Denying file system browse permissions to Guest user account

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Is it possible to lock down the Guest user account such that it cannot access
and browse the file system or a specific drive on XP Professional?
 
David said:
Is it possible to lock down the Guest user account such that it cannot
access and browse the file system or a specific drive on XP Professional?
Click to expand...

Certainly. The Guest account is normally disabled anyway. Do this in Control
Panel>User Accounts. The Guest account is not meant for when you are
feeling hospitable. It is a system account that allows a user without an
account on the system to sit down at the local machine, log on, and do a
few things. It runs with elevated privileges and is therefore a security
risk. That's why it is disabled by default in most operating systems.

If you want an account for friends and relatives, make a new account called
something like "Visitors". Then lock down the account as desired. How you
do this depends on the version of XP you have.

XP Pro - Group Policy Editor - Start>Run>gpedit.msc (be careful with this)
Also user groups/permissions if you have Pro.

Otherwise, MVP Doug Knox's Security Console or the MS Shared Computer
Toolkit:

http://www.dougknox.com
http://www.microsoft.com/windowsxp/sharedaccess/default.mspx

Malke
 
Thanks Malke. That's exactly what I was looking for. That Group Policy
Editor is pretty well hidden.

Thanks for the education on the Guest account as well since that was my
intended use.
 
David said:
Thanks Malke. That's exactly what I was looking for. That Group Policy
Editor is pretty well hidden.

Thanks for the education on the Guest account as well since that was my
intended use.
Click to expand...

You're most welcome. Be careful using the Group Policy Editor. It is
completely possible to lock *yourself* out. Here's the newsgroup for gpedit
if you have questions about it:

microsoft.public.windows.group_policy

Thanks for taking the time to let me know this worked for you.

Malke
 
Any user needs at least read/list permissions to try and access a folder. If
the drive is not the system drive that contains the operating system then
you can easily deny them access to that whole drive by not giving them any
permissions either by explicit user account or by group membership. The
guest account is not a member of authenticated users which is one reason
many specify authenticated users in access control lists instead of
everyone/users. You can also give a specific user/group deny permissions to
folder though I generally recommend that you rely on no permissions instead
due to complexities of NTFS file inheritance that can allow a user with deny
permissions to access folders/files that the admin though they could not
access. The link below explains more on configuring NTFS permissions if you
need that info. -- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418
 
Back
Top