Encryption versus Permission 3

[mraetrudeaujr]

I have a situation where I need to let my family use the computer as 'Admins'; but if they need to use the computer with me still being logged in, I want them to have to 'log' me off. (No, I'm not worried about them exploring while I'm still the logged-in user.) However, when they log in I don't want them to be able to look at any files or folders that I created (that belong to me and the Windows created --- 'My Documents' folder). Is this possible, even with allowing them to keep their "Admin" priveleges? I think that I need to disable "Fast User Switching" and encrypt the folder by using the 'EFS' portion of Windows. If I encrypt the 'My Documents' folder, will this apply only to my 'My Documents' folder only? Though I'm sure they wouldn't explore the Windows XP settings, I will also need to prevent them from figuring out how to 'enable' "Fast User Switching". Any suggestions would be very helpful, thank you.

Al

 

[pcdoc4christ]

Mr. Aetrueau:

Disabling fast user switching is easy; just follow these steps:

(1) Click Start then click Control Panel
(2) On the left column of the Control Panel, click "Switch to classic view"
(3) Double click User Accounts
(4) In the User Accounts window, click "Change the way users log on or off"
(5) Remove the checkmark from the checkbox next to "Use fast user switching"
(6) Click Apply Options
(7) Close the User Accounts window, & you're done!

=============================

As for keeping other users with Administrator accounts from viewing your encrypted files, as far as i know, it cannot be done. Any administrator is able to change the attributes (including removing the encryption) from any file.

Hence, your easiest solution is to use the User Accounts applet to change all the Administrator accounts (except your own, of course) to Limited User accounts. These users, however, will then not have the ability to do some things (such as install some software, or change the power saving options, etc.) That would mean that they would have to ask you to do these things for them.

In your case, a better, but more difficult to implement, solution may be to give the others Power User accounts. As Power Users they would be able to do nearly everything *but* undo the security measures you, as the only administrator, have set up. For example, they could encrypt files, but you would be able to remove the encryption. They could decrypt documents that they own, but they could not decrypt your encrypted documents. In effect, they would have all the power you have except the power to overpower you (unless, of course, they discovered your password). You would be master of the PC.



Power users would still be able to enable fast user switching, so a good habit for you would be to just log off before you walk away from the computer. Another option would be to put the PC into standby mode, which requires a person enter an administrator's password or restart it.

If you want some help in setting up Power User accounts, let me know.

Regards,
Doc


======================================

"Freely you have received, freely give." --Jesus

pcdoc4christ@yahoo.com

 

[mraetrudeaujr]

Thanks pcdoc4christ!

Yes, I would like to get some more information on the details of setting up the user accounts as 'POWERUSERS'. I thought that you only had two choices in 'Windows XP Home' (Admin or User).

Feel free to put this in detail, as I know my way around XP very well (I am a very experienced Windows XP user).

Oh, by the way…I noticed that you weren’t afraid to avow your submission to Christ. This thread came out because my friend (a Christian Minister) asked me if I knew how to secure his home computer in the manner stated in my initial post for this thread! How appropriate that this reply came from a fellow Christian! Thanks for your help.

Al

 

[linney]

With Encryption the fact that someone is an Administrator may not mean they can access encrypted files it is more to do with which user has been set up as a Recovery Agent for recovering encrypted files, who encrypted the files in the first place, and whether he enabled them to be shared by other users.

As you are talking about XP Home then you should be aware that Home is a watered down version of Pro and does not have any encryption facilities other than what you might install using third party programs.

These links might help you improve Home a little.

If you have a NTFS partition try these links to beef up Home to something more configurable that you may be able to use to block access.

http://www.dougknox.com/xp/utils/xp_securityconsole.htm

http://www.dougknox.com/xp/tips/xp_home_sectab.htm

307881 - HOW TO: Convert a FAT16 or FAT32 Volume to NTFS in Windows XP

http://support.microsoft.com/default.aspx?scid=kb;en-us;307881&FR=1&PA=1&SD=HSCH

 

[LloydSev]

XP Home does indeed not have a Power Users group. Power Users is only included in the Pro version of XP.

You can simulate this, but it has it's side effects.

Fast User Switching will not enable them to be able to log into your account (as you are still required to enter a password to get back in via fast user switching).

Computer/Network Technician
CCNA

 

[mraetrudeaujr]

Thanks Linney!

I was beginning to think that maybe this topic had been beat to death and that is why I only received one reply
(...though I did try a search on this specific forum first...very few results!).

Yes I know that Pro is different from Home, but unfortunately most of the XP machines that are deployed in 'home' environments (store-bought PC's) come with the "Home" version. I encourage users to specifically request the PRO version, but most times they are talked out of it by the sales person (and then use that savings for a 'thumb drive'). Still, I will follow up on these links and see where it takes me.

In my home I use Windows XP Pro while the family is using Windows XP Home. I have them on 'Home' for purposes of a client calling up with a problem and I find that it is specific to the Windows XP Home version.

Al

 

[linney]

As an aside to this post -

"I have them on 'Home' for purposes of a client calling up with a problem and I find that it is specific to the Windows XP Home version."

You could fork out for Microsoft's "Virtual PC 2004" and then install every operating system under the Sun (Hard Drive space taken into consideration), and run them all from the one PC from within PRO.

 

[mraetrudeaujr]

Linney,

This is an intriguing setup. Could you explain it a little further, and/or give me a couple of links that would give me some information on this "Virtual PC" setup? Thanks.

Al

 

[linney]

Virtual PC when installed on PRO runs completely from within PRO as a self contained program into which you are able to install any number of Guest operating systems such as XP Home, 2000, 98. ME, Linux etc. etc. With minor restrictions (such as no CD burning) these operating systems run as if they were installed on their own hard drive. There is complete separation between the Host operating system and the Guests, although networking between the two is available including file sharing etc.

Better details here.

Microsoft Virtual PC 2004

http://www.microsoft.com/windows/virtualpc/default.mspx

Virtual PC
thread779-818502

http://www.google.com/search?source...GLD:en&q=site:www.robertmoir.co.uk+virtual+pc

 

[Pleonasm]

Mraetrudeaujr, it appears to me that the simplest solution might be to utilize a third-party file encryption program, as was previously suggested.

One no-cost option is PGP freeware (

http://www.pgp.com/downloads/freeware).

For a more comprehensive (and easier to use) solution, see SecretAgent (

http://www.infoseccorp.com/products/secretagent/sa57win.htm).

I use SecretAgent on my own home PC to automatically encrypt all files in selected folders upon logout. I highly recommend the product.