6 PC's in a WORKGROUP - can I block another Administrator from local shares but allow remote (internet) access through the shared line?

Posted on 2006-03-23
Last Modified: 2013-12-23
There are 6 PC's. All run XP. All are sharing the same one connection to the internet.

4 are "Users" granted permissions to certain folders on the local network.

2 users are Admins.

How can I completely block the other Admin from the local folders,
but still let him access the external internet on his own PC?
(basically so he can screw up his own system with pr0n and warez
but not the others!)?

The big problem is, he owns the laptop, so he MUST be an Admin,
just cannot take those rights away from him, sorry! But I want to
let him get on the external nternet and not mes with the other local
users accounts etc. Since he is in fact an Admin this sounds impossible
to me!

Its just a normal home setup with a dad as admin and his eldest son
also an admin. If you ask me, he should control his son and tell him
he can either have an "User" account and not have any access to
the local folders OR stop messing about! Thats AN answer but maybe
you can block another Admin?  problem is, he could block you the
same way if he found out how so its really very silly! Hence 500 points.
Question by:EE33
    LVL 9

    Expert Comment

    you are describing the main reason networks move to a domain
    LVL 9

    Accepted Solution

    In a Workgroup setting all administration is done locally. So by it s very nature the local admin has complete rights to network user access to files the local system. You sound like a candidate for centralization. Set up one system as file server. Have all files required by everyone located on that system. create Username/Pasword for all user on the file server.
    When setting up shares and users on a workgroup the Authentication information must be manually maintained locally.

    Grant the proper access to critical files.

    The fileserver does several things for you. It gives you a central location for backup and restore. It supplies your users with one set of files instead of 6 copies. Nesw users and password only need to be duplicated on the single system
    If your troubled admin crashes his system he can rebuild and your files are safe.
    The downside is you must keep critical files off his system and the file server has to be on when files are needed.
    LVL 3

    Author Comment

    I think I understand it... one PC has all the
    user accounts (Active Directory?) and in this
    case - no matter what the other users are,
    (Admins or not) only the one domain controller
    (the main one with the 6 accounts in Active
    Directory) can say whether that admin can
    access this domain? In fact it does not make
    ANY difference what he is does it?! As long as
    I set the permissions, he has no access to this,
    but does have access to the line outside, because
    after all, he just has to install a modem and know
    the username to log onto the internet - thats not
    Active Directory though and that can have its own

    I will have to give you the points, I never even thought
    of the simplicity of it, Active Directory of course!
    LVL 9

    Expert Comment

    Before we go futher
    You stated you were in a Workgroup
    With additional information and feedback, I to believe you have a domain and AD setup. If that is the case ignore the first post. A Workgroup is by definition lacking a Domain Controler.

    The two types of networks are WorkGroup and Domain.As I stated the user authorization is handled by the local machine. So the local system would need a user/password entered to authorize access. in a Domain the Controller handles the authorization and grants premission to network resources. With a DC added to the mix, the local machines become network resources.
    At the same time the can still contain local premissions

    So if you have a DC, make the trouble spot a simple user and grant permissions as needed. He can maintain a local profile on lhis personal system as admin but as soon as he logs onto a different system he becomes a simple user and no longer has admin permissions. These permission can also extend to not allowing him to log onto any system but his own.

    So in short with a Domain you have all sorts af administrtive possibilties. and you are right at the cusp of where i would start think of a simple domian (5)


    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    What Security Threats Are You Missing?

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    Have you ever set up your wireless router at home or in the office to find that you little pop-up bubble in the bottom right-hand corner of Windows read "IP Conflict - One of more computers on the network have been assigned the following IP address"…
    A common practice in small networks is making file sharing easy which works extremely well when intra-network security is not an issue. In essence, everyone, that is "Everyone", is given access to all of the shared files - often the entire C: drive …
    Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…
    Internet Business Fax to Email Made Easy - With eFax Corporate (, you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

    759 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    10 Experts available now in Live!

    Get 1:1 Help Now