Anyone here have the token kid who seems to know a little too much about computers?
Or maybe you have someone else in your household who just seems to not know a thing about what they're doing and always breaks things - "Mr F*k fingers" yea, you all know someone out there like that. Maybe you are paranoid, mwah, who cares, so you should be.
What you might want to do, if you haven't done so already, is to create seperate accounts for each person on each machine. The only exception to this is if you are running a server using active directory, then it's done on the server machine alone.
Next comes the account levels and passwords. I personally recommend changing your default Admin accounts name and assigning password or disabling it (it's disabled by default in Vista). Someone can quite easily RD you using Admin and no PW if you've done a default install of XP.
Assign your passwords to help with privacy (this ones entirely your risk, I have 1 account without a password but it can only watch TV and listen to music, nothing else).
Once that's done, choose your level of functionality, ie. Admin or not. I have only 1 Admin account and I rarely use it.
Next (Vista) choose your family settings and what you want your kids to access (Keeping in mind that if you lock the web down it's gonna be "Dad, I need your authorization to access this site" every 10 seconds).
Now we are ready for the messy bit, editing account relative policies (say what?
).
This can be VERY messy if you don't do it right as you CAN lock not only your household out, but yourself as well.
Logon as the admin (make sure of this) and start the Management Console (type "mmc" without quotes in the run command or vista search bar)
Click on file and click add/remove snap-in and choose "Group Policy Object Editor" and click add. It will then ask you what you want to apply it to.
DO NOT LEAVE IT AT THE DEFAULT "LOCAL COMPUTER" AS IT WILL APPLY THE SETTINGS GLOBALLY.
Click browse, and then click the users tab. Select the user you what to assign permissions to and click ok.
Now, before I go on. If you have a few users this way will (not may) take some time so just select "non-administrators" to apply the same setting to anyone not an admin user.
In the cosole tree, you will notice a number of different listings. Have a poke around and choose exactly what you do and don't want to happen. Be sure to read exactly what each item does before changing it. The golden rule here is, if you aint sure what it does, don't apply it to your account, test it on someone elses.
You can lock out things like, deleting browsing history (perfect for porn using suspects without blocking the content), disabling changes to numerous things, disabling installs, disabling right click, removing items from the start menu, denying access to control panel, hiding drives (you can make the Personal folders the only thing they see if you like) and many, many more.
I also recommend disbling command.com, cmd.exe and notepad.exe (to stop the old batch file, although you can lock them down too). This will stop users with some knowledge doing damage.
You may need to input them as follows
%systemroot%\system32\command.com
%systemroot%\system32\cmd.exe
%systemroot%\system32\notepad.exe
the %systemroot% attrib just means the windows directory on the applicable drive (doesn't need to be substituted as it IS how it needs to be entered, but if you're feeling lazy you could use "drive:\windows\system32\file.extension" as it's 2 characters less)
Oh, and don't forget to disable access to MMC (definately make sure your not applying this to your account
)
I would recommend creating a test account and having a stab at it. Just remember to edit the settings from a different account.
If you have any questions feel free to PM me. I may take a little time to respond sometimes as I work all over the place.
I can also help with other things as I AM a qualified IT geek
Lockin' it DOWN! - A guide to restricting those accounts (also applies to XP)
