How to give access to shared folder but nothing else in W2K domain for non-domain users/computers.

What is the best solution to this problem:
An office with several companies which share a network printer and Internet access.  One of the companies - Company A - keeps its data separate from the others by running a Windows 2000 Server domain with one server and several member computers.  The computers in the other companies are in separate workgroups and they do not have user names or passwords for the domain or the domain computers.  The server runs Windows 2000 Server and the workstations run Windows 2000 Pro or Windows XP Pro and Home.  All of the computers are on the same network segment/subnet.  

Company A needs to share one folder on their domain server so that the people in the other companies can access it from their computers.  However, this is all the access/privilidges they should have.  They should not be able to access any other shared folders on the server, and they should not be able to log onto any of the computers in the domain.  They should be required to enter a password when they connect to the shared folder.  

Will the Guest account or Anonymous access give them more privilidges than they need?  Is it possible to create an account which they can use and lock down the account so they can't do anything else with it?  

Thanks very much.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Kevin HaysIT AnalystCommented:
I would stay away from the guest account or even using anonymous access for the shared folder.  Basically I would use a locked down account such as a "user" only.  Since they are on a workgroup they will have to authenticate a little different than if they were on a domain.  If you can get the login prompt to come up when the workgroup users try to access the shared folder then they can just use the locked down account to authenticate and get to the share.

It's so much easier if they are all on a domain though :)

efieldAuthor Commented:
What would the locked down user account look like?  What are the minimum privilidges it would need to access the shared folder?  It would only need read-only permissions in the folder.
It really depends on how you use security on the other resources in the domain.

I am going to assume that your file share exists on an NTFS file system.  Assuming it does, you can use the permissions tab on the folder properties and give the user account read permissions while giving other users modify or full controll (I never give users full controll, they always try to take admin / backup agent permissions away).

Watch out though, if you have other shares and or resources that use the Everyone or Authenticated User permissions to provide access, this new account will also have rights to them.

I also believe that this new account could query your Active Directory and lookup user / printer information etc., for example, if you keep phone numbers, title info etc. in your AD, the user account by default could read that info, it's likely not a big deal, but is accessible.

I sugest you expermiment with it in your environment.

Hope this helps, Dave

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
you can access this by piping to the share and then when it asks for a username and password use an account that is a domain user account.   The pc doesn't have to be part of the domain at all to access a share.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.