User access control capabilities in Windows XP Pro

Q. Do you happen to know of a program that stops users accessing the desktop and files? I am considering buying [Windows] XP Professional and have looked at user security.

Each user can have their own settings and preferences, but you cannot set up a user as the administrator so they only access certain programs and files; e.g., one user account for children, another to play only music. At the moment I am using Windows 98, and I am using a program made by Edmark called Kidsafe, which loads before the desktop appears and allows each user their own desktop, provided by the program (not the Windows desktop, but Kidsafe’s). This is set up by an administrator, who controls what each user can access.

The Mac OS X user accounts allow an administrator to set up accounts so users can only access certain programs and files. Unfortunately, I am a Windows person and am disheartened that Microsoft didn’t give more functionality to user accounts. I like XP’s new desktop interface and it is good that it allows individual users, but I am looking for a program that gives more flexibility to set up accounts by the administrator. Any help would be great.

– Marcus Barnard

A. Well, Marcus, the functionality you’re after is built into Windows XP Professional. Windows XP has extensive user access control capabilities. You can fine-tune what each user can do much more so than with Mac OS X, but the amount of flexibility can also be bewildering.

First, it’s important to realise that the Administrator account is completely without access restrictions. It’s the account used to manage and maintain the system, and therefore the most powerful one (and thus, potentially, the one capable of causing the most damage).

It works in a similar fashion to the ‘root’ account on UNIXes like Mac OS X and, thus, must be handled with care.

Rule number one is: do not run Windows XP under the Administrator account for day-to-day use. Always password protect access to the Administrator account and do not let children use it.

Rule number two is: use the NTFS file system for your hard disk, not FAT32. NTFS is not only much more robust than FAT32, it also provides the necessary Access Control List capabilities for the file system — these are not available in FAT32.

Windows XP comes with several standard user templates, each with separate access rights, such as:

Standard User: member of the Power Users Group — these users can change many system settings and install programs that do not touch Windows system files.

Restricted User: member of the Users Group — these users can log in and use the computer, and save their own documents and data files, but they are not able to install any programs or to change the system settings.

Furthermore, you have:

Administrators: described above, this account type has full control over the computer and other users;

Backup Operator: these users can override file system security settings for backing up and restoring data (but only for that purpose);

Guests: an even more restricted account type than Users;

Network Configuration Operators: users who can manage network configurations (such as changing the dial-up settings);

Remote Desktop Users: an account type for those you wish to allow access to log on to Windows XP from a remote location.

There are other account templates as well, but they are for specialised pur­poses and fall outside the scope of this topic.

All of these accounts can be set up from the User Accounts applet in the Control Panel. You can further fine-tune users’ (and the account templates) access rights and privileges by clicking on the Advanced tab in the User Accounts dialogue, and selecting the Advanced button.

Once you’ve decided on the right account type for your users, you can then, for instance, decide which areas on the file system they can go to, and deny access to others. Simply open up Windows Explorer, and right-click on, for example, a folder to which you wish to restrict, and pick Sharing and Security. In the dialogue that pops up, click on the Security tab, and you can pick who (and which group of users) can have full control (usually Adminstrators and the folder owners only), modify (ditto), read and execute files in the folder, list folder contents, and read and write from and to the folder.

Click the Advanced button, and you get really fine-grained control over the security settings. You can also turn on Auditing of access, change ownership of the folder, etc. It’s all in a relatively simple Allow/Deny tick boxes format, but be careful so you don’t shut yourself out of the folder in question.

By judiciously applying file system privileges for different users, you can accomplish most of the things you describe above. Even if you happen to have the occasional badly-written piece of software (such as older games) that won’t run without Administrator privileges, you can make allowances for this by right-clicking on the program executable (*.exe), and selecting Run As. Then, pick the user (or the Administrator account) that you wish to run the program under. The program then gets all the privileges of that user, so be careful; the best solution here, of course, is not to use poorly-written programs that must be run as Administrator.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Juha Saarinen

PC World
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?