User access control capabilities in Windows XP Pro

Q. Do you happen to know of a program that stops users accessing the desktop and files? I am considering buying [Windows] XP Professional and have looked at user security.

Each user can have their own settings and preferences, but you cannot set up a user as the administrator so they only access certain programs and files; e.g., one user account for children, another to play only music. At the moment I am using Windows 98, and I am using a program made by Edmark called Kidsafe, which loads before the desktop appears and allows each user their own desktop, provided by the program (not the Windows desktop, but Kidsafe’s). This is set up by an administrator, who controls what each user can access.

The Mac OS X user accounts allow an administrator to set up accounts so users can only access certain programs and files. Unfortunately, I am a Windows person and am disheartened that Microsoft didn’t give more functionality to user accounts. I like XP’s new desktop interface and it is good that it allows individual users, but I am looking for a program that gives more flexibility to set up accounts by the administrator. Any help would be great.

– Marcus Barnard

A. Well, Marcus, the functionality you’re after is built into Windows XP Professional. Windows XP has extensive user access control capabilities. You can fine-tune what each user can do much more so than with Mac OS X, but the amount of flexibility can also be bewildering.

First, it’s important to realise that the Administrator account is completely without access restrictions. It’s the account used to manage and maintain the system, and therefore the most powerful one (and thus, potentially, the one capable of causing the most damage).

It works in a similar fashion to the ‘root’ account on UNIXes like Mac OS X and, thus, must be handled with care.

Rule number one is: do not run Windows XP under the Administrator account for day-to-day use. Always password protect access to the Administrator account and do not let children use it.

Rule number two is: use the NTFS file system for your hard disk, not FAT32. NTFS is not only much more robust than FAT32, it also provides the necessary Access Control List capabilities for the file system — these are not available in FAT32.

Windows XP comes with several standard user templates, each with separate access rights, such as:

Standard User: member of the Power Users Group — these users can change many system settings and install programs that do not touch Windows system files.

Restricted User: member of the Users Group — these users can log in and use the computer, and save their own documents and data files, but they are not able to install any programs or to change the system settings.

Furthermore, you have:

Administrators: described above, this account type has full control over the computer and other users;

Backup Operator: these users can override file system security settings for backing up and restoring data (but only for that purpose);

Guests: an even more restricted account type than Users;

Network Configuration Operators: users who can manage network configurations (such as changing the dial-up settings);

Remote Desktop Users: an account type for those you wish to allow access to log on to Windows XP from a remote location.

There are other account templates as well, but they are for specialised purposes and fall outside the scope of this topic.

All of these accounts can be set up from the User Accounts applet in the Control Panel. You can further fine-tune the access rights and privileges of users (and of the account templates) by clicking on the Advanced tab in the User Accounts dialogue and selecting the Advanced button.

Once you’ve decided on the right account type for your users, you can then, for instance, decide which areas of the file system they can go to, and deny access to others. Simply open Windows Explorer, right-click on, for example, a folder to which you wish to restrict access, and pick Sharing and Security. In the dialogue that pops up, click on the Security tab, and you can pick which users (and which groups of users) can have full control (usually Administrators and the folder owner only), modify (ditto), read and execute files in the folder, list folder contents, and read and write from and to the folder.

Click the Advanced button, and you get really fine-grained control over the security settings. You can also turn on Auditing of access, change ownership of the folder, etc. It’s all a relatively simple format of Allow/Deny tick boxes, but be careful not to shut yourself out of the folder in question.
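The same folder restriction can be scripted, which is handy when you have several folders to lock down in the same way and want to check the result rather than trust your eye on the tick boxes. The script below is an added example, not code from the column or from Microsoft; it assumes Windows PowerShell 2.0 is installed (it is an optional download for XP SP3), an NTFS volume, and a folder path and group name that are placeholders you would change. It does in code what the Security tab does by hand: keeps the inherited Administrators and SYSTEM entries so you cannot lock yourself out, replaces whatever the Users group had with Read & Execute only, and then re-reads the ACL to confirm no write right remains. One caveat for XP Professional: if the Security tab is missing from the folder's Properties, Simple File Sharing is switched on (Folder Options, View tab) and must be turned off first; the script does not depend on the tab, but you will want it to inspect the outcome.

```powershell
# Added example (not from the column): give a local group read-only access
# to one folder tree and verify it. Assumes PowerShell 2.0 on an NTFS volume.
# $Folder and $RestrictedGroup are placeholders chosen for this example.
param(
    [string]$Folder = 'C:\Shared\Music',
    [string]$RestrictedGroup = 'BUILTIN\Users'
)

Set-StrictMode -Version 2

if (-not (Test-Path -Path $Folder)) {
    New-Item -ItemType Directory -Path $Folder | Out-Null
}

# 1. Look before you change anything: show the entries inheritance currently gives the folder.
$acl = Get-Acl -Path $Folder
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# 2. Stop inheriting from the parent folder, but copy the inherited entries into the folder's
#    own list first. This is what keeps Administrators and SYSTEM in full control; dropping
#    them is the classic way to shut yourself out of the folder.
$acl.SetAccessRuleProtection($true, $true)

# 3. Remove every entry the restricted group currently holds (they are explicit now, so they can go).
$existing = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $RestrictedGroup })
foreach ($oldRule in $existing) {
    [void]$acl.RemoveAccessRule($oldRule)
}

# 4. Grant only Read & Execute, which covers the "Read & execute", "List folder contents" and
#    "Read" boxes in the Security tab, and let it flow down to subfolders and files.
$rights    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$newRule   = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList @($RestrictedGroup, $rights, $inherit, $propagate, $allow)
$acl.AddAccessRule($newRule)

# 5. Write the ACL back. This needs the same rights the Security tab needs (owner or Administrators).
Set-Acl -Path $Folder -AclObject $acl

# 6. Verify from a fresh read rather than from the object we just built: no Allow entry for the
#    group may carry any of the write rights (WriteData, AppendData, WriteAttributes, ...).
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write
$check = Get-Acl -Path $Folder
$leftover = @($check.Access | Where-Object {
    $_.IdentityReference.Value -eq $RestrictedGroup -and
    $_.AccessControlType -eq $allow -and
    (($_.FileSystemRights -band $writeMask) -ne 0)
})

if ($leftover.Count -gt 0) {
    Write-Warning "$RestrictedGroup still holds write rights on $Folder; review the entries above."
} else {
    Write-Host "$RestrictedGroup is read-only on $Folder."
}
```

Run it from an account that is a member of Administrators, for example `.\Restrict-Folder.ps1 -Folder 'D:\Kids' -RestrictedGroup 'BUILTIN\Users'`. The verification step is deliberately a second Get-Acl rather than a check on the in-memory object, so that what is reported is what is actually on disk. For the children's-account scenario from the question, you would point it at the folders you want read-only and leave each child's own Documents folder alone, since that is where Restricted Users are meant to save their files.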

By judiciously applying file system privileges for different users, you can accomplish most of the things you describe above. Even if you happen to have the occasional badly-written piece of software (such as older games) that won’t run without Administrator privileges, you can make allowances for this by right-clicking on the program executable (*.exe), and selecting Run As. Then, pick the user (or the Administrator account) that you wish to run the program under. The program then gets all the privileges of that user, so be careful; the best solution here, of course, is not to use poorly-written programs that must be run as Administrator.