Create a very very restrictive account on XP


For our billiards organization we have some board members who actively work on their computers but have minimal knowledge of what they are doing. Especially when it comes to spyware and viruses etc. Like today, for example, Access failed to start up due to a number of installed spyware programs.

How can I prevent all these programs from being installed?

Maybe this will not cover all problems, so I want to ask if the following is advisable and possible.

What I want is the following:
- An account for himself as administrator in which he can do whatever he wants
- An account for the billiards tasks. When he logs in to this account he gets an environment not harmed by any other accounts/programs. Even his account won't be affected by programs installed as administrator. (Programs which should be system-wide, like a virus scanner, I will install for him and make sure they get installed system-wide.) In this account he should not be able to install any program.

Maybe what I suggest sounds a little paranoid, but it always comes down to me to repair his Windows environment...

trywaredk Commented:
Well - it's not easy to solve your issue. Still, forget about the guest and administrator account.

Next time you visit him, tell him that you can't clean his pc, but you might have a solution if you can get the computer home to yourself for about 2-3 days, and let him walk to you to get it back.

:o) I hope his computer will stop working 10 times a day, so he can't use his internet connection, and that he would reconsider his ignorance.
Let them log on only as a member of the guest group

Builtin and predefined groups in Windows 2000 Pro

Builtin and predefined groups in Windows XP

Why you should not run your computer as an administrator

Many Regards
Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open

Ad-aware Standard Edition is THE award winning, free*, multicomponent adware detection and removal utility:

SpyFerret detects & removes spyware

Bazooka Adware and Spyware Scanner v1.13.01

Automatic check of your browser for parasites, adware and spyware

Sygate free scanning your security: quick, stealth, trojan, tcp, udp, icmp

One Usage of the HACKYOURSELF scan: TCP Scan (65534 ports),UDP scan (800+ ports), and Netbios Scan 

Shields UP! quickly checks the SECURITY of YOUR computer's connection to the Internet.
Use this free online Trend Housecall scanner to find and clean every known virus/rootkits/backdoors:

Some viruses can't be removed by housecall. If so, use the free Trend Micro system cleaner:

If you get an ActiveX error when loading the HouseCall web page:

If you want to secure your one workstation in the future, consider purchasing PC-cillin with built-in firewall:
Getting a personal Firewall

Download the free version of Sygate personal firewall

Download the free version of ZoneAlarm firewall

Comparative reviews of personal firewall software: 

Firewall Product Selector - Choose yourself which one to compare
aperdon (Author) Commented:
Thanks. I guess this is already a lot of material...

The problem for me is that he is doing some work on his private computer. I cannot prevent him from doing something strange while it is his computer. What I purely want is that when he works on the billiards stuff he should work in a completely clean environment.

I guess your comment about the guest account makes quite some sense. Maybe I should advise him to always use that account, unless he really needs to install something, in which case he should log in as administrator. But I really have to tell him this very precisely, otherwise he won't understand and will mess up again.

You can first create a user with a limited account and then use the Local Security Policy (present in Control Panel --> Administrative Tools --> Local Security Policy). You must be logged on as an Administrator to use it. There you can see tons of options; using them you can restrict the user to the maximum extent.

You can also make use of third-party software which has a good user interface and deals with the Windows Registry carefully. Using it you can make the account more limited. If you search you will get many.

>"Maybe I should advise him to always use that account, unless he really needs to install something, in which case he should log in as administrator. But I really have to tell him this very precisely, otherwise he won't understand and will mess up again."

Print this one, and tell him about it

Why you should not run your computer as an administrator
Rich Rumble (Security Samurai) Commented:
Yeah, lots - tons of links. As stated above, place his account in the Guests or Users group; they are locked down quite a bit, and he won't be able to install programs. You don't even need to tell him to log in as admin, show him how to use RunAs. Write down how to use it in a text file on his desktop, and make sure he can remember the password by himself; you don't want that written down. And he cannot lock himself out of anything if he gets it wrong.
RunAs is easier to run with a right-click... highlight the icon of what you want to run, hold down Shift, right-click the icon, select RunAs... Put in the username and password for the elevated account. Don't tell him it's the admin account, just get him familiar with RunAs, and it's "magic". That is the best way. If that PC has internet access, he'll REQUIRE antivirus software, and regular updates/scheduled scans. GL!
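
The limited-account setup and RunAs usage described in the comments above, as a Windows batch sketch added here; it is not part of any participant's post. The account name `billiards`, the administrative account name `Administrator` and the installer path are assumptions made for the example.

```batch
@echo off
rem Added example. Run from a command prompt while logged on as an administrator.
rem ACCOUNT is a placeholder name chosen for this example.
set ACCOUNT=billiards

rem Create the local account only if it does not exist yet. "*" makes net.exe
rem prompt for the password, so it is never stored in this file.
net user %ACCOUNT% >nul 2>&1
if errorlevel 1 net user %ACCOUNT% * /add
net user %ACCOUNT% >nul 2>&1
if errorlevel 1 goto failed

rem A newly created local account is a member of Users only. Remove it from
rem the privileged groups anyway, in case the account already existed.
rem Errors are hidden because "not a member" is the expected result.
net localgroup Administrators %ACCOUNT% /delete >nul 2>&1
net localgroup "Power Users" %ACCOUNT% /delete >nul 2>&1

rem Verify: the account must not be listed under Administrators.
net localgroup Administrators | find /i "%ACCOUNT%" >nul
if not errorlevel 1 goto failed

rem Show the result; check the "Local Group Memberships" line.
net user %ACCOUNT%

echo.
echo Account %ACCOUNT% is ready. To install something without logging off:
echo   runas /user:%COMPUTERNAME%\Administrator "C:\path\to\setup.exe"
echo (the path is a placeholder; runas prompts for the password)
goto :eof

:failed
echo Could not set up %ACCOUNT% as a limited account. 1>&2
exit /b 1
```

The limited account cannot install system-wide software, but it is not shielded from what an administrator account does: anything installed system-wide while logged on as administrator also affects the limited account.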

aperdon (Author) Commented:
Thanks, these comments really help a lot.

How can I isolate his account from other (like administrator) accounts? When he works for me I want him to use the account (a Guest account) as created by me for him. When he uses the computer for himself he should not be limited in whatever he does, but I will warn him about the nasty problems. I will show him how to use RunAs etc. But what he does then should not have any effect on the account I created for him. Only a virus scanner should be effective in that account too, and Access / Outlook Express etc. So it should be restrictive in two ways.
- He is not able to perform any (malicious) installation in that account
- The account is completely isolated from other accounts.

The problem is that it is his private computer but I don't want to have any stupid problems when he does some work for me.
Actually you could solve the issue in a more normal way.

Make a security policy (written on paper in Word) to be decided by your organisation:
For security reasons nobody (including the board members) is allowed to connect a home computer to your domain network.

If they need an administrative computer connected to the domain network, you/they have to purchase a computer for that. And they are not allowed to remove this computer from your organisation.

Ask them to follow your advice about the risks of viruses/spyware/trojans/spam/firewalls/etc. with their home computers as well.
aperdon (Author) Commented:
I guess I don't understand your comment.
He works for me on his computer at his home in his private time, connected to the internet by his connection.
He volunteered to do the job. But what he does on his computer that is not related to the job should not have any effect on 1. whether he is able to work and 2. the files (virus) he sends to us containing the results (MS Access mdb file).
:o) Sorry, I guessed that it was a "huge" organisation ("For our billiards organization we have some board-members"), or should I say corporate network.

Back to YOUR issue:

Forget about the administrator and guest account on his computer, if your only problem is that your computer is getting infected ONLY by opening the mdb-file HE emailed to you (is that correctly understood?)

If so, there's no way out of persuading him to follow YOUR advice to protect HIS computer from all the malware. It's in his own interest.

And you have to follow it too.
aperdon (Author) Commented:
It is both being infected as well as not being able to work, due to the way he's using the internet and not being willing to change. I can't force him to change, only give him advice. My experience says that he will ignore the advice. So when he ignores my advice it will end up in me visiting him again, cleaning his PC, installing the software again and hoping it will work for a long time again, and last but not least the results will be delayed for some time... especially now at the end of the season this delay is far from welcome.
aperdon (Author) Commented:
Ha ha your last comment I will tell him!!
Rich Rumble (Security Samurai) Commented:
It seems this user has the mentality of corporate IT managers. It will take a major disaster in order for him to listen, and when that major disaster does occur, he'll get sooo mad at you for NEVER warning him previously!

I say get him to buy a browser like Opera, or give him Mozilla. These browsers should help keep various spyware/adware from getting on his PC. He'll need AV for sure, and a firewall like ZA wouldn't hurt either. I recommend McAfee as an AV. Schedule regular M$ updates also.