Bmistiaen 2012-04-02 08:42:55
I have a PC with 3 partitions: C,D,E.
OS = Win2K Pro
As administrator, I kan browse and execute anything I want.
There’s also another user and I’d like to restrict his
browsing to the D partition only, so that he can’t access C and E.
How can I do that?
I’ve already tried to set the security settings
of the C-drive, but that did not lead to the desired result.
The user could indeed not browse the C: anymore,
but at the same time the startup of the PC gave errors
and certain programs like Excel, who are on the C drive,
cannot be run by that user anymore.
Does anyone have any idea how to restrict browsing to D: only
while startup remains error-free and all programs can still be run?
Ida wanna 2012-04-02 08:43:08
What are you keeping on C that could not be kept on E? Then he can be
blocked from E and the OS and apps on C can be opened up for use. Is he a
problem user that likes to browse around deleting stuff to “clean”? Maybe
security isn’t the answer. Maybe a baseball bat or a pink slip is. 😉
Bmistiaen 2012-04-11 14:08:57
The C: drive contains only the Operating System and the installed programs.
But I don’t want anyone to be able to mess that up, so I’d like to
restrict access to that also.
How can this be done?
(while startup remains error-free and all programs can still be run)
Russs 2012-04-11 14:09:04
I suggest that if you have startup errors then you have set something
incorrectly. How did you set them up?
Bmistiaen 2012-04-11 14:09:18
The way I’ve set it up now is that only the permission
“List Folder” is not allowed on the C root for that user.
Now it starts up correctly, but he cannot start excel, word, ….
Steven l umbac 2012-04-11 14:09:23
Users must have list/read/execute permissions in order to run
applications and the operating system, so you can not restrict browse
ability to the whole c drive. You should not change ntfs permissions on the
Winnt system folder or its subfolders [hence your problems] – permissions
there are already restricted to regular users. On the root/drive folder for
drive c you should remove the everyone group and replace it with
authenticated users for list/read/execute. If you have specific “installed”
applications or data folders on any drive that you want to block access to
you can remove users from ntfs permissions or give specific users/group deny
permissions. You could completely deny access to drive e if it does not
include needed applications for users by removing the unwanted users from
the root folder and all subfolders [everyone group, users] be careful with
deny permissions as the administrator is a member of the everyone and users
groups. You can use local group policy [gpedit.msc] to restict users from
using explorer, etc to view drives and file info, but on a local machine the
policy will apply equally to ALL users unless you use an unsupported hack
such as putting deny permissions on the \winnt\system32\grouppolicy\users
folder for exempted users. — Steve
Beoweolf 2012-04-11 14:09:51
The question I didn’t see asked is …”What permissions does the user have?”
Is he/she a member of the admin group, operators group, backup
operators….or a regular user?
A combination of NTFS permissions, Folder shares and either publish or
assigning applications through group policies will allow the user access to
anything that he is authorized to use. As mentioned, if a regular user is
tip-toeing through system files or applications folders on your “C” drive,
then you have configured something wrong.
Bmistiaen 2012-04-18 17:44:27
The user is a member of the “Users” group,
so it’s a regular user.
Russs 2012-04-18 17:46:08
Do like I do – make a new group ‘B***** Nuisance Users” and then restrict
that group as necessary 🙂