Hi Pinto1Uk:
If you are running Windows XP and are using the NTFS file system, there are
many things you can do to lock down your system to prevent unwanted
activities of your kids.
By password-protecting your primary (Administrator-level) User Account and
creating one or more non-Administrator User accounts (Say, "Kids" or "Fun"),
you can secure the files of the operating system, application, and other
folders to prevent most changes to important files and even prevent the
Account from being able to purge its history footprint files.
Entire applications and utilities can be prevented from use by this account
by removing the Excecute (X) privilege on the executable files for these
programs. Changing Folder permissions to Read-Execute (RX) instead of Full
Access or Change (RWXD) prevents the modification of existing programs and
the installation of new ones.
Changing a Folder's permissions to Write Only (W) prevents the contents of a
folder from being browsed (or listed), thus making it very hard to purge its
contents. The Read (R) permission for a directory controls whether the files
in the directory can be listed, or browsed with the Windows Explorer. The
Execute (X) permission for a directory controls whether the user can change
the current directory to that folder.
Finally, using Group Policy Editor, system policies can be enabled that
remove many elements from the user interface: Disabline the Run... command,
removing the Control Panel from the Start Menu and the Explorer, and many
other settings to restrict access to only approved features of the system.
This is not a particularly simple thing to accomplish, and it requires
Windows XP Professional or Media Center Edition, because the Home Edition
uses a much-simplified security structure. However, it is very powerful, and
can prevent corruption of the operating system from malicious code and
hacking efforts by eliminating the system-wide permissions to alter the
configuration of the computer. Similar security can also be applied to the
Registry for important settings that could allow the behaviors of certain
applications to be modified. (Preventing Regedit.exe from being executed is
a good first step).
To do this safely, you must be certain that you have an Administrator
account (an account that is a member of the Administrators group), and that
you globally apply Full Control for the Administrators group and the SYSTEM
account to the entire file system before restricting the permissions for
other groups. Otherwise, it is possible to remove enough permissions to the
file system to prevent the operating system from even booting or continuing
to operate.
The basic idea is:
1) Clear all file and directory permissions by globally applying (and
replacing existing permissions) <Full Control> to only the SYSTEM account and
Administrators group.
2) Create one or more Non-Administrative Accounts, ex. Kids, that are not
members of the Administrators group, but are members of a single new group,
such as "Restricted Access"
3) Selectively apply to the Restricted Access group, or the individual User
Account (for folders in the profile, such as My Documents), List & Execute
(RX), List (R), Add (RW), Add-Only (W) to the majority of the operating
system and application folders and files, Edit (RWD) without Execute (X)
permissions to document folders for the Account's documents.
If a single directory exists with Change (RWXD) or Full Control for a user,
a knowledgeable user can install new software into such a location and then
execute it, so Execute permissions must be very carefully controlled
throughout the entire file system.
The other suggestions for using application settings to assign a
parental-control password and suppress the System Tray icons are excellent,
but even if applied, will leave many, many other ways for a knowledgeable
person to beat the system. For example, installing another web browser, etc.
Just remember that locking a door keeps honest people honest, but cannot
defeat the determined criminal...
Sometimes not preventing an activity, but auditing its use, is more
successful at determining what problems exist, if any. Think of mouse
traps... They don't prevent access to the cheese, they just attach
consequences. Unless you are a very adept user, your children will
increasingly have more advanced skills than you posess. and if they don't,
their friends will. Do not count entirely on technological solutions, but
work on instilling the right values in your kids, and, if you want my
opinion, keep computers accessible to your kids in common spaces in the house
where they can be observed, not in their bedrooms...
Also, protect your Windows Installation Media. No system is secure unless
access to the Installation Medium is controlled. Any user with a Windows
Setup CD can "reinstall" the operating system and hijack the Administrator
account, thus gaining access to the entire system along with the ability to
do anything they want with it... So if the computer has a Bootable CD-ROM
drive, it is never entirely secure.
Probably more than you wanted to know, but it's all true.
