Sharing files securely

[Eduardo]

Hello,

I'd like to share folders between my Windows XP desktop and my laptop.
I have Windows XP Media Center SP2, and a Linksys WRT54G router.

So my question is about security. Windows complains about sharing files
when I'm directly connected to the Internet, saying everyone on the
Internet would be able to access my files. (?????) I always thought
that Windows file sharing worked at the local subnetwork only...

Anyways, my first guess is that I'm not "directly connected", but my
WRT54G router is my "residential gateway", as Windows calls it. Is it
correct?

If so, is it safe to disable the Windows firewall and rely on the
router firewall, so I can share files locally with my laptop?

Any tips will be appreciated. Thanks in advance!

Eduardo

 

[Doug Knox MS-MVP]

The router firewall should definitely be on, and you can still use XP SP2's firewall, as well, just allow exceptions for File and Print Sharing in the firewall configuration.

 

[David H. Lipman]

From: "Eduardo" <[email protected]>

| Hello,
|
| I'd like to share folders between my Windows XP desktop and my laptop.
| I have Windows XP Media Center SP2, and a Linksys WRT54G router.
|
| So my question is about security. Windows complains about sharing files
| when I'm directly connected to the Internet, saying everyone on the
| Internet would be able to access my files. (?????) I always thought
| that Windows file sharing worked at the local subnetwork only...
|
| Anyways, my first guess is that I'm not "directly connected", but my
| WRT54G router is my "residential gateway", as Windows calls it. Is it
| correct?
|
| If so, is it safe to disable the Windows firewall and rely on the
| router firewall, so I can share files locally with my laptop?
|
| Any tips will be appreciated. Thanks in advance!
|
| Eduardo

As always, I suggest blocking both TCP and UDP ports 135 ~ 139 and 445 on *any* SHO Router.

However, it won't help if the wireless connectivity is NOT properly secured. Otherwise you
will be open to neighbours and "War Driving".

All accounts should have "Strong Passwords" and the guest account be disabled.

 

[Eduardo]

Thanks. Why should the guest account be disabled? From what I found out
on the newsgroups, it's used for Simple File Sharing. Do you recommend
that I use the, uh... "complex" one instead?

Eduardo

 

[David H. Lipman]

From: "Eduardo" <[email protected]>

| Thanks. Why should the guest account be disabled? From what I found out
| on the newsgroups, it's used for Simple File Sharing. Do you recommend
| that I use the, uh... "complex" one instead?
|
| Eduardo

Yes. You should only have named accounts being used with Strong passwords.

 

[Steve Winograd [MVP]]

Thanks. Why should the guest account be disabled? From what I found out
on the newsgroups, it's used for Simple File Sharing. Do you recommend
that I use the, uh... "complex" one instead?

Eduardo

If a computer has Windows XP Home Edition, all access to that
computer's shared disks and folders uses the Guest account. If you
disable the Guest account for network access on that computer, no one
will be able to access your shared disks and folders. The commands to
disable and enable the Guest account for network access are:

net user guest /active:no (disable)
net user guest /active:yes (enable)

Note that disabling or enabling the Guest account in Control Panel |
User Accounts has nothing to do with networking. It determines
whether someone can log on as Guest at the local keyboard.

In Windows XP Professional, you can disable simple file sharing.
Then, network access is controlled by user accounts and permissions
that you create, not the Guest account.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

 

[Bob Willard]

Hello,

I'd like to share folders between my Windows XP desktop and my laptop.
I have Windows XP Media Center SP2, and a Linksys WRT54G router.

So my question is about security. Windows complains about sharing files
when I'm directly connected to the Internet, saying everyone on the
Internet would be able to access my files. (?????) I always thought
that Windows file sharing worked at the local subnetwork only...

Anyways, my first guess is that I'm not "directly connected", but my
WRT54G router is my "residential gateway", as Windows calls it. Is it
correct?

If so, is it safe to disable the Windows firewall and rely on the
router firewall, so I can share files locally with my laptop?

Any tips will be appreciated. Thanks in advance!

Eduardo

Your are correct that you should tell Windows that you get to the 'net
via a "residential gateway". That's WinSpeak for a router.

 

[Ted Brewer]

This is very interesting, Steve.

How is this accomplished automatically?

Ted

 

[Steve Winograd [MVP]]

This is very interesting, Steve.

How is this accomplished automatically?

Ted

Hi, Ted. I'm sorry, but I don't understand your question. Please say
more about what you want to accomplish.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

 

[Ted Brewer]

Sorry Steve,

How is the "net user guest /active:yes (enable)" line issued? In the
autoexec.bat file??

Ted

 

[Steve Winograd [MVP]]

Sorry Steve,

How is the "net user guest /active:yes (enable)" line issued? In the
autoexec.bat file??

Ted

You only need to run that command once, in the Start | Run box, or in
a command prompt window (Start | Run | cmd).
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

 

[Ted Brewer]

Thanks, Steve.

Ted

 

[Ted Brewer]

I finally have what I wanted/needed:

3 pcs:
XP Pro SP2 - Server with ISS 5.1.
Win 98.
WFW.

All 3 pcs can see each other in Network Neighborhood and access shared
devices.

I think the thing that helped me turn the corner was the "restrictanonymous"
setting in the XP machine's registry. It was set to "1". I set it to "0".
The "restrictanonymous" setting was not available in the Win 98 or WFW
machines.
After that, I re-booted all 3 machines, and it seemed to work correctely.

Thanks to all, who gave me bits of info to resolve this.

Ted

 

[Guest]

Steve,
I have been reading threads related to file sharing and this gives me a clue
as to how to set up my sharing situation.

I too, want to share files securely. I have a Windows XP Professional
desktop that is acting as a file server for other systems networked in a
workgroup. I want to be able to share folders so that users from certain
machines on the network can access them and others cannot. I am new to XP
Professional share permissions. When I allow "advanced" sharing I can see the
additional options for sharing. When clicking the Permissions button, I see
the share permissions for group or user names. Right now, all that is there
is the "Everyone" group. As I read your comments, it sounds like I can set up
user accounts under Control Panel > User Accounts that match other user names
with their passowords on the other machines. Then, can these usernames be
added in this Sharing Permissions dialog so that they can be restricted or
permitted as desired? I guess I'm learning how network connections work for
file shares. Do users from another machine in the workgroup connect to my XP
Professional file server as the user name and password they are currently
running under on their local machine? And when share connections are
requested, they are authenticated over the network as that user name and
password on my XP professional server? Therefore, having the identical user
name and password set up on my server allows them to connect using the
permissions set for that user under the sharing permissions dialog?

Further, is there a way to restrict share access by machine or node name
without using a domain, but only when the systems are in a workgroup?

Can shared files from my server in my current workgroup be accessed by a
system which is in another workgroup? In other words, is that one way to
restrict access to shares from a system by simply putting a node in another
workgroup?

I have had an odd experience with sharing from my XP Professional system. I
saw a help note that said you can hide shares by putting "$" on the end of
the share name in the sharing dialog. I have tried this and it works in some
cases. But, I recently tried sharing a folder from the XP Professional
system, naming the share with a "$" on the end; then tried to map to that
share from another system in the same workgroup nearby. It mapped the drive
(you have to explicitly map it to the name because this share name is
invisible) but said the drive was inaccessible.

In taking your ideas, I added passwords to each system that matched what is
on my XP Professional server, then added those users under the sharing
permissions dialog, and then the shares connected as desired. Hiding them
with "$" was fine as well.

I understand that it is best to manage security by groups and tried adding
share permissions by group in the sharing dialog, with the same users as part
of those groups that I want to have access to shares, but access was denied.
This only worked if the "Everyone" group was present in the dialog, or if I
explicitly added them by user name.

I realize this is a lot of verbage - sorry! I am learning how windows
sharing over the network "works" and I really appreciate the help!

 

[Steve Winograd [MVP]]

Steve,
I have been reading threads related to file sharing and this gives me a clue
as to how to set up my sharing situation.

I too, want to share files securely. I have a Windows XP Professional
desktop that is acting as a file server for other systems networked in a
workgroup. I want to be able to share folders so that users from certain
machines on the network can access them and others cannot.

To the best of my knowledge, it isn't possible to control access to
folders based on what machines want to access them. XP Pro bases
access control on user accounts, not on machine names.

I am new to XP
Professional share permissions. When I allow "advanced" sharing I can see the
additional options for sharing. When clicking the Permissions button, I see
the share permissions for group or user names. Right now, all that is there
is the "Everyone" group. As I read your comments, it sounds like I can set up
user accounts under Control Panel > User Accounts that match other user names
with their passowords on the other machines.
Yes.

Then, can these usernames be added in this Sharing Permissions dialog so that
they can be restricted or permitted as desired?
Yes.

I guess I'm learning how network connections work for
file shares. Do users from another machine in the workgroup connect to my XP
Professional file server as the user name and password they are currently
running under on their local machine?

Yes, by default. However, if the user name on the local machine
doesn't exist on the file server, the user will be prompted to enter a
different user name and password. A Windows 2000 or XP user can reply
to the prompt. A Windows 95/98/Me user can't.

And when share connections are
requested, they are authenticated over the network as that user name and
password on my XP professional server? Therefore, having the identical user
name and password set up on my server allows them to connect using the
permissions set for that user under the sharing permissions dialog?
Yes.

Further, is there a way to restrict share access by machine or node name
without using a domain, but only when the systems are in a workgroup?

I'm not aware of any way to restrict share access by machine or node
name in a workgroup or in a domain.

Can shared files from my server in my current workgroup be accessed by a
system which is in another workgroup? In other words, is that one way to
restrict access to shares from a system by simply putting a node in another
workgroup?

Workgroups have no role in security or access control. With the right
user account permissions, a user on a computer in any workgroup can
access shares belonging to a computer in any workgroup.

I have had an odd experience with sharing from my XP Professional system. I
saw a help note that said you can hide shares by putting "$" on the end of
the share name in the sharing dialog. I have tried this and it works in some
cases. But, I recently tried sharing a folder from the XP Professional
system, naming the share with a "$" on the end; then tried to map to that
share from another system in the same workgroup nearby. It mapped the drive
(you have to explicitly map it to the name because this share name is
invisible) but said the drive was inaccessible.

Adding a "$" only hides a share in My Network Places. Anyone who
knows the share name can access it, either by mapping a network drive
to it, or by referencing it directly in the Start | Run box in this
format:

\\computer\share

In taking your ideas, I added passwords to each system that matched what is
on my XP Professional server, then added those users under the sharing
permissions dialog, and then the shares connected as desired. Hiding them
with "$" was fine as well.

Good. I think that you understand how all this works very well.

I understand that it is best to manage security by groups and tried adding
share permissions by group in the sharing dialog, with the same users as part
of those groups that I want to have access to shares, but access was denied.
This only worked if the "Everyone" group was present in the dialog, or if I
explicitly added them by user name.

For examples of how to define and use groups, see this article by Ron
Lowe and me:

Windows XP Professional File Sharing
http://www.practicallynetworked.com/sharing/xp_filesharing/index.htm

I realize this is a lot of verbage - sorry! I am learning how windows
sharing over the network "works" and I really appreciate the help!

I'm glad to help! And you already have a good understanding of a very
complex and confusing subject.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

 

[Guest]

Steve,
This is great stuff and I have reviewed a great deal of sharing and
file/folder security information. I'm gradually getting it! Your article your
referred to is very useful.

I still have a couple of questions lurking in the back of my mind. I have
been trying various sharing and security settings. As I learn about this, it
seems that the Guest account and Everyone group have essentially the same
function. Is the Everyone group for anyone without an explicit account on the
XP server machine? So that if I remove it, as I have, only people with
accounts can access my XP Pro server system? Or, withouth any Everyone share
permission, an unkown user will be prompted for another user and password?
So, if you keep the Everyone group, does this mean that an unkown user can
access the share without being prompted for a userid and password? BTW, I
have disabled the Guest account under Computer Administration.

I also need to understand the interaction of share permissions (first gate)
and then file permissions (second gate). I have set up share permissions by
group to allow specific permissions. Let's say one group only has Read
permission under sharing permissions. Let's say then under the Security tab
for file/folder permissions, the Users group is present with Read, Write, and
Execute permission. Does this mean that a remote use with only Read share
permission could then modify files because once connected, via the Users
group, they now have Write permission? Or does the share permission control
whatever is shown under the file/folder Security settings?

I am also wondering what the effect of the Everyone group is when in the
permissions list for file/folder security (not the share ACL). In subfolders
in My Documents, I notice the Everyone group has permission to Read, Write,
and Modify files. Let's say I have shared this particular folder and there is
no Everyone group on the share ACL, but another group with the users I want
to have explicit share access permissions that is Read only. Once they
connect to the share, does the Everyone group on the security tab for
file/folder permissions allow them to Modify the files? I was considering
making explicit security settings propagated from My Documents throughout all
child objects in that folder without the Everyone group, so there is no risk
of remote users being able to modify these files. But I don't want to cause
unintended side effects due to my lack of understanding of what that might do
in the bigger picture.

I also have a user account that was created as an administrator and found
that easiest to make sure all software could be installed and run under that
user's account. There were problems when the user was just a "limited" user.
Now that I am getting very specific about permissions, I want to remove that
user from the Administrators group, but still permit software installation
and execution on that user's login. I explicitly specify the Administrator's
Group and Power User's group for share access permissions, though I don't
want this particular user in those groups. Is there a way that this user can
still do what is needed and not be in the Administrator or Power User Group?

Thanks!

 

[Steve Winograd [MVP]]

Steve,
This is great stuff and I have reviewed a great deal of sharing and
file/folder security information. I'm gradually getting it! Your article your
referred to is very useful.

Thanks. You're asking very good questions about a very confusing
subject, and I'll answer them as best I can. If I get something
wrong, I hope that Ron Lowe (or anyone else who understands this
better than I do) will jump in and correct it.

I still have a couple of questions lurking in the back of my mind. I have
been trying various sharing and security settings. As I learn about this, it
seems that the Guest account and Everyone group have essentially the same
function.

They have similar functions, but in mutually exclusive circumstances.
The Guest account is only relevant if simple file sharing is enabled.
The Everyone group is only relevant if simple file sharing is
disabled.

Regarding the Guest account:

1. Enabling or disabling the Guest account in Control Panel | User
Accounts has nothing to do with networking. It controls whether
someone can log on to a computer as Guest at the local keyboard.

2. With simple file sharing enabled, a Windows XP Pro server forces
all users on all computers to access its shared disks and folders
through the Guest account, regardless of the actual account being
used. You can control Guest access to shares with these commands:

net user guest /active:no ; disables Guest, blocks access to all
net user guest /active:yes ; enables Guest, allows access to all

2. With simple file sharing disabled on a Windows XP server, the Guest
account has no role in share access.

The rest of my answers apply to a server computer running Windows XP
Professional with simple file sharing disabled. I'm not addressing
servers with simple file sharing enabled.

With one exception that I note below, it makes no difference what
operating system a client computer is running.

Is the Everyone group for anyone without an explicit account on the
XP server machine?

No, just the opposite. The Everyone group includes everyone who has
an explicit account.

The Everyone group is simply a convenience. It's easier to give
permission to the Everyone group than to give individual permission to
each user account.

So that if I remove it, as I have, only people with
accounts can access my XP Pro server system?

Only people with accounts on an XP Pro server can access shares on
that server. It makes no difference whether the Everyone group has
permission.

Or, withouth any Everyone share
permission, an unkown user will be prompted for another user and password?

Everyone permission is irrelevant to an unknown user, because the
Everyone group only contains known users.

When an unknown user requests share access, an XP Pro server replies
with a request to log on with different credentials. The result
depends on the client computer's operating system:

1. Windows 2000 and XP display a logon prompt, allowing the user to
enter a different user name and/or password.

2. Windows 95/98/Me display a prompt for the IPC$ (Interprocess
Communication) password. There's no correct reply to this prompt, and
access to the server isn't possible.

BTW, a user will be unknown if the user name doesn't exist on the
server, or if the user name is the same on the client and server but
the password for that user is different between them.

So, if you keep the Everyone group, does this mean that an unkown user can
access the share without being prompted for a userid and password?

No. Unknown users can't access XP Pro shares.

BTW, I have disabled the Guest account under Computer Administration.

I'm sorry, but I don't know what you mean by "Computer
Administration". What exactly did you do?

I also need to understand the interaction of share permissions (first gate)
and then file permissions (second gate). I have set up share permissions by
group to allow specific permissions. Let's say one group only has Read
permission under sharing permissions. Let's say then under the Security tab
for file/folder permissions, the Users group is present with Read, Write, and
Execute permission. Does this mean that a remote use with only Read share
permission could then modify files because once connected, via the Users
group, they now have Write permission? Or does the share permission control
whatever is shown under the file/folder Security settings?

To have a particular type of access, a user needs permission on both
the share and the file. In Boolean algebra terms:

network access permission = share permission AND file permission

So, a user connecting through a read-only share can only have read
access to a file, and then only if the file permissions allow it.

[remainder snipped]

I'm sorry, but I've run out of time for now. I'll be glad to answer
the rest of your questions later.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

 

[Guest]

Steve,
Thanks so much for your efforts.
Just a quick reply to your question to clarify what I meant when I said I
diabled the Guest account under "Computer Administration."

I did this by going to Administrative Tools > Computer Management and then
clicking on "Local Users and Groups" > "Users." There are my local user
accounts, including the Guest account. I disabled it there via its Properties.

Steve,
This is great stuff and I have reviewed a great deal of sharing and
file/folder security information. I'm gradually getting it! Your article your
referred to is very useful.

Thanks. You're asking very good questions about a very confusing
subject, and I'll answer them as best I can. If I get something
wrong, I hope that Ron Lowe (or anyone else who understands this
better than I do) will jump in and correct it.

I still have a couple of questions lurking in the back of my mind. I have
been trying various sharing and security settings. As I learn about this, it
seems that the Guest account and Everyone group have essentially the same
function.

They have similar functions, but in mutually exclusive circumstances.
The Guest account is only relevant if simple file sharing is enabled.
The Everyone group is only relevant if simple file sharing is
disabled.

Regarding the Guest account:

1. Enabling or disabling the Guest account in Control Panel | User
Accounts has nothing to do with networking. It controls whether
someone can log on to a computer as Guest at the local keyboard.

2. With simple file sharing enabled, a Windows XP Pro server forces
all users on all computers to access its shared disks and folders
through the Guest account, regardless of the actual account being
used. You can control Guest access to shares with these commands:

net user guest /active:no ; disables Guest, blocks access to all
net user guest /active:yes ; enables Guest, allows access to all

2. With simple file sharing disabled on a Windows XP server, the Guest
account has no role in share access.

The rest of my answers apply to a server computer running Windows XP
Professional with simple file sharing disabled. I'm not addressing
servers with simple file sharing enabled.

With one exception that I note below, it makes no difference what
operating system a client computer is running.

Is the Everyone group for anyone without an explicit account on the
XP server machine?

No, just the opposite. The Everyone group includes everyone who has
an explicit account.

The Everyone group is simply a convenience. It's easier to give
permission to the Everyone group than to give individual permission to
each user account.

So that if I remove it, as I have, only people with
accounts can access my XP Pro server system?

Only people with accounts on an XP Pro server can access shares on
that server. It makes no difference whether the Everyone group has
permission.

Or, withouth any Everyone share
permission, an unkown user will be prompted for another user and password?

Everyone permission is irrelevant to an unknown user, because the
Everyone group only contains known users.

When an unknown user requests share access, an XP Pro server replies
with a request to log on with different credentials. The result
depends on the client computer's operating system:

1. Windows 2000 and XP display a logon prompt, allowing the user to
enter a different user name and/or password.

2. Windows 95/98/Me display a prompt for the IPC$ (Interprocess
Communication) password. There's no correct reply to this prompt, and
access to the server isn't possible.

BTW, a user will be unknown if the user name doesn't exist on the
server, or if the user name is the same on the client and server but
the password for that user is different between them.

So, if you keep the Everyone group, does this mean that an unkown user can
access the share without being prompted for a userid and password?

No. Unknown users can't access XP Pro shares.

BTW, I have disabled the Guest account under Computer Administration.

I'm sorry, but I don't know what you mean by "Computer
Administration". What exactly did you do?

I also need to understand the interaction of share permissions (first gate)
and then file permissions (second gate). I have set up share permissions by
group to allow specific permissions. Let's say one group only has Read
permission under sharing permissions. Let's say then under the Security tab
for file/folder permissions, the Users group is present with Read, Write, and
Execute permission. Does this mean that a remote use with only Read share
permission could then modify files because once connected, via the Users
group, they now have Write permission? Or does the share permission control
whatever is shown under the file/folder Security settings?

To have a particular type of access, a user needs permission on both
the share and the file. In Boolean algebra terms:

network access permission = share permission AND file permission

So, a user connecting through a read-only share can only have read
access to a file, and then only if the file permissions allow it.

[remainder snipped]

I'm sorry, but I've run out of time for now. I'll be glad to answer
the rest of your questions later.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

 

[Steve Winograd [MVP]]

Steve,
Thanks so much for your efforts.

You're welcome, EJC.

Just a quick reply to your question to clarify what I meant when I said I
diabled the Guest account under "Computer Administration."

I did this by going to Administrative Tools > Computer Management and then
clicking on "Local Users and Groups" > "Users." There are my local user
accounts, including the Guest account. I disabled it there via its Properties.

I think that's the same as disabling the Guest account in Control
Panel | User Accounts. It determines whether
someone can log on to a computer as Guest at the local keyboard, and
it has no effect on networking.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

 

[Steve Winograd [MVP]]

[large snip, previously answered]

I am also wondering what the effect of the Everyone group is when in the
permissions list for file/folder security (not the share ACL). In subfolders
in My Documents, I notice the Everyone group has permission to Read, Write,
and Modify files. Let's say I have shared this particular folder and there is
no Everyone group on the share ACL, but another group with the users I want
to have explicit share access permissions that is Read only. Once they
connect to the share, does the Everyone group on the security tab for
file/folder permissions allow them to Modify the files? I was considering
making explicit security settings propagated from My Documents throughout all
child objects in that folder without the Everyone group, so there is no risk
of remote users being able to modify these files. But I don't want to cause
unintended side effects due to my lack of understanding of what that might do
in the bigger picture.

This question is so complicated that I wouldn't answer it without
actually testing it on a live computer.

So, I suggest that you test it, see how it works, and then post a news
group reply with what you find out. To avoid undesired side effects
on a real folder, you can create a test folder, share it, copy some
other folders and documents into it, set up permissions, and
experiment with the permissions and networked access.

I also have a user account that was created as an administrator and found
that easiest to make sure all software could be installed and run under that
user's account. There were problems when the user was just a "limited" user.

Administrator or Power User permission shouldn't be needed to run a
program that was written for Windows XP. It might be needed to run
some legacy programs.

Now that I am getting very specific about permissions, I want to remove that
user from the Administrators group, but still permit software installation
and execution on that user's login. I explicitly specify the Administrator's
Group and Power User's group for share access permissions, though I don't
want this particular user in those groups. Is there a way that this user can
still do what is needed and not be in the Administrator or Power User Group?

Not that I know of.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com