jgoussy
asked on
XP Security Policies for User Group
This is lengthy but please bear with me. I have a question for my Windows XP SP1 stand alone computer. I have noticed that the default permissions for a User Group account include access to: Internet Options and Administrative Tools. I am new to configuring Group and User Permissions and XP Security. What is the easiest way to set the Limited/Non-Admin. accounts to limit their access to 4 specific things: registry editing tools (regedit.exe, regedt32.exe), Internet Options, Adminstration Tools, and the Documents and Settings/UserName/Local Settings and Cookies hidden folders? Specifically, I do not want non-admin. users to be able to view/change/delete IE History, Temp. Internet files and Cookies nor to make changes/view/change permissions to the registry nor to launch adminstrative tool applications including GPEDIT.MSC from the RUN Command line. I realize that the OS must be able to access the user's profile but I do not want a user to be able to view these files in explorer. Is it also possible to prevent User Group members from viewing the Security Tab in Properties for all Folders and Applications without hiding the Security Tab for Adminstrators?
If I used a registry key such as:
[HKEY_CURRENT_USER\Softwar
"DisableRegistryTools"=dwo
[HKEY_Local_Machine\Softwa
"DisableRegistryTools"=dwo
(this may be an inefficient way or wrong way to do this) do I have to be logged in as "Current User" to set this for a non-admin user? Would this disable registry edit tools for ALL users? (Admin AND Limited) What is the difference betweeen the Current User and Local Machine registry locations and do both locations need the key in order for the change to take affect?
I'm assuming there is an admin tool or security tab approach to doing the all of the above without having to manually edit the registry but can do it if it is the only way. Do registry edits need a reboot to take affect?
I'm also aware of the following keys:
[HKEY_CURRENT_USER\Softwar
"NoSecurityTab"=dword:0000
and
[HKEY_CURRENT_USER\Softwar
"NoBrowserOptions"=dword:0
[HKEY_Local_Machine\Softwa
"NoBrowserOptions"=dword:0
Thanks for your time and any help you can give.
If I used a registry key such as:
[HKEY_CURRENT_USER\Softwar
"DisableRegistryTools"=dwo
[HKEY_Local_Machine\Softwa
"DisableRegistryTools"=dwo
(this may be an inefficient way or wrong way to do this) do I have to be logged in as "Current User" to set this for a non-admin user? Would this disable registry edit tools for ALL users? (Admin AND Limited) What is the difference betweeen the Current User and Local Machine registry locations and do both locations need the key in order for the change to take affect?
I'm assuming there is an admin tool or security tab approach to doing the all of the above without having to manually edit the registry but can do it if it is the only way. Do registry edits need a reboot to take affect?
I'm also aware of the following keys:
[HKEY_CURRENT_USER\Softwar
"NoSecurityTab"=dword:0000
and
[HKEY_CURRENT_USER\Softwar
"NoBrowserOptions"=dword:0
[HKEY_Local_Machine\Softwa
"NoBrowserOptions"=dword:0
Thanks for your time and any help you can give.
Last Comment
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Why you should not run your computer as an administrator
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/windows_security_whynot_admin.htm
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/windows_security_whynot_admin.htm
OS Security
Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.
22K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
If they should be able to save files on drive c:, make a share, and grant everyone full control on the share, and then grant write permissions on ntfs.
Builtin and predefined groups in Windows XP
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/lsm_local_groups.asp
Understanding NTFS permissions:
http://www.windowsitlibrary.com/Content/592/1.html
Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark
:o) Your brain is like a parachute. It works best when it's open