Solved

XP Security Policies for User Group

Posted on 2004-03-21
5
305 Views
Last Modified: 2013-12-04
This is lengthy but please bear with me.  I have a question for my Windows XP SP1 stand alone computer.  I have noticed that the default permissions for a User Group account include access to: Internet Options and Administrative Tools.  I am new to configuring Group and User Permissions and XP Security.  What is the easiest way to set the Limited/Non-Admin. accounts to limit their access to 4 specific things: registry editing tools (regedit.exe, regedt32.exe), Internet Options, Adminstration Tools, and the Documents and Settings/UserName/Local Settings and Cookies hidden folders?  Specifically, I do not want non-admin. users to be able to view/change/delete IE History, Temp. Internet files and Cookies nor to make changes/view/change permissions to the registry nor to launch adminstrative tool applications including GPEDIT.MSC from the RUN Command line.  I realize that the OS must be able to access the user's profile but I do not want a user to be able to view these files in explorer.  Is it also possible to prevent User Group members from viewing the Security Tab in Properties for all Folders and Applications without hiding the Security Tab for Adminstrators?

If I used a registry key such as:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
[HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

(this may be an inefficient way or wrong way to do this) do I have to be logged in as "Current User" to set this for a non-admin user?  Would this disable registry edit tools for ALL users? (Admin AND Limited) What is the difference betweeen the Current User and Local Machine registry locations and do both locations need the key in order for the change to take affect?

I'm assuming there is an admin tool or security tab approach to doing the all of the above without having to manually edit the registry but can do it if it is the only way.  Do registry edits need a reboot to take affect?

I'm also aware of the following keys:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSecurityTab"=dword:00000001

and

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000000
[HKEY_Local_Machine\Software\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000000


Thanks for your time and any help you can give.
0
Comment
Question by:jgoussy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
5 Comments
 
LVL 4

Accepted Solution

by:
jcoppin earned 500 total points
ID: 10646666
click start
goto run
type in gpedit.msc


Make the changes in here.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10647193
The most easy way, is to make them member of the local guest group, and nothing else.

If they should be able to save files on drive c:, make a share, and grant everyone full control on the share, and then grant write permissions on ntfs.

Builtin and predefined groups in Windows XP
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/lsm_local_groups.asp

Understanding NTFS permissions:
http://www.windowsitlibrary.com/Content/592/1.html

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10647207
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question