Windows 7 User Account Restrictions Help

[Jalke]

Pretty simple. I created a second user account for my PC. I'm trying to allow it full access & free modifying rights to its desktop, & external drives. No looking through anywhere else on the computer, but able to use shortcuts on the desktop to run programs, along with generating new video files, copying files from another drive... complete editing freedom on the desktop.



Online suggested Gpedit.msc which I used to restrict access to the C drive whilst allowing use of any desktop items. But this just screwed my other account that could no longer access the C drive, & I couldn't copy / edit items on the Second User's desktop anyway.

I was trying to Properties -> Security -> Allow/Disallow aspect, but when I ticked one box, it forced all the other boxes to follow/untick. Made no sense.



Can someone help me out please?

 

[ussnorway]

I recommend you formate the hdd and start again... after making any backups needed

 

[Jalke]

What? Why?

Edit: Removed the gpedit.msc's restriction so I can still access the C drive. I simply meant it wasn't a viable option because it becomes a nuisance.

 

[Neemobeer]

Using local group policy is going to restrict access for everyone. You would need enterprise level group policy to do this. Why not just make the second user a standard account. That way that can't do much on the C drive and already have full access to their profile.

 

[Jalke]

It's more of a "restrict nosiness" & "only allow one or two applications to run".

So what you're saying is, with my current windows built, I can't achieve this?

 

[Neemobeer]

Not easily no. If you don't want them looking through the C: drive,

• Right click on the C: drive > properties > Security.
• Add the second user account, un-check all the allows and select Deny for "List folder content" (they could still see the content if they are proficient with the command prompt, but other wise they cant browse the C: drive)

 

[Jalke]

I tried that - but I hit "Deny" on "List Folder Content", but then it deselects EVERYTHING on allow. So I Can't seem to allow anything.

In addition - if I hit one box on the "Allow" side, it sets them all to allow. What's up with that?

 

[ussnorway]

the list is top heavy i.e, sellecting allow on a box covers all below it... be VERY careful with deny.
why does this second account need to be locked out of the c drive?

 

[BIGBEARJEDI]

unless you have Win7 Pro, Business, or Enterprise version of Win7 GP policy won't work as you are attempting to do. So if you have any other Win7 version such as Starter, Basic, or Home; you simply can't do it. Period. You should take our suggestions above to restrict C: drive browsing by another user on your computer by limiting their Account-Type to Standard or Guest as mentioned.

It turns out that you can buy programs that will accomplish this in the low-end versions of Win7; but they are pretty expensive. In the olden day of XP; you can use something called STEADY STATE from Microsoft and it was availble only with a TechNet annual subscription which most companies paid $600 to $1200 per year for. I don't know if this app suite is available for Win7 low-end editions or not, but it's a lot of work to setup, and requires expert level windows programming skills. If you work in an IT shop or for a Microsoft Partner or Distributor you might be able to find out if this program is still available for Win7 as I mention and get some help making it work if you do get a copy. I spent over 100 hrs. making it work on a couple of XP computers at my local senior center to keep the oldsters from continuously scrambling their 2 PCs. Methods we mention to you above are FREE and a lot less work.

Good luck to you,
<<<BIGBEARJEDI>>>

 

[Neemobeer]

Deep Freeze does the same as steady state and you can get single licenses for about $50.

 

[Jalke]

unless you have Win7 Pro, Business, or Enterprise version of Win7

Turns out I have Windows 7 Professional

 

[Jalke]

the list is top heavy i.e, sellecting allow on a box covers all below it... be VERY careful with deny.
why does this second account need to be locked out of the c drive?

I'm letting a younger sibling use the PC to do work, & thus barring any distractions that my Completely-Filled-Up-With-Games-And-Porn PC my bring.

Not easily no. If you don't want them looking through the C: drive,

• Right click on the C: drive > properties > Security.
• Add the second user account, un-check all the allows and select Deny for "List folder content" (they could still see the content if they are proficient with the command prompt, but other wise they cant browse the C: drive)

Yes, just confirming one last time (also noting that I have Win7-Pro if it provides an easier solution), after selecting the User in C -> Properties -> Security tab [user being:: WorkUser (JALKE\WorkUser)] it warns me that I'm about to change permissions on the root directory of the startup disk, which could result in unexpected access problems & the reduction of security. I'm sure it's fine as I'm doing this to a secondary Standard Account as opposed to the Primary Account, but just in case - there's not going to be some paradoxical event that'll force me to re-format the Drive again, right? This is safe?

 

[Neemobeer]

Yes it will work fine, what you are doing is layered permissions. From the Users group applied the other user should still maintain Read & Execute so the user will function and Deny "List folder contents" from the user specific ACL you are applying.

 

[BIGBEARJEDI]

Deep Freeze does the same as steady state and you can get single licenses for about $50.

>>>Thanks, Neemo! That's the one I couldn't think of. I know people using this in their companies and it works fine.<<<
BBJ

 

[Jalke]

Not easily no. If you don't want them looking through the C: drive,

• Right click on the C: drive > properties > Security.
• Add the second user account, un-check all the allows and select Deny for "List folder content" (they could still see the content if they are proficient with the command prompt, but other wise they cant browse the C: drive)

The problem with this, is that it directly conflicts with my previously stated criteria, as follows:

I'm trying to allow it full access & free modifying rights to its desktop

As for Steady State / Deep Freeze, I don't possess expert level windows programming skills (or so I don't believe), so it looks like I'll have to give this a pass.

 

[ussnorway]

while their desktop is on the c drive its also inside their username account folder... in any event, perhaps you should consider a multiboot option?

the idea is to add a second hdd to the machine and install windows on this drive as a "stand alone" system that does not interface with the 1st (i.e, your) hdd... once you set it up, the worse thing that can happen from your sibling is that he buggers that 2nd hdd and you can always format and start agian.

 

[Jalke]

A really silly point, but I don't like multibooting. Do you think I could relocate the 2nd UserAccount to my E drive or something? So when it uses that user, its desktop is separate from the C drive?

 

[ussnorway]

ime the honest answer is no... Microsoft makes systems by the million and when you step outside the norm Windows will be buggered up unless you really know what you are doing the c drive is where your system needs to stay.

 

[Neemobeer]

Manipulating the ACLs on the C drive would work. The user could still save to the desktop. All "List content" does it prevents the user from navigating to the directory in explorer. Read access would still be intact due to the Users group.