Limiting user rights.

Is there any way that I can set up an account of some type on my XPpro
machine so that my son cannot delete any files, icons, change settings,
but still be able to access programs that I can nominate and create
files from those programs, and create text files from outside of those
programs?

He's 3, and I wouldn't mind letting him stuff around on my computer, if
I knew that he couldn't stuff something up. The other option is to cram
a crowbar in the wallet and set one up for him. The only problem with
that is having to fix the problems on that computer, although they'd
probably be not life-shattering problems I suppose...

Richard McKeown wrote:

Is there any way that I can set up an account of some type on my XPpro
machine so that my son cannot delete any files, icons, change settings,
but still be able to access programs that I can nominate and create
files from those programs, and create text files from outside of those
programs?

He's 3, and I wouldn't mind letting him stuff around on my computer, if
I knew that he couldn't stuff something up. The other option is to cram
a crowbar in the wallet and set one up for him. The only problem with
that is having to fix the problems on that computer, although they'd
probably be not life-shattering problems I suppose...

In the BIOS screens, enable a password. That means no one boots your
computer without the password. That means the kid can't use your
computer without you being there to set it up for him. Be sure to
padlock the case (there's usually a tang through which you can insert a
tiny padlock - and don't use those cheapies for luggage since a
screwdriver and pliers works to open those). That's to prevent him from
getting inside (a place you never want him to get, anyway) to reset the
BIOS to eliminiate the password requirement. Each time the computer
powers up, the user is asked for a password. Without it, no operating
system gets booted.

Then use something like ShadowSurfer (the pro version is called
ShadowUser). When in Windows, you enable ShadowSurfer mode and then
reboot your host. When Windows is next loaded, it is in this
ShadowSurfer mode. You (or the kid) can delete files, modify them,
install programs (if you let the kid have admin or power user rights,
not a smart idea), or even get infected. You can totally hose over your
files and OS. When you reboot, your partition is returned to the same
state it was before you entered ShadowSurfer mode. That is, whatever
you did in ShadowSurfer mode is all gone and you have your OS back to
its prior state. This does require rebooting (because kernel-mode
drivers are required to redirect all changes to a virtual disk rather
than apply them to your real disk). This type of software is often used
in kiosks because despite all precautions there may be hackers that
manage to figure out how to screw up the OS or you want to let them make
changes, then reboot and it's all back the way it was. Schools use
this, too, so a scheduled reboot in the early morning returns their
hosts back to a known state for use the next morning for classes.

ShadowSurfer is just one example of this type of software. It was free
for awhile but not anymore (cost is $30; see
http://www.storagecraft.com/products/ShadowSurfer/). There are other
products that do a similar function. Microsoft has their SteadyState
(http://www.microsoft.com/protect/pro...eadystate.mspx) but
it's seems more geared to expert admins. I found it harder to
understand and setup but then I didn't have much time to give it a fair
trial. It's free. An advantage of SteadyState is that you can choose
to retain any changes you make while in shadow mode. That way, you
could test new but unknown software and decide to get rid of it
completely (return to the prior disk state) or retain your changes
(update your real disk). To do that in ShadowSurfer, you have to
upgrade to the more expensive ShadowUser. Other similar products that
I've heard of but not used are BufferZone ($40) and ReturnNil
(http://www.returnilvirtualsystem.com...spersonal.htm;
free/crippled version). If you get recommendation for other similar
programs, make sure they aren't old and dead programs (several have been
abandoned).

Read the help for these programs. Some only protect the partition for
the operating system (drive C and not any other drives. So a 2nd
drive, like D:, where you store your data could still wind up having
files deleted or modified. That might be what you want because you
could trial a program, save documents you create with them, and then
decide to get rid of the program but still want to retain your
documents. That's why you are still expected to perform regular
backups. If you don't backup your data, you deem your data as worthless
or reproducible.

So you add a BIOS password that is required to even start loading
Windows. You create a limited account for the kid. When you want to
pass control to the kid, enable the shadow mode and reboot. The kid
logs in. Whatever the kid manages to do will disappear when you reboot.
Note that because a reboot will restore back the prior state that any
installations that require a reboot to complete will disappear, too.

Richard McKeown wrote:

Is there any way that I can set up an account of some type on my XPpro
machine so that my son cannot delete any files, icons, change settings,
but still be able to access programs that I can nominate and create
files from those programs, and create text files from outside of those
programs?

He's 3, and I wouldn't mind letting him stuff around on my computer, if
I knew that he couldn't stuff something up. The other option is to cram
a crowbar in the wallet and set one up for him. The only problem with
that is having to fix the problems on that computer, although they'd
probably be not life-shattering problems I suppose...

A 3-year-old is much too young to be allowed on your computer unsupervised.
I have some funny stories about things my own children did on my machines
when they were little. Well, they are funny *now*!

Most certainly you should create a limited account for him, too. Since you
have XP Pro, you can use Group Policy to set restrictions (gpedit.msc). Be
very careful using the Group Policy editor; it is completely possible to
lock yourself out. Questions about group policy should be posted he

microsoft.public.windows.group_policy

Or you can use Microsoft's SteadyState:

http://www.microsoft.com/windowsxp/s...s/default.mspx
More on SteadyState: http://aumha.net/viewtopic.php?t=27570
SteadyState support -
http://forums.microsoft.com/WindowsT...1660&SiteID=69

If you are serious about allowing your child - and he could be a perfect
angel but he *is* only 3! - to play on your computer unsupervised, buy an
external hard drive and Acronis True Image and image your system regularly.
That way when he hoses your computer by banging on the wrong keys you'll be
able to get back up and running quickly. Actually, regular imaging is a
Good Thing even if there are no children around!

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ

"Richard McKeown" wrote:

Is there any way that I can set up an account of some type on my XPpro
machine so that my son cannot delete any files, icons, change settings,
but still be able to access programs that I can nominate and create
files from those programs, and create text files from outside of those
programs?

He's 3, and I wouldn't mind letting him stuff around on my computer, if
I knew that he couldn't stuff something up. The other option is to cram
a crowbar in the wallet and set one up for him. The only problem with
that is having to fix the problems on that computer, although they'd
probably be not life-shattering problems I suppose...

Create an account in the group Users - not a Power Users.
If this is not restrictive enough, try the built-in Guest account.
--
Newell White

Newell White wrote:

Create an account in the group Users - not a Power Users.
If this is not restrictive enough, try the built-in Guest account.

The built-in Guest account should not be enabled. The Guest account is a
special system account. It is disabled by default in Windows XP, Vista,
Linux, Unix, and OS X for a reason.

From TechNet:

"The Guest account is intended for users who require temporary access to the
system. However, if this account is enabled, a security risk may exist
because an unauthorized user could gain anonymous access to the system
through this account."

http://technet.microsoft.com/en-us/l...chNet.10).aspx

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ

"Malke" wrote:


The built-in Guest account should not be enabled. The Guest account is a
special system account. It is disabled by default in Windows XP, Vista,
Linux, Unix, and OS X for a reason.

From TechNet:

"The Guest account is intended for users who require temporary access to the
system. However, if this account is enabled, a security risk may exist
because an unauthorized user could gain anonymous access to the system
through this account."

http://technet.microsoft.com/en-us/l...chNet.10).aspx

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ


You are probably right - depends on physical access.
When I worked at home my 4-year old had great fun with MS Paint on a Win95
machine that was not hooked up to my (then) state-of-the-art 56k modem!

--
Regards,
Newell White

"Richard McKeown" wrote:

Is there any way that I can set up an account of some type on my XPpro
machine so that my son cannot delete any files, icons, change settings,
but still be able to access programs that I can nominate and create
files from those programs, and create text files from outside of those
programs?

He's 3, and I wouldn't mind letting him stuff around on my computer, if
I knew that he couldn't stuff something up. The other option is to cram
a crowbar in the wallet and set one up for him. The only problem with
that is having to fix the problems on that computer, although they'd
probably be not life-shattering problems I suppose...

Having read Malke's comment, I now recommend plan B.
But need not be expensive - here in the UK you can get a Win98 PC and CRT
monitor second hand for £50 max ($95 US).

MS Paint is about all a 3-year old can handle, but they can soon graduate to
minesweeper, solitaire, and eventually notepad!
Don't provide internet or LAN access, and have fun!

--
Regards,
Newell White

Richard wrote on Wed, 01 Oct 2008 23:02:09 +1300:

Is there any way that I can set up an account of some type on my XPpro
machine so that my son cannot delete any files, icons, change settings,
but still be able to access programs that I can nominate and create files
from those programs, and create text files from outside of those programs?

He's 3, and I wouldn't mind letting him stuff around on my computer, if
I knew that he couldn't stuff something up. The other option is to
cram a crowbar in the wallet and set one up for him. The only problem
with that is having to fix the problems on that computer, although
they'd probably be not life-shattering problems I suppose...

My 3 year old has a Limited User account on the kid's PC (my 9 year old has
a Limited User account too), and so far so good - I have to install anything
as the only admin user, but it's enough that the kids can't delete much
except files they've created, they can create icons on the desktop, and they
can access the net when I let them (combination of FSS and router access
rules, and keeping a close on them when they're on the computer). This PC
hasn't needed a rebuild since I installed everything a year ago, so I rate
that as a success. I wouldn't let him on my own PC though, that's just
asking for trouble.

--
Dan