Multiple workgroup isolation on one LAN

Gary Richtmeyer

Environment: a church with DSL into a router and many PCs of all "flavors",
including XP Pro (currently using simple file sharing), XP Home, ME and 98
SE. The requirement is to put some PCs into workgroup "A", give them
Internet access and allow them to share files and printers among themselves.
Put other PCs into workgroup "B", give them Internet access and allow them
to share files and printers among themselves. BUT, do not allow any PCs in
workgroup "A" to access any resources within workgroup "B", and vice versa.

In setting up a test environment, PCs in both workgroups are able to access
the Internet; so far, so good.

However, PCs in "A" are able to access the shared files & printers within
"B" and the PCs in "B" are able to access the shared files & printers in
"A", which is NOT what they want -- they want resource availability limited
to just those PCs within that workgroup. (In case somebody asks, it's not
really feasible to limit by *userid* as many PCs have multiple users sharing
the same PC, each with their own userid.)

I thought that the whole purpose of workgroups was to allow resource
isolation on a workgroup level, but that's evidently not what's happening.
Is there something I need to do to accomplish this, or am I mistaken about
the concept?

I hope the answer is not that they have to go to a domain concept -- I don't
believe they have the resources, both PC and administrative, to run that
type of environment -- they want something simple.

Need some guidance.

-- Gary Richtmeyer
 
Malke

Gary said:
Environment: a church with DSL into a router and many PCs of all
"flavors", including XP Pro (currently using simple file sharing), XP
Home, ME and 98
SE. The requirement is to put some PCs into workgroup "A", give
them Internet access and allow them to share files and printers among
themselves. Put other PCs into workgroup "B", give them Internet
access and allow them
to share files and printers among themselves. BUT, do not allow any
PCs in workgroup "A" to access any resources within workgroup "B", and
vice versa.

In setting up a test environment, PCs in both workgroups are able to
access the Internet; so far, so good.

However, PCs in "A" are able to access the shared files & printers
within "B" and the PCs in "B" are able to access the shared files &
printers in "A", which is NOT what they want -- they want resource
availability limited
to just those PCs within that workgroup. (In case somebody asks, it's
not really feasible to limit by *userid* as many PCs have multiple
users sharing the same PC, each with their own userid.)

I thought that the whole purpose of workgroups was to allow resource
isolation on a workgroup level, but that's evidently not what's
happening. Is there something I need to do to accomplish this, or am I
mistaken about the concept?

I hope the answer is not that they have to go to a domain concept -- I
don't believe they have the resources, both PC and administrative, to
run that type of environment -- they want something simple.

Need some guidance.

-- Gary Richtmeyer

You need to set up a second router using a different subnet for the
other workgroup. Obviously, this will mean running another dsl line
(not another dsl *account*). Router 1: 192.168.1.1; Router 2:
192.168.2.1.

Malke
 
Ross Durie

You could split the XP machines (turn simple file sharing off) from the
9x/Me machines. Then if the 9x/Me machines don't have accounts on the XP
machines they simply can't access them. Internet access is as now.
 
Gary Richtmeyer

Malke said:
You need to set up a second router using a different subnet for the
other workgroup. Obviously, this will mean running another dsl line
(not another dsl *account*). Router 1: 192.168.1.1; Router 2:
192.168.2.1.

Malke
--
MS MVP - Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"


Malke,

Thanks for the idea, in essence, a network within a network. I just need
another router, then connect one of the ports of the first router to the WAN
input on the 2nd router, then configure the 2nd router to a unique subnet.
All PCs connected to the 2nd router will not be able to "see" the PCs on the
first router, right? I assume vice versa is true too (PCs on the first
router can't see the PCs on the 2nd router), right?

Given the above, I obviously misunderstood the purpose of workgroups. Do
they actually serve a useful function other than logically grouping some
resources together -- which really doesn't accomplish that much in this
case?

-- Gary Richtmeyer
 
Malke

Gary said:
Malke,

Thanks for the idea, in essence, a network within a network. I just
need another router, then connect one of the ports of the first router
to the WAN input on the 2nd router, then configure the 2nd router to a
unique subnet. All PCs connected to the 2nd router will not be able to
"see" the PCs on the
first router, right? I assume vice versa is true too (PCs on the
first router can't see the PCs on the 2nd router), right?

Given the above, I obviously misunderstood the purpose of workgroups.
Do they actually serve a useful function other than logically grouping
some resources together -- which really doesn't accomplish that much
in this case?

-- Gary Richtmeyer

No, not a "network within a network". Two networks using the same
Internet connection. Of course Workgroups are useful. You can have
computers on the same network sharing the same Internet connection but
not sharing any files or resources. When I connect a client computer to
my network to get high-speed Internet connectivity, the client computer
automatically is on my subnet; i.e., gets an IP address from my router
of 192.168.1.xxx/255.255.255.0, but I don't join it to my Workgroup.

I am going to suggest that you have a professional come in and set up
your network properly. It should not be very expensive and you will be
sure that you are set up correctly and securely. It is always a mistake
to set up a business network without really knowing what you are doing.
Incorrect networking/security can put your church's data at risk.

Good luck,

Malke
 
Gary Richtmeyer

Malke, thanks for the response. I have a follow-up for clarification on one
of your points:

You can have
computers on the same network sharing the same Internet connection but
not sharing any files or resources. When I connect a client computer to
my network to get high-speed Internet connectivity, the client computer
automatically is on my subnet; i.e., gets an IP address from my router
of 192.168.1.xxx/255.255.255.0, but I don't join it to my Workgroup.

I understand the Internet connectivity. I can connect my laptop (defined as
in the "RANGER" workgroup) into the church's router and will indeed get an
IP of 192.168.1.xxx and can then access the Internet.

However, I don't understand your comment "but I don't join it to my
Workgroup." The church's office PCs are in the "WHBC" group and my laptop
is in the "RANGER" workgroup, but I can easily access their shared disks
(they use simple file sharing) without changing the laptop's workgroup. I
just show the Entire Network (which displays both the WHBC and the RANGER
networks), then select WHBC, then the appropriate church PC, then its
resources. No "joining" was needed.

This is the reason for my original question -- in the above configuration,
shouldn't the RANGER PC be prevented from seeing the WHBC PCs?

-- Gary Richtmeyer
 
CZ

Malke wrote:
You can have
computers on the same network sharing the same Internet connection but
not sharing any files or resources. When I connect a client computer to
my network to get high-speed Internet connectivity, the client computer
automatically is on my subnet; i.e., gets an IP address from my router
of 192.168.1.xxx/255.255.255.0, but I don't join it to my Workgroup.

Gary wrote:
I understand the Internet connectivity. I can connect my laptop (defined as
in the "RANGER" workgroup) into the church's router and will indeed get an
IP of 192.168.1.xxx and can then access the Internet.

However, I don't understand your comment "but I don't join it to my
Workgroup." The church's office PCs are in the "WHBC" group and my laptop
is in the "RANGER" workgroup, but I can easily access their shared disks
(they use simple file sharing) without changing the laptop's workgroup. I
just show the Entire Network (which displays both the WHBC and the RANGER
networks), then select WHBC, then the appropriate church PC, then its
resources. No "joining" was needed.

This is the reason for my original question -- in the above configuration,
shouldn't the RANGER PC be prevented from seeing the WHBC PCs?

Gary:
I just tried to duplicate your church situation (user in workgp A can
see/access workgp B shares) and could not do it, but I have seen it happen.
You were using the NetBT based browsing system, as I was in my attempt to
duplicate your church situation. However, I can use Start: Run: \\x.x.x.x
to see/use the shares in another workgp provided the non-NetBT based TCP
port 445 networking system works on both ends, even when the NetBT based
browsing system does not work.

If you are concerned about security, and the other computers are using Home,
which only allows network connections via the Guest acct (aka simple file
sharing), then you have a problem. If you had XP Pro, you could disable
simple file sharing, and require custom user acct authentication for shared
object access.
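As an added illustration, constructed for this thread rather than posted by anyone in it: a small Python model of the point CZ makes above, that whether a PC can open a share over TCP port 445 is decided by IP routing and never by the workgroup name, applied to Gary's single-LAN test and to Malke's two-router layout. The host names, the specific addresses beyond the 192.168.1.x and 192.168.2.x the thread mentions, and the assumption that the second router is an ordinary NAT box with its WAN port plugged into a LAN port of the first are all assumptions made here.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Host:
    name: str
    ip: IPv4Address
    network: IPv4Network  # LAN segment the host is plugged into
    workgroup: str        # NetBIOS workgroup: a label used only for browsing


@dataclass(frozen=True)
class NatRouter:
    # Assumption: a consumer NAT router whose WAN port hangs off an upstream LAN.
    inside: IPv4Network   # its own LAN, e.g. 192.168.2.0/24
    outside: IPv4Network  # the LAN its WAN port is plugged into


def smb_reachable(src: Host, dst: Host, routers: tuple) -> bool:
    """Can `src` open TCP 445 to `dst`?

    The workgroup name never enters the decision; only the segments and
    the NAT routers between them do.
    """
    if src.network == dst.network:
        return True                   # same segment: Start > Run > \\x.x.x.x just works
    for r in routers:
        if src.ip in r.inside and dst.ip in r.outside:
            return True               # inner host dials out, the NAT forwards it
        if src.ip in r.outside and dst.ip in r.inside:
            return False              # unsolicited inbound is dropped at the NAT
    return False                      # no path between the segments at all


def cross_workgroup_paths(hosts, routers):
    """Return (src, dst) name pairs where a host in one workgroup can reach
    a share on a host in a *different* workgroup. Empty means isolated."""
    return sorted(
        (a.name, b.name)
        for a in hosts
        for b in hosts
        if a.workgroup != b.workgroup and smb_reachable(a, b, routers)
    )


# Scenario 1 (constructed): Gary's test LAN, every PC behind the one router.
LAN1 = ip_network("192.168.1.0/24")
ONE_LAN = (
    Host("office-pc", ip_address("192.168.1.10"), LAN1, "A"),
    Host("youth-pc", ip_address("192.168.1.20"), LAN1, "B"),
)

# Scenario 2 (constructed): Malke's layout, workgroup B moved behind a second
# router whose WAN port is plugged into a LAN port of the first.
LAN2 = ip_network("192.168.2.0/24")
TWO_ROUTERS = (
    Host("office-pc", ip_address("192.168.1.10"), LAN1, "A"),
    Host("youth-pc", ip_address("192.168.2.20"), LAN2, "B"),
)
DAISY_CHAIN = (NatRouter(inside=LAN2, outside=LAN1),)


if __name__ == "__main__":
    print("one LAN, two workgroups:", cross_workgroup_paths(ONE_LAN, ()))
    print("second router behind the first:", cross_workgroup_paths(TWO_ROUTERS, DAISY_CHAIN))
```

Two things the model makes visible: on a single LAN the cross-workgroup list is non-empty in both directions, which is exactly the behaviour Gary observed; and chaining a second router behind the first blocks connections from A into B but still lets B reach A, because the inner PCs can initiate outbound connections through their NAT. Symmetric isolation needs each workgroup behind its own router, or a firewall rule between the two segments.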
 
Malke

CZ said:
Malke wrote:
You can have

Gary wrote:
I understand the Internet connectivity. I can connect my laptop
(defined as in the "RANGER" workgroup) into the church's router and
will indeed get an IP of 192.168.1.xxx and can then access the
Internet.

However, I don't understand your comment "but I don't join it to my
Workgroup." The church's office PCs are in the "WHBC" group and my
laptop is in the "RANGER" workgroup, but I can easily access their
shared disks
(they use simple file sharing) without changing the laptop's
workgroup. I just show the Entire Network (which displays both the
WHBC and the RANGER networks), then select WHBC, then the appropriate
church PC, then its
resources. No "joining" was needed.

This is the reason for my original question -- in the above
configuration, shouldn't the RANGER PC be prevented from seeing the
WHBC PCs?

Gary:
I just tried to duplicate your church situation (user in workgp A can
see/access workgp B shares) and could not do it, but I have seen it
happen. You were using the NetBT based browsing system, as I was in my
attempt to
duplicate your church situation. However, I can use Start: Run:
\\x.x.x.x to see/use the shares in another workgp provided the
non-NetBT based TCP port 445 networking system works on both ends,
even when the NetBT based browsing system does not work.

If you are concerned about security, and the other computers are using
Home, which only allows network connections via the Guest acct (aka
simple file
sharing), then you have a problem. If you had XP Pro, you could
disable simple file sharing, and require custom user acct
authentication for shared object access.

Thanks for that great explanation, CZ. I've never had anything but Pro
and other operating systems in my own network, so I've never seen that
situation either. I still feel that even though this is for a church,
good network setup with excellent security is crucial. Gary, here are
some very good links to help you with networking (although the easiest,
safest, and quickest thing to do is just hire someone who knows what
they are doing):

http://www.smallnetbuilder.com/
http://www.wown.info/
http://www.practicallynetworked.com/
http://www.michna.com/kb/wxnet.htm - Small Network Troubleshooter by
Hans-Georg Michna

Malke
 
CZ

Update re: a user in workgp A can see/access workgp B shares

Gary:

I just tried again, and this time it worked.

Situation:
Win2k3 server as a standalone server (not a DC, no domain), and Win XP Pro
SP2.
Each is in a different workgp, and each is setup for NetBT file sharing.

Using My Network Places, the XP ws can see/use shares in both workgps.
 
Gary Richtmeyer

CZ,

Thanks for the responses.

Malke,

Thanks for the links. As for the church getting an "expert", for reasons
not worth going into here, I'm it. I've got a fair amount of experience in
a lot of PC-related things, but admit that my networking experience is
limited, especially when considering the church has just about every Win OS
available on their network (98SE, ME, 2K, XP Home and Pro).

If all were XP Pro, it'd be simple -- but when you consider all the
permutations of 1) OS, 2) resource-shared-by-all, 3)
resource-shared-by-some, 4) R/O resource vs R/W resource, and 5)
serially-reusable-resource (only one user at a time) -- let's just say that
I'm looking at this as a learning experience! :)

-- Gary Richtmeyer
 
