Create limited account with more than Default limits

H

Harry Putnam

Running (trying to run) a home lan linux based but with several winXP
componenents.

First off, my background is nearly all unix or linux so I don't really
talk the talk when it comes to configuring windows xp boxes.

I have things working as needed but need some help on how one goes
about setting up an account on a winXP (home edition) machine that has
limited rights. And here I mean more limits in place than the
defaults I guess.

I've used the user account dialog to set up a limited account but
users of such an account are still able to install such things as
Yahoo search bar, yahoo mail or the like.

I'd like the restricted account to not be able to install anything
that might affect another accounts browser or any other application.
Both of the above do that.

How can I set limits like that on an account?
 
C

Colin Nash [MVP]

Harry Putnam said:
Running (trying to run) a home lan linux based but with several winXP
componenents.

First off, my background is nearly all unix or linux so I don't really
talk the talk when it comes to configuring windows xp boxes.

I have things working as needed but need some help on how one goes
about setting up an account on a winXP (home edition) machine that has
limited rights. And here I mean more limits in place than the
defaults I guess.

I've used the user account dialog to set up a limited account but
users of such an account are still able to install such things as
Yahoo search bar, yahoo mail or the like.

I'd like the restricted account to not be able to install anything
that might affect another accounts browser or any other application.
Both of the above do that.

How can I set limits like that on an account?
Click to expand...

Limited accounts are not able to install software that would affect other
accounts. If this is happening, something is wrong. It would be a good
idea to ensure your hard drive is formatted using NTFS, to take advantage of
all the security features available. You can convert without losing any
data. See http://support.microsoft.com/default.aspx?scid=kb;en-us;307881
However, I believe that doing this after the fact will not apply the default
file security that you would get with a clean install, and XP Home has no
easy way for you to reapply these settings (I stand to be corrected here
because I don't have an XP Home machine available right now.)

However, they are able to install software that exists only within their own
user profile. If you want to restrict things further, you can look at this
free utility from Microsoft:
http://www.microsoft.com/windowsxp/sharedaccess/default.mspx (Shared
Computer Toolkit for Windows XP)
 
H

Harry Putnam

Colin Nash said:
Limited accounts are not able to install software that would affect other
accounts. If this is happening, something is wrong. It would be a good
idea to ensure your hard drive is formatted using NTFS, to take advantage of
all the security features available. You can convert without losing any
data. See http://support.microsoft.com/default.aspx?scid=kb;en-us;307881
However, I believe that doing this after the fact will not apply the default
file security that you would get with a clean install, and XP Home has no
easy way for you to reapply these settings (I stand to be corrected here
because I don't have an XP Home machine available right now.)

However, they are able to install software that exists only within their own
user profile. If you want to restrict things further, you can look at this
free utility from Microsoft:
http://www.microsoft.com/windowsxp/sharedaccess/default.mspx (Shared
Computer Toolkit for Windows XP)
Click to expand...

Thanks for the input... what I see here seems to contradict what
you've mentioned. A user installs Yahoo mail on a limited account.
That act resets the browser homepage a different users
(unlimited/admin) account.

What kind of thing could cause this, if as you say it has to mean
something is wrong?

One possibility that comes to mind is that the limited user is
actually slyly using an unlimited account to make the install.

I haven't had time to test this out by creating a another limited
account and experimenting.
 
C

Colin Nash [MVP]

Harry Putnam said:
Thanks for the input... what I see here seems to contradict what
you've mentioned. A user installs Yahoo mail on a limited account.
That act resets the browser homepage a different users
(unlimited/admin) account.

What kind of thing could cause this, if as you say it has to mean
something is wrong?

One possibility that comes to mind is that the limited user is
actually slyly using an unlimited account to make the install.

I haven't had time to test this out by creating a another limited
account and experimenting.
--
Click to expand...


Interesting... the home page is stored in the registry, under
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer which is only
accessible to... the current user (or administrators can manipulate it.)
Are you using IE? If you use something like Firefox or Opera maybe it
stores this info in an area that is less well-protected? (Not trying to
start a browser debate here!!!)

To really figure this out, you could use utilities like Filemon and Regmon
to determine where the Yahoo mail installer (or other things) are writing to
in the filesystem or registry.

http://www.sysinternals.com/Utilities/Filemon.html
http://www.sysinternals.com/Utilities/Regmon.html

Both of these need to run with admin rights though, as they use the "debug
programs" privilege which is granted only to Administrators (you can't
easily change that in XP Home either.) But still, you could monitor what
files and registry keys are being modified. Then you can look at locking
that area down.

One of the big differences between Administrator and limited user is the
difference in access to various system files and folders on the hard drive.
But this only happens if you are using NTFS: otherwise everything is wide
open on the drive.
 
H

Harry Putnam

Colin Nash said:
Interesting... the home page is stored in the registry, under
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer which is only
accessible to... the current user (or administrators can manipulate it.)
Are you using IE? If you use something like Firefox or Opera maybe it
stores this info in an area that is less well-protected? (Not trying to
start a browser debate here!!!)

To really figure this out, you could use utilities like Filemon and Regmon
to determine where the Yahoo mail installer (or other things) are writing to
in the filesystem or registry.
Click to expand...

Thanks again Colin,
I guess I'll have to research and experiment on this .. its becoming
kind of interesting to me too.

Incidently, in this case the affected (other user account) browser was
firefox.

Not sure yet what if anything happens to IE. But I will try it out
today by creating another limited account and using the tools you
pointed out.

Are you interested enough that I should post results?
 
C

Colin Nash [MVP]

Harry Putnam said:
Thanks again Colin,
I guess I'll have to research and experiment on this .. its becoming
kind of interesting to me too.

Incidently, in this case the affected (other user account) browser was
firefox.

Not sure yet what if anything happens to IE. But I will try it out
today by creating another limited account and using the tools you
pointed out.

Are you interested enough that I should post results?
--
Click to expand...


Sure thing. I'll check back.

-Colin
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

XP Guest account...administrator denied access 4
Using Same Account as both Admin and Limited User 9
Cannot create a folder in Limited User Account 4
Security policy for a limited account 4
limited account but still able to play games 2
more user account options? 1
flash for limited account ? 1
Logon Password problem 1

Top