Q: XP child-proofing ?

X

x9012590125

Hi all.

PROBLEM:
=======

- 2 PC's running XP Pro, networked via ADSL router
- Downstairs is the 'family' PC, and upstairs the kids' PC
- Downstairs PC is for the parents, and upstairs PC is for the kids
- Each PC has a username for each member of the family:
Downstairs: parents are admins, kids are normal users (restricted)
Upstairs: parents are admins, kids are also admins (temporarily)


Parents want to prevent kids from going where/accessing what they're
not supposed to; download/install stuff that may corrupt the PC, or the
whole network (viruses, spywares, etc). Yet, kids should be free to
install games (ie. from CD/DVD), whose setups may modify the system
(requiring admin rights).


The biggest problem is with the boy (12): he loves to experiment... has
absolutely *no* idea what he's doing; has *no* notion of what safe or
destructive is; clicks on *everything*, opens *every* file/attachment
in MSN Messenger and Outlook Express, etc. A byte-size version of the
Tasmanian devil... heaven for an system admin! :0

The girl (11) doesn't experiment, but she likes to play games, and do
email/MSN. She's not dangerous (yet), but could still get (the system)
in trouble...


SCENARIOS:
=========

1)

Easiest solution of course, is to set both kids as restricted users,
upstairs and downstairs. However, some games require admin rights to
install certain files/device drivers; and/or to modify the registry.

So if daddy installs a game, often the kids won't be able to run it
because the admin rights are no longer present. Also a pain in the ass
for daddy!


2)

If I create a separate admin-user called "power"; and make it so that
username cannot logon interactively... Theoretically, if a restricted
user right-clicks on "SETUP.EXE", and selects "Run as..." and selects
"power", the install program should run with admin rights (like 'sudo'
in Linux).

What I'd like to know is...

- Would it work in all situations?

- What if the install program invokes other programs (ie. "SETUP.EXE"
calls "SETUP2.EXE", etc); would the credentials be inherited through
the chain?


3)

I have other ideas, but I'm not sure if any of them are adequate and
low/no maintenance:

* (ZAK) Zero Administration Toolkit [NT/2000]
* (SCT) Shared Computer Toolkit [XP]
* (GPO) Group policies [XP]

I heard about the ZAK some years back, but I never used it, nor know of
anyone who has implemented it in a non-corporate environment to control
the brat-pack.

The SCT seems to target public computers (in libraries, internet cafes,
etc), who need to reset to an initial configuration after user logoff,
or periodically. Not applicable.

And GPO's are quite tricky to configure/implement (ie. some
restrictions impact multiple components, etc).


So anyone have an easy, manageable and low maintenance solution?

I'm all eyes... ;)
Thanks!!

Mark T.

PS: Email is a decoy; please reply within thread.
 
S

Steven L Umbach

That is a bad situation if they want the kids to be able to install and run
all software. If a parent could install the software and then the software
be configured to run as a regular user that would be the best solution.
Often the limited user just needs modify access to the folder where the
application is installed in program files folder and to it's registry key in
HKLM\software though it can be more complicated than that and not even be
possible for some poorly written applications where the developers assume
the end user will always be an administrator.

Leaving the children as administrators or power users will lead to more
problems and by all means make sure they are not administrators any more on
parent computers. The Shared Computer Toolkit is a usually a better option
than Group Policy when computers are not in an Active Directory domain.
Runas requires that the user know administrator credentials though there are
runas replacements such as cpau free from Joeware.net and written by
Microsoft MVP Joe Richards that can do the same as runas an encode the
credentials so that the user can not easily see them. That may be something
you can work with. Another thing I would look at is using an image program
like Ghost that is available with some versions on SystemWorks and create
Ghost images of their computer when they are clean and with basic
applications, patches, and service pack installed. Then when things get
screwed up really bad the system partition can be quickly restored from a
Ghost image. Users should also be trained how to back up their important
data files to external media such as DVD/cdrom as that can be easily lost or
compromised on an infected or hacked computer. Of course I assume that
computers will be set up with antivirus that can automatically be updated,
scan all emails, etc and to keep current with critical updates. --- Steve

http://www.joeware.net/win/free/tools/cpau.htm

Hi all.

PROBLEM:
=======

- 2 PC's running XP Pro, networked via ADSL router
- Downstairs is the 'family' PC, and upstairs the kids' PC
- Downstairs PC is for the parents, and upstairs PC is for the kids
- Each PC has a username for each member of the family:
Downstairs: parents are admins, kids are normal users (restricted)
Upstairs: parents are admins, kids are also admins (temporarily)


Parents want to prevent kids from going where/accessing what they're
not supposed to; download/install stuff that may corrupt the PC, or the
whole network (viruses, spywares, etc). Yet, kids should be free to
install games (ie. from CD/DVD), whose setups may modify the system
(requiring admin rights).


The biggest problem is with the boy (12): he loves to experiment... has
absolutely *no* idea what he's doing; has *no* notion of what safe or
destructive is; clicks on *everything*, opens *every* file/attachment
in MSN Messenger and Outlook Express, etc. A byte-size version of the
Tasmanian devil... heaven for an system admin! :0

The girl (11) doesn't experiment, but she likes to play games, and do
email/MSN. She's not dangerous (yet), but could still get (the system)
in trouble...


SCENARIOS:
=========

1)

Easiest solution of course, is to set both kids as restricted users,
upstairs and downstairs. However, some games require admin rights to
install certain files/device drivers; and/or to modify the registry.

So if daddy installs a game, often the kids won't be able to run it
because the admin rights are no longer present. Also a pain in the ass
for daddy!


2)

If I create a separate admin-user called "power"; and make it so that
username cannot logon interactively... Theoretically, if a restricted
user right-clicks on "SETUP.EXE", and selects "Run as..." and selects
"power", the install program should run with admin rights (like 'sudo'
in Linux).

What I'd like to know is...

- Would it work in all situations?

- What if the install program invokes other programs (ie. "SETUP.EXE"
calls "SETUP2.EXE", etc); would the credentials be inherited through
the chain?


3)

I have other ideas, but I'm not sure if any of them are adequate and
low/no maintenance:

* (ZAK) Zero Administration Toolkit [NT/2000]
* (SCT) Shared Computer Toolkit [XP]
* (GPO) Group policies [XP]

I heard about the ZAK some years back, but I never used it, nor know of
anyone who has implemented it in a non-corporate environment to control
the brat-pack.

The SCT seems to target public computers (in libraries, internet cafes,
etc), who need to reset to an initial configuration after user logoff,
or periodically. Not applicable.

And GPO's are quite tricky to configure/implement (ie. some
restrictions impact multiple components, etc).


So anyone have an easy, manageable and low maintenance solution?

I'm all eyes... ;)
Thanks!!

Mark T.

PS: Email is a decoy; please reply within thread.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top