6 PC's in a WORKGROUP - can I block another Administrator from local shares but allow remote (internet) access through the shared line?

There are 6 PC's. All run XP. All are sharing the same one connection to the internet.

4 are "Users" granted permissions to certain folders on the local network.

2 users are Admins.

How can I completely block the other Admin from the local folders,
but still let him access the external internet on his own PC?
(basically so he can screw up his own system with pr0n and warez
but not the others!)?

The big problem is, he owns the laptop, so he MUST be an Admin,
just cannot take those rights away from him, sorry! But I want to
let him get on the external nternet and not mes with the other local
users accounts etc. Since he is in fact an Admin this sounds impossible
to me!

Its just a normal home setup with a dad as admin and his eldest son
also an admin. If you ask me, he should control his son and tell him
he can either have an "User" account and not have any access to
the local folders OR stop messing about! Thats AN answer but maybe
you can block another Admin?  problem is, he could block you the
same way if he found out how so its really very silly! Hence 500 points.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

you are describing the main reason networks move to a domain
In a Workgroup setting all administration is done locally. So by it s very nature the local admin has complete rights to network user access to files the local system. You sound like a candidate for centralization. Set up one system as file server. Have all files required by everyone located on that system. create Username/Pasword for all user on the file server.
When setting up shares and users on a workgroup the Authentication information must be manually maintained locally.

Grant the proper access to critical files.

The fileserver does several things for you. It gives you a central location for backup and restore. It supplies your users with one set of files instead of 6 copies. Nesw users and password only need to be duplicated on the single system
If your troubled admin crashes his system he can rebuild and your files are safe.
The downside is you must keep critical files off his system and the file server has to be on when files are needed.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
EE33Author Commented:
I think I understand it... one PC has all the
user accounts (Active Directory?) and in this
case - no matter what the other users are,
(Admins or not) only the one domain controller
(the main one with the 6 accounts in Active
Directory) can say whether that admin can
access this domain? In fact it does not make
ANY difference what he is does it?! As long as
I set the permissions, he has no access to this,
but does have access to the line outside, because
after all, he just has to install a modem and know
the username to log onto the internet - thats not
Active Directory though and that can have its own

I will have to give you the points, I never even thought
of the simplicity of it, Active Directory of course!
Before we go futher
You stated you were in a Workgroup
With additional information and feedback, I to believe you have a domain and AD setup. If that is the case ignore the first post. A Workgroup is by definition lacking a Domain Controler.

The two types of networks are WorkGroup and Domain.As I stated the user authorization is handled by the local machine. So the local system would need a user/password entered to authorize access. in a Domain the Controller handles the authorization and grants premission to network resources. With a DC added to the mix, the local machines become network resources.
At the same time the can still contain local premissions

So if you have a DC, make the trouble spot a simple user and grant permissions as needed. He can maintain a local profile on lhis personal system as admin but as soon as he logs onto a different system he becomes a simple user and no longer has admin permissions. These permission can also extend to not allowing him to log onto any system but his own.

So in short with a Domain you have all sorts af administrtive possibilties. and you are right at the cusp of where i would start think of a simple domian (5)

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Networking

From novice to tech pro — start learning today.