Deny C: drive access to users


I've got a netowrk with 10 systems. All have Win XP Professional and Windows 2003 Enterprise Server. There's a small security constraint that I'd like to enforce on my users that is I want to restrict them access from writing to the C: drive. They should be able to read on C: dirve and write on their Desktop or My Documents. But no where else in C: Drive.

How can I enforce such a constraint on all my systems, do I have to such a setting one by one on each PC or through Group Policy or something.

Please Adivce.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

In addition to My Documents, you also have to allow access to the Pagefile, and possibly other system files.
Yes, there is a policy setting.

in a GPO goto:

User Configuration
         Administrative Templates
                         Windows Components
                                        Windows Explorer.
                                                    Hide these specified drives in My Computer.
                                                    Hide these specified drives in My Computer check box.

This will hide the C drive, be let system software still read files (such as the page file), however some software may need you to login as admin and set user permissions on the drive manually, so that when the user logs in the software can read the files.

Users can still save to my documents, but really I would setup folder redirection, so when they save to my documents its being redirected to their home drive.

hope this helps.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
You can give each user separate accounts and plus create a extended partition to do their work and store data. And plus when they login to their own account, they will not have write permissions automatically to write in the C drive. Or, to be more extra careful, I would give the C drive to ONLY Administrators and SYSTEM Full access and DENY all users....And then having users ONLY to work with their OWN separate drive.
It would be like this when they logon to their OWN account.



So, when they try to access the C Drive, it will give them an error message ACCESS DENIED, but they can still work the separate G Drive to store, bachup, and save all the data...

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.