Account security, XP Home SP3

xXaNaXx

i'm in the process of re-imaging my sister's computer because it got swiss-cheesed with viruses/trojans/rootkits, etc. I'd rather not have to do this again, so i want to impose some restrictions on her computer.

she has all kinds of friends over all the time using her computer, so i'd like a way to make it so that anyone on the computer would have to enter a password before being allowed to install anything, but without giving them access to the administrator account. i want her to be able to install things when she wants to, but disallowing anyone else from being able to install anything.

is this possible at all?

she's on a WinXP Home SP3 system, and i'm not "upgrading" (really, "downgrading") her to Vista.....i can't stand that POS.
 
Okay, well let's stop the Vista bashing. It's really fucking old.

Now, here's your best bet for locking down Vista.

Set everything up as Admin. Create a limited user. Give her Admin password. Make her use limited user.

UAC will prompt for admin rights to install anything (just like every other OS). If not already, put her behind a NAT router, install Avira AntiVir for antivirus and leave Windows Firewall up just in case, and most importantly, leave Vista alone. Let it do its thing.
 
Yeah, you can enable the Guest account in the computer manager. Make sure under user accounts, that you disable fast user switching but leave the welcome screen on, which will bring up that window when you log into XP, so her friends can click on 'Guest' account and log in with no password. They can use the Internet, that's about it. They don't need to be installing anything. Give your sister a limited account and password protect the administrator account. If she ever wants to download and install anything, show her how to right click -> run as, then select the administrator account, and it will let her install the program. She just needs to type in the password. If in the event she has to do system maintenance or account maintenance, she can just log in under the admin account. The limited account will also help block stuff from being installed.

AND FOR THE LOVE OF YOUR FAMILY, TELL HER NOT TO CLICK ON THE BLINKING BANNERS THAT SAY YOU HAVE VIRUSES!

Explain to her what AV/Spyware products you installed, and to ONLY trust those. I like Avira and Avast for experienced users, but I've found AVG has very good tools to set up scanning schedules and update schedules that work under limited account, for your mom/sister/grandparents systems. Yes, it's slightly more bloated but its usability is worth it considering they just check email, play solitaire, click around on the Internet etc... I would suggest disabling the email scanner though to help save resources since most people use online email, then right click and say ignore component state, that way it takes away the warning icon. It also has a link scanner which shows them what links are safe and what are not (useful for non-experienced users) and it has dynamic scanning which of course is common.

Set up AVG to scan every day but move the slider to the left for low priority, so it doesn't interrupt her while she's working. Set it to automatically update every day.
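
Added example, not part of the post above: the limited-account / password-protected-administrator layout it describes, scripted with XP's built-in `net` commands and followed by the "Run as" step from the command line. The account name `sister` and the installer paths are placeholders; turning the Guest account on is left to Control Panel as the post describes.

```batch
@echo off
rem Added example: account layout from the post above, scripted for XP.
rem Run from a command prompt on an administrator account.
rem LIMITED_USER is a placeholder name chosen for this example.
setlocal
set LIMITED_USER=sister

rem 1. Create the everyday account. "*" makes net.exe prompt for the
rem    password, so it is never stored in this file.
net user %LIMITED_USER% * /add
if errorlevel 1 goto fail

rem 2. Set a password on the built-in Administrator account. "Run as"
rem    refuses accounts with a blank password under XP's default policy.
net user Administrator *
if errorlevel 1 goto fail

rem 3. Check: the everyday account must not be listed as an administrator.
net localgroup Administrators | find /i "%LIMITED_USER%" >nul
if not errorlevel 1 (
    echo WARNING: %LIMITED_USER% is in Administrators, removing it.
    net localgroup Administrators %LIMITED_USER% /delete
)

rem 4. Show who can still install software, for review.
net localgroup Administrators

echo.
echo To install something from the limited account:
echo   runas /user:%COMPUTERNAME%\Administrator "C:\path\to\setup.exe"
echo For .msi packages, elevate msiexec instead:
echo   runas /user:%COMPUTERNAME%\Administrator "msiexec /i C:\path\to\package.msi"
goto :eof

:fail
echo Account setup failed; no further changes made.
exit /b 1
```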
 
Use Guest accounts, consider installing Windows SteadyState on it as well - that would basically negate whatever the hell anyone could possibly try to do to fuck the machine up when it's in use (like DeepFreeze works, same principle, but a Microsoft free product).
 
Which would include his sister's work, and explaining how to use Steady State to a non-experienced user is probably like trying to get the Devil to buy baby Jesus a Christmas present.
 
Actually, it doesn't work that way, so you might wish to spend more time learning about SteadyState. :)

"Steady State needs to be installed and configured under a standard user account (one with administrator privileges). When you fire it up, you’ll see that it’s split into two areas: Global Computer Settings and User Settings. Most of the action will take place in the latter. To begin then, click ‘Add a new user’ (you can add as many as you like, each with their own set of restrictions). Simply go through the usual routine of choosing a name, icon and password (this is optional)."

The Admin account sets it up (the owner of the machine, the girl in question) and then creates accounts that will be restricted and locked down by SteadyState. When those accounts are in use, nobody is going to wreck the machine, period.

The problem with the OP's original situation is that it's a practical impossibility: Guest accounts cannot install software, period, so the idea of adding a password to allow for such things is meaningless. Either the sister (whose machine it is) or the brother (who appears to be her tech support) will have to manage what gets installed and when - giving any user the ability to install stuff, even if the "give 'em a password" scenario was a reality - defeats the entire purpose of keeping the machine solid and locked down.
 
OK, I'll give you credit Joe, you got me this time. What I am remembering from when I did my Steady State research was that you had to unlock the account, make changes, then relock it. I was not remembering about having an admin account that was not locked. But still, having to unlock an account, make changes, then relock it may be too many steps for an extremely casual user. The Guest/Limited account where you simply click a button and log in, might be a tad easier. Steady State is a great free product though that does have a lot of good uses.
 
d3c1us, I guess you didn't notice this is XP we're talking about.

Why don't you just create a limited "mandatory account" for guests to use? No changes made are saved at log-off.
Set HER account to kick on the screensaver after a few minutes, and on resume, set it to display the logon screen so if she walks away, someone else can't use her account.

Or switch the computer to some flavor of *nix, and no-one will KNOW how to install anything :D!

Better yet....remove the hard drive, and make them use a live-cd! ROFL!
 
OK. That mandatory account thing is interesting. So, you create a copy of a profile in a folder. Mark that folder as read only. Then you create a new user, point that user to the read only profile information. Then no changes are saved when the specified user logs in out.
 
"Okay, well let's stop the Vista bashing. It's really fucking old."
QFT on that. I usually have patience to deal with crap like that, but gosh darndit, it's about ran its way right smooth clean out.


"Set everything up as Admin. Create a limited user. Give her Admin password. Make her use limited user."

And this quote above is really the only "correct", easy, and built-in method to do this. Of course, it is not XP though.



On XP, the best way to do this is teach the principle that the Guests need to use a different account. Period.
Like others have said, the Guest account is probably the easiest way to do this on XP.

SteadyState is IMO too complicated for this. It's great for demo machines and the like, but for a "production" machine with a full time user, it'd be a PITA. I can't get any of my users to comprehend "local" versus "remote" concept, much less something like this.
 