh invisable! :Q So are my arms and my weapon! LOL! I haven't bothered overcoming that yet, I'm just doing the Run As... since I'm being lazy :D

Furthermore, some antivirus software cannot update manually from within a Limited account, if that matters to you. Scheduled automatic updates may work, or may need someone to log in as an Admin (McAfee VirusScan 8.0 being an example of this last one). Kaspersky works good and is also one of the best overall, might check out my suggestion page here for trying the trialware and configuring it.

Plus, she may be breathing down my neck while I'm doing it, and I don't want her to see how it's done.
You should make your own account a Limited account too. When you want to run GPedit.msc or something, Start > Run > cmd to open a command-prompt window, then runas /user:Administrator cmd to open a second CLI window that has Admin-level power. Now gpedit.msc or whatever you're wanting to run, and off it goes. If you want to run Defragmenter or something, right-click > Run As... and give it the Administrator account. Incidentally, that would work for IE as well, if you find an icon other than the "special" IE icons... do the one in Start > Program Files. Then you can run-as IE under the native Administrator account to get to the magic invisible tabs :)

The Administrator account on a Dell might be named something funky like Dell Customer, so roll with the punches on what the name is :)
 

Evenkeel

In your #1, this is the odd thing, because that "Security Zones: use only machine settings" is not configured, but I still can't separate the settings between the accounts. There must be another setting somewhere, that got changed at some point in the distant past, that's hosing things up. It's probably not something I changed on purpose, because up till now, I've only looked at GPEditor, never touched. It's possible some past antivirus or antispyware program made some changes? Anyway, if you have any other pointers about where I can look, any other settings I may be overlooking that are causing the two accounts to act as one, please let me know.

As far as your #2, yes I agree. And I have endlessly tried explaining to her that if the security settings keep you from doing something, or accessing a certain website, that is a good thing. If you have ever tried explaining something like this to a 16-year old girl, you can probably imagine how far I get w/it.

At this point, unless you have other suggestions about how I can separate the two account settings--no matter how basic a suggestion; assume I'm a complete moron--I'll have to do it the hard way. Thanks.
 

mechBgon

In your #1, this is the odd thing, because that "Security Zones: use only machine settings" is not configured, but I still can't separate the settings between the accounts.
Maybe I'm trying for the wrong goal here. Ok, so you're saying it already copies all of the Security and Privacy settings to every user when anyone changes them, not just for that person's account.

But if she's the primary user of this computer, then why does it matter? Her settings need to be secured, although it's not so critical when the underlying account itself lacks the privilege to do most kinds of harm even when successfully exploited (installing spyware, etc). What's good for the goose is good for the gander... if the secure settings are adopted by the Administrator account and the others, then there's no harm in that, is there? Do you deliberately want the dangerous Admin-level accounts to run with insecure settings or something? :confused: Have you run into any actual issues with the secure settings? So far it hasn't given me any problems on our systems, so I'm wondering if you're making mountains out of molehills here.

Otherwise consider a fresh installation of WindowsXP Pro on there, to get the ghosts out if there are any. Since you're looking to set the system up tight, also try out Microsoft Baseline Security Analyzer.

Bigger picture: at 16 years old, I bet she'll be hating this whole Limited thing no matter what you do :evil: "Daaaaaad!!! I keep trying to install _____________ [insert name of spyware-packed program here] but it WON'T INSTALL!!!! :|"
 

Evenkeel

No, basically I guess I wanted something XP can't do, or I'm too dim to figure out just how to do it. What my ultimate goal was, to button down her account so she couldn't change IE settings (easy enough to do by disappearing the tabs), couldn't accidentally hose up some setting from Control Panel (again, same disappearing act as the first), and limit access to certain folders and programs. You do have it right, I'm just beating the hell out of the explanation. :eek:

I can live w/the tabs disappeared in my account too, as this is beginning to be a huge pain. And you're right, it is probably something to do w/Dell's install--which is the reason she's getting the old Dell, and I'm typing this on a system I built myself--no more g*dd*mn Dells for me. Maybe at some point I'll get around to a fresh install, but then again, she'll be heading off to college in a couple years, and I'll probably just buy her a new laptop then to take w/her.

A clarification: even tho disappearing the IE tabs in one account makes them also disappear in both accounts, the Security and Privacy settings did not transfer to the second account--I had to go in and change them separately. So this just gets more bizarre: for some settings XP applies one setting to both accounts, and for other settings it keeps them separate. Aaarrgh!
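
An added example, not part of the thread: a batch script that reports, for whichever account runs it, whether the restrictions discussed above are actually in effect, so the Limited and Administrator accounts can be compared side by side. The registry value names are the ones these Administrative Templates policies write; they are not quoted from any post here, and the script only reads them.

```batch
@echo off
rem Added example (not from the thread). Read-only: uses "reg query" to show
rem which of the policies discussed above are set for the CURRENT account.
rem HKCU values are per-user; the HKLM value is machine-wide.
setlocal
set IECP=HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
set EXPL=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
set ZONE=HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

echo Policy state as seen by %USERDOMAIN%\%USERNAME%
echo.
echo Per-user (User Configuration) restrictions:
call :check "%IECP%" SecurityTab  "IE Security tab hidden"
call :check "%IECP%" PrivacyTab   "IE Privacy tab hidden"
call :check "%IECP%" AdvancedTab  "IE Advanced tab hidden"
call :check "%EXPL%" NoControlPanel "Control Panel access prohibited"
call :check "%EXPL%" ClassicShell   "Classic Shell turned on"
echo.
echo Machine-wide (Computer Configuration) setting:
call :check "%ZONE%" Security_HKLM_only "Security Zones: use only machine settings"
endlocal
goto :eof

:check
rem %1 = registry key, %2 = value name, %3 = description (no parentheses)
reg query "%~1" /v %2 >nul 2>&1
if errorlevel 1 (
    echo   [not set] %~3
) else (
    rem Third token of the matching output line is the data, e.g. 0x1
    for /f "tokens=3" %%v in ('reg query "%~1" /v %2 ^| findstr /i "%2"') do echo   [%%v] %~3
)
goto :eof
```

Run it once while logged on as the Limited account and once from the window opened with runas /user:Administrator cmd as described in the thread; a restriction showing 0x1 in both runs is applied to both accounts, not just one.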