Create a very very restrictive account on XP

Posted on 2004-04-02
Last Modified: 2013-12-04
Hi,

For our billiards organization we have some board members who actively work on their computers but have a minimal knowledge of what they are doing, especially when it comes to spyware, viruses, etc. Today, for example, Access failed to start up due to a number of installed spyware programs.

How to prevent all these programs from being installed?

Maybe this will not cover all problems, so I want to ask if the following is advisable and possible.

What I want is the following:
- An account for himself as administrator in which he can do whatever he wants
- An account for the billiards tasks. When he logs into this account he gets an environment not harmed by any other accounts/programs. Even his account won't be affected by programs installed as administrator. (Programs which should be system-wide, like a virus scanner, I will install for him and make sure they get installed system-wide.) In this account he should not be able to install any program.

Maybe it sounds a little paranoid what I suggest, but it comes always to me to repair his windows environment....

Thanx,
Alexander.
Question by:aperdon
20 Comments
 
LVL 12

Expert Comment

by:trywaredk
ID: 10739403
Let them logon only as member of the guest group

Builtin and predefined groups in Windows 2000 Pro
http://www.microsoft.com/windows2000/en/professional/help/default.asp?url=/windows2000/en/professional/help/windows_security_default_settings.htm

Builtin and predefined groups in Windows XP
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/lsm_local_groups.asp

Why you should not run your computer as an administrator
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/windows_security_whynot_admin.htm

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10739407
Spybot:
http://security.kolla.de/index.php

Ad-aware Standard Edition is THE award winning, free*, multicomponent adware detection and removal utility:
http://www.lavasoft.de/software/adaware/

SpyFerret detects & removes spyware
http://www.onlinepcfix.com/spyware/spyware.htm

Bazooka Adware and Spyware Scanner v1.13.01
http://www.kephyr.com/spywarescanner/

Automatic check of your browser for parasites, adware and spyware
http://www.doxdesk.com/parasite/
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10739409
Sygate free scanning your security: quick, stealth, trojan, tcp, udp, icmp
http://scan.sygatetech.com/

One Usage of the HACKYOURSELF scan: TCP Scan (65534 ports),UDP scan (800+ ports), and Netbios Scan
http://www.hackerwhacker.com/ 

Shields UP! quickly checks the SECURITY of YOUR computer's connection to the Internet.
https://grc.com/x/ne.dll?bh0bkyd2
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10739412
Use this free online Trend Housecall scanner to find and clean every known virus/rootkits/backdoors:
http://housecall.trendmicro.com/housecall/start_corp.asp

Some viruses can't be removed by housecall. If so, use the free Trend Micro system cleaner:
http://www.trendmicro.com/download/tsc.asp

If you get an ActiveX error when loading the HouseCall web page:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=4317

If you want to secure your one workstation in the future, consider purchasing PC-cillin with built-in firewall:
http://www.trendmicro.com/en/products/desktop/pc-cillin/evaluate/overview.htm
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10739414
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10739416
Getting a personal Firewall
http://www.zensecurity.co.uk/default.asp?URL=personal

Download the free version of Sygate personal firewall
http://smb.sygate.com/support/documents/spf/default.htm
http://smb.sygate.com/download/download.php?pid=spf

Download the free version of ZoneAlarm firewall
http://www.zonelabs.com/store/content/company/zap_za_grid.jsp?lid=ho_za

Comparative reviews of personal firewall software:
http://www.firewallguide.com/software.htm 

Firewall Product Selector - Choose yourself which one to compare
http://www.spirit.com/cgi-new/report.pl?dbase=fw&function=view
0
 
LVL 1

Author Comment

by:aperdon
ID: 10739529
Thanx. I guess this is already a lot of materials...

The problem for me is that he is doing some work on his private computer. I cannot prevent him doing something strange while it is his computer. What I purely want is that when he works on the billiards stuff he should work in a completely clean environment.

I guess ur comment about the guest account makes quite some sense. Maybe I should advise him to always use that account, unless he really needs to install something, and then he should log in as administrator. But I really need to tell him this very precisely, otherwise he won't understand and will mess up again.
0
 
LVL 4

Expert Comment

by:venishjoe
ID: 10740065
Hai,

You can first create a user with a limited account and then use the Local Security Policy (present in Control Panel --> Administrative Tools --> Local Security Policy). You must be logged on as an Administrator to use it. There you can see tons of options; using them you can restrict the user to the maximum extent.

You can also make use of third-party software which has a good user interface and deals with the Windows Registry carefully. Using it you can make the account more limited. If you search you will get many.


Regards
Venish.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10740675
>"Maybe I should advise him to always use that account, unless he really needs to install something, and then he should log in as administrator. But I really need to tell him this very precisely, otherwise he won't understand and will mess up again."

Print this one, and tell him about it

Why you should not run your computer as an administrator
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/windows_security_whynot_admin.htm
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10740816
Yeah, lots, tons of links. As stated above, place his account in the Guests or Users group; they are locked down quite a bit, and he won't be able to install programs. You don't even need to tell him to log in as admin, show him how to use RunAs. Write down how to use it in a text file on his desktop, and make sure he can remember the password by himself; you don't want that written down. And he cannot lock himself out of anything if he gets it wrong.
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/AD_runas.asp
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/windows_security_whynot_admin.htm
RunAs is easier to run with a right-click: highlight the icon of what you want to run, hold down Shift, right-click the icon, select RunAs... Put in the username and password for the elevated account. Don't tell him it's the admin account, just get him familiar with RunAs, and it's "magic". That is the best way. If that PC has internet access, he'll REQUIRE antivirus software, and regular updates/scheduled scans. GL!
-rich

0
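The setup suggested in the comments above (a limited account for the billiards work, plus RunAs for the occasional install), written out as a batch file. This is an added example, not part of any poster's comment; the account name `billiards`, the built-in account name `Administrator` and an English-language Windows XP are assumptions.

```batch
@echo off
rem Added example: run from an administrator command prompt on the XP machine.
rem ACCT is a hypothetical name for the restricted billiards account.
set ACCT=billiards

rem Create the local account. "*" prompts for the password, so it is not
rem stored in this file.
net user %ACCT% * /add /comment:"Restricted account for billiards work"
if errorlevel 1 goto failed

rem "net user /add" places new accounts in the Users group (a limited account).
rem Make sure the account is in no privileged group. These commands fail
rem harmlessly when it is not a member, so their output is suppressed.
net localgroup Administrators %ACCT% /delete >nul 2>&1
net localgroup "Power Users" %ACCT% /delete >nul 2>&1

rem Stricter variant mentioned in the thread: Guests instead of Users.
rem net localgroup Users %ACCT% /delete
rem net localgroup Guests %ACCT% /add

rem Verify: print the group membership line (label text is for English Windows).
net user %ACCT% | findstr /i /c:"Local Group Memberships"

rem Elevating a single program from inside the restricted session.
rem runas prompts for the administrator password each time.
echo To install something later, run this from the restricted account:
echo   runas /user:%COMPUTERNAME%\Administrator "cmd /k"
goto :eof

:failed
echo Could not create %ACCT%. Is this an administrator command prompt?
```

The membership line should list only `*Users` (or `*Guests` for the stricter variant); any other group there means the account can still change the system.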
 
LVL 1

Author Comment

by:aperdon
ID: 10773606
Thanks, these comments really help a lot.

How can I isolate his account from other (like administrator) accounts? When he works for me I want him to use the account (a Guest account) as created by me for him. When he uses the computer for himself he should not be limited in whatever he does, but I will warn him about the nasty problems. I will show him how to use run-as etc. But what he does then should not have any effect on the account I created for him. Only a virus scanner should be effective in that account too, and Access / Outlook Express etc. So it should be restrictive in 2 ways.
- He is not able to perform any (malicious) installation in that account
- The account is completely isolated from other accounts.

The problem is that it is his private computer, but I don't want to have any stupid problems when he does some work for me.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10781802
Actually you could solve the issue in a more normal way.

Make a security policy (written on paper in Word) to be decided by your organisation:
For security reasons nobody (including the board members) is allowed to connect a home computer to your domain network.

If they need an administrative computer connected to the domain network, you/they have to purchase a computer for that. And they are not allowed to remove this computer from your organisation.

Ask them to follow your advice about the risks of virus/spyware/trojans/spam/firewall/etc. with their home computer as well.
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html
0
 
LVL 1

Author Comment

by:aperdon
ID: 10782003
I guess I don't understand ur comment.
He works for me on his computer at his home in his private time, connected to the internet by his connection.
He volunteered to do the job. But what he does on his computer not related to the job should not have any effect on 1. whether he is able to work and 2. the files (virus) he sends to us containing the results (MS Access mdb file)
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10782042
:o) Sorry, I guessed that it was a "huge" organisation ("For our billiards organization we have some board-members"), or should I say corporate network.

Back to YOUR issue:

Forget about the administrator and guest account on his computer, if your only problem is that your computer is getting infected ONLY by opening the mdb file HE emailed to you (is that correctly understood?)

If so, there's no way out of persuading him to follow YOUR advice to protect HIS computer from all the malware. It's in his own interest.

And you have to follow them too.
0
 
LVL 1

Author Comment

by:aperdon
ID: 10782100
It is both being infected as well as not being able to work due to the way he's using the internet and not being willing to change. I can't force him to change, only give him advice. My experience says that he will ignore the advice. So when he ignores my advice it will end up in me visiting him again, cleaning his PC, installing the software again and hoping it will work for a long time again, and last but not least the results will be delayed for some time... especially now at the end of the season this delay is far from welcome.
0
 
LVL 12

Accepted Solution

by:
trywaredk earned 200 total points
ID: 10782198
Well - it's not easy to solve your issue. Still, forget about the guest and administrator account.

Next time you visit him, tell him that you can't clean his pc, but you might have a solution if you can get the computer home to yourself for about 2-3 days, and let him walk to you to get it back.

:o) I hope his computer will stop working 10 times a day, so he can't use his internet connection, and that he would reconsider his ignorance.
0
 
LVL 1

Author Comment

by:aperdon
ID: 10782324
Ha ha your last comment I will tell him!!
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 200 total points
ID: 10783260
It seems this user has the mentality of corporate IT managers. It will take a major disaster in order for him to listen, and when that major disaster does occur, he'll get sooo mad at you for NEVER warning him previously!

I say get him to buy a browser like Opera, or give him Mozilla. These browsers should help keep various spyware/adware from getting on his PC. He'll need AV for sure, and a firewall like ZA wouldn't hurt either. I recommend McAfee as an AV. Schedule M$ regular updates also.
-rich
0
