Giving Limited Users a Little More Authority/Permission?

[BillJohnson4]

Microsoft Gurus:

I have Windows XP with Service Pack 2, Internet Explorer Version 6.

I created a limited user called "Bill" (Start -> Settings -> Control
Panel -> User Accounts).

Unfortunately, it is too limited.

I would like for "Bill" to be able to:

1. change his IE6 home page to a local file, e.g., file://C:/index.htm,

2. change his IE6 security settings (Tools -> Internet Options ->
Advanced tab -> Security section) to "allow active content to run in
files on My Computer".

He can go through the motions of doing both, receives no error
messages, but his changes do not take.

How can I start with a limited user and selectively add one
permission/authority at a time?

Thanks.

 

[Guest]

hi,
i think that you can give BILLmore permission when you creat it ,
then restrict it using Local Security policy from run>mmc>add>local security
policy>user configuration>administrative templates>windows
components>internet explorer.
you can also change alot of security things

regards,

 

[cquirke (MVP Windows shell/user)]

I have Windows XP with Service Pack 2, Internet Explorer Version 6.

I created a limited user called "Bill" (Start -> Settings -> Control
Panel -> User Accounts).
Unfortunately, it is too limited.

I would like for "Bill" to be able to:

1. change his IE6 home page to a local file, e.g., file://C:/index.htm,

Better to choose a less obvious file name and store it somewhere other
than the omnipresent C:\, I would say.

2. change his IE6 security settings (Tools -> Internet Options ->
Advanced tab -> Security section) to "allow active content to run in
files on My Computer".

That's quite a wide-ranging change, and I would look for something
finer-grained - e.g. if you could sign the active content you want to
run and then set that (and only that) up to be trusted.

In the old days, the "My Computer" zone was left wide open; anything
that got material onto the system would then be able to bounce around
without further limitations. By design, MS accepts scripts within
cookies, for example, so delivery isn't a problem, though getting the
material to run for tyhe first time may be.

These (post-SP2) days, the trend has been to paradoxically harden "My
Computer" even beyond Intranet Zone, so we are starting to see
retrograde escalation e.g. malware that attempts to work locally by
approaching the PC via its own network shares.

If you think about it, it makes sense - for many if not most of us,
the only scripts we may want to run are those in web pages. Once
these pages are stored locally, most of the web site links are broken
and they have no use - at least, no use we would want.

Before MS got this clue, some of us had already been doing what we
could to kill scripting where we were not using it; renaming away the
WSH and .HTA engines, disabling Active Desktop and View As Web Page,
etc. and using .BAT files (security via unfashionability?) instead.

He can go through the motions of doing both, receives no error
messages, but his changes do not take.

How can I start with a limited user and selectively add one
permission/authority at a time?

XP Home, most likely no can do. XP Pro, prolly involves Group Policy
Editor or similar tools, but that's outside my scope ;-)

---------- ----- ---- --- -- - - - -

Gone to bloggery: http://cquirke.blogspot.com