Permissions in XP


Chris Perigo
December 5th 03, 08:10 PM
I am using XP Pro with NTFS and simple file sharing
turned off.

I have several data hierarchies to which I wish the GUEST
account to have no access. I wish to have the USERS group
have read access to the same data.

As things stand the GUEST account can traverse the data
and read it also but I can't figure out why. If I use the
effective permissions feature in the ADVANCED page from
the SECURITY tab in PROPERTIES for GUEST, it correctly
shows no access at all.

Current security settings are:

type   name            permission                                                        inherited from  apply to
allow  administrators  full control                                                      c:\             This folder, subfolders and files
allow  SYSTEM          full control                                                      c:\             This folder, subfolders and files
allow  <file creator>  full control                                                      c:\             This folder only
allow  CREATOR OWNER   full control                                                      c:\             Subfolders and files only
allow  Users           Read & Execute                                                    c:\             This folder, subfolders and files
allow  Users           Special (Create files/Write data and create folders/append data)  c:\             This folder and subfolders only

So how does GUEST, who is a member of GUESTS only and
therefore not a member of USERS, get in there?

Cheers,

Chris Perigo

Roger Abell [MVP]
December 5th 03, 08:11 PM
I am assuming this is when Guest is used for local login rather
than for network share access.

When logged in locally Guest is a member of Users indirectly.
Users by default contains Authenticated Users and INTERACTIVE.
When logged in locally Guest is both, and hence effectively a
Users group member. That effective permissions does not reflect
this is to me a bug, but is understandable in that the effective
permissions computation does a closure on groups, but the
Authenticated Users and INTERACTIVE are not considered
groups for this purpose.

Your solution is to use an explicit Deny of Full to Guest or
Guests. This has the drawback that Deny ACEs are generally held
as a last resort since they can tend to complicate things needlessly
when there are other ways to do something.

Removing INTERACTIVE and Authenticated Users from Users
is not an option since Guest will then not be able to log in locally.

--
Roger

"Chris Perigo" wrote in message ...
> I am using XP Pro with NTFS and simple file sharing
> turned off.
>
> I have several data hierarchies to which I wish the GUEST
> account to have no access. I wish to have the USERS group
> have read access to the same data.
>
> As things stand the GUEST account can traverse the data
> and read it also but I can't figure out why. If I use the
> effective permissions feature in the ADVANCED page from
> the SECURITY tab in PROPERTIES for GUEST, it correctly
> shows no access at all.
>
> Current security settings are:
>
> type   name            permission                                                        inherited from  apply to
> allow  administrators  full control                                                      c:\             This folder, subfolders and files
> allow  SYSTEM          full control                                                      c:\             This folder, subfolders and files
> allow  <file creator>  full control                                                      c:\             This folder only
> allow  CREATOR OWNER   full control                                                      c:\             Subfolders and files only
> allow  Users           Read & Execute                                                    c:\             This folder, subfolders and files
> allow  Users           Special (Create files/Write data and create folders/append data)  c:\             This folder and subfolders only
>
> So how does GUEST, who is a member of GUESTS only and
> therefore not a member of USERS, get in there?
>
> Cheers,
>
> Chris Perigo
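
The membership chain described in the reply above, as an added example that is not part of the original thread: a simplified Python model (not Windows' own code) of why a group-closure computation and a local logon token disagree for Guest, and how an explicit Deny for Guests changes the result. The masks, function names and the "Alice" account are constructed for illustration, and the model gives the local Guest logon only the INTERACTIVE identity, which is enough to match Users.

```python
# Simplified model of NTFS DACL evaluation (constructed; not Windows' own code).
READ, WRITE, FULL = 0x1, 0x2, 0x3  # toy access masks, assumptions for this model

# Local group membership as described in the reply: Users holds two
# special identities rather than listing accounts such as Guest directly.
GROUPS = {
    "Users": {"Authenticated Users", "INTERACTIVE"},
    "Guests": {"Guest"},
}

def group_closure(principals):
    """Add every local group that has one of `principals` as a member."""
    sids = set(principals)
    changed = True
    while changed:
        changed = False
        for group, members in GROUPS.items():
            if group not in sids and members & sids:
                sids.add(group)
                changed = True
    return sids

def effective_permissions_view(account):
    """Group closure of the account alone, with no logon-time identities."""
    return group_closure({account})

def local_logon_token(account):
    """A local logon adds INTERACTIVE, which then pulls in Users."""
    return group_closure({account, "INTERACTIVE"})

def access_check(sids, dacl, wanted):
    """Walk ACEs in order: a matching deny ends the check, allows accumulate."""
    granted = 0
    for ace_type, trustee, mask in dacl:
        if trustee not in sids:
            continue
        if ace_type == "deny" and mask & wanted:
            return False
        if ace_type == "allow":
            granted |= mask
        if granted & wanted == wanted:
            return True
    return False

# The ACEs from the question that matter here (constructed subset).
DACL = [("allow", "Administrators", FULL), ("allow", "Users", READ)]
# Canonical ACL order places the explicit deny ahead of the allows.
DACL_WITH_DENY = [("deny", "Guests", FULL)] + DACL
```

Because the deny ACE names Guests, ordinary members of Users keep their read access while the Guest token is stopped at the first ACE.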
