User access control capabilities in Windows XP Pro

Q. Do you happen to know of a program that stops users accessing the desktop and files? I am considering buying [Windows] XP Professional and have looked at user security.

Each user can have their own settings and preferences, but you cannot set up a user as the administrator so they only access certain programs and files; e.g., one user account for children, another to play only music. At the moment I am using Windows 98, and I am using a program made by Edmark called Kidsafe, which loads before the desktop appears and allows each user their own desktop, provided by the program (not the Windows desktop, but Kidsafe’s). This is set up by an administrator, who controls what each user can access.

The Mac OS X user accounts allow an administrator to set up accounts so users can only access certain programs and files. Unfortunately, I am a Windows person and am disheartened that Microsoft didn’t give more functionality to user accounts. I like XP’s new desktop interface and it is good that it allows individual users, but I am looking for a program that gives more flexibility to set up accounts by the administrator. Any help would be great.

– Marcus Barnard

A. Well, Marcus, the functionality you’re after is built into Windows XP Professional. Windows XP has extensive user access control capabilities. You can fine-tune what each user can do much more so than with Mac OS X, but the amount of flexibility can also be bewildering.

First, it’s important to realise that the Administrator account is completely without access restrictions. It’s the account used to manage and maintain the system, and therefore the most powerful one (and thus, potentially, the one capable of causing the most damage).

It works in a similar fashion to the ‘root’ account on UNIXes like Mac OS X and, thus, must be handled with care.

Rule number one is: do not run Windows XP under the Administrator account for day-to-day use. Always password protect access to the Administrator account and do not let children use it.

Rule number two is: use the NTFS file system for your hard disk, not FAT32. NTFS is not only much more robust than FAT32, it also provides the necessary Access Control List capabilities for the file system — these are not available in FAT32.

Windows XP comes with several standard user templates, each with separate access rights, such as:

Standard User: member of the Power Users Group — these users can change many system settings and install programs that do not touch Windows system files.

Restricted User: member of the Users Group — these users can log in and use the computer, and save their own documents and data files, but they are not able to install any programs or to change the system settings.

Furthermore, you have:

Administrators: described above, this account type has full control over the computer and other users;

Backup Operator: these users can override file system security settings for backing up and restoring data (but only for that purpose);

Guests: an even more restricted account type than Users;

Network Configuration Operators: users who can manage network configurations (such as changing the dial-up settings);

Remote Desktop Users: an account type for those you wish to allow access to log on to Windows XP from a remote location.

There are other account templates as well, but they are for specialised pur­poses and fall outside the scope of this topic.

All of these accounts can be set up from the User Accounts applet in the Control Panel. You can further fine-tune users’ (and the account templates) access rights and privileges by clicking on the Advanced tab in the User Accounts dialogue, and selecting the Advanced button.

Once you’ve decided on the right account type for your users, you can then, for instance, decide which areas on the file system they can go to, and deny access to others. Simply open up Windows Explorer, and right-click on, for example, a folder to which you wish to restrict, and pick Sharing and Security. In the dialogue that pops up, click on the Security tab, and you can pick who (and which group of users) can have full control (usually Adminstrators and the folder owners only), modify (ditto), read and execute files in the folder, list folder contents, and read and write from and to the folder.

Click the Advanced button, and you get really fine-grained control over the security settings. You can also turn on Auditing of access, change ownership of the folder, etc. It’s all in a relatively simple Allow/Deny tick boxes format, but be careful so you don’t shut yourself out of the folder in question.

By judiciously applying file system privileges for different users, you can accomplish most of the things you describe above. Even if you happen to have the occasional badly-written piece of software (such as older games) that won’t run without Administrator privileges, you can make allowances for this by right-clicking on the program executable (*.exe), and selecting Run As. Then, pick the user (or the Administrator account) that you wish to run the program under. The program then gets all the privileges of that user, so be careful; the best solution here, of course, is not to use poorly-written programs that must be run as Administrator.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Juha Saarinen

PC World
Show Comments

Cool Tech

Bang and Olufsen Beosound Stage - Dolby Atmos Soundbar

Learn more >

Toys for Boys

Nakamichi Delta 100 3-Way Hi Fi Speaker System

Learn more >

Sony WF-1000XM3 Wireless Noise Cancelling Headphones

Learn more >

ASUS ROG, ACRONYM partner for Special Edition Zephyrus G14

Learn more >

Family Friendly

Philips Sonicare Diamond Clean 9000 Toothbrush

Learn more >

Mario Kart Live: Home Circuit for Nintendo Switch

Learn more >

Stocking Stuffer

SunnyBunny Snowflakes 20 LED Solar Powered Fairy String

Learn more >

Teac 7 inch Swivel Screen Portable DVD Player

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?