remove internet access from one profile

[Guest]

Hi - my neice has kind of an internet addiction (especially with IM and
myspace) and this has led her into some other serious problems that we are
addressing. For now, I need to be able to create a profile for her that has
absolutely no access to the internet. Once she has been through some
counseling, we'll probably want to let her back on again but with additional
secuirity - I guess like netnanny. So my question for now is how can I
create or remove access to a program for a specific profile. I've tried to
do this through Set Program Access and Defaults - but when I add or remove it
seems to do it for the other accounts also. Also- does it need to be a
limited profile so that she can't make changes on her own. If it's possible,
I do want her to be able to access files and pictures she has saved on my
profile.

 

[Steven L Umbach]

Assuming she does not have administrator or power user access [which will
need to be an absolute must] to the computer nor knows how to gain
administrator access you can configure a bogus proxy server for her user
profile by logging on as her and going to Internet Explorer tools/internet
options/connections - lan settings and setting a the proxy server to be
127.0.0.1. Now if she can access that setting she can uncheck it though you
can disable it for all users on the computer by adding the following
registry key if you are familiar with editing the registry.

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control
Panel\ConnectionsTab: 0x00000001

There is also a free Shared Computer Toolkit that Microsoft provides that
you can install on your computer that will do a great job locking down a
user account including stopping most changes to the user profile if you do
not want to mess with the registry and it is available at the link below and
requires that you are using Service Pack 2. I highly recommend it and it is
fairly easy to configure.

http://www.microsoft.com/windowsxp/sharedaccess/default.mspx

Now the bogus proxy will only prevent internet access via Internet Explorer.
To stop the use of Instant Messenger you will need to find the executable
for it which should be shown in the properties of the shortcut and give her
user account full control deny permissions to it. The link below explains
how to manage NTFS permissions assuming you are using the NTFS file system.
You can restrict a non administrator user's access to any folder or file on
the computer this way and should also do it for any other application she is
using to access the internet. There is also a software firewall called
PortsLock that is reasonably priced that can have different firewall rules
for each user on the computer that you may want to check out.

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418 --- NTFS
permissions
http://support.microsoft.com/?ID=307874 --- for XP Pro only on disabling
simple file sharing.
http://www.portslock.com/ --- PortsLock

After you make changes logon as her user account and make sure that the
restrictions are in effect and she can do what she needs to do. Also make
sure that you have hard to guess passwords for all user accounts and in
particular administrator accounts. In XP Home the built in administrator
account is only available in Safe Mode and by default has a blank password!
Another thing to do would be for you as an administrator to disable the
network adapter when she is on the computer. As a non administrator she will
not be able to start it again. Go to Control Panel/network connections and
right click your network adapter and select disable. Then when it is needed
again you or another administrator can enable it again.

Having said all the above it is possible for any user who has full physical
access to a computer to become administrator of it if they have the skills.
So beware of that and often check that the password for the built in
administrator account has not been changed as that is the prime target. Also
periodically check the membership of the power users and administrators
group to make sure it is what you expect. You can take steps to make it much
harder for a user to become administrator such as configuring the computer
cmos settings that you can often access by holding down delete or F2 when
the computer starts and making sure that the computer can only boot from the
system hard drive and not a floppy, cdrom, etc., setting a password to
access cmos settings [don't forget it], and somehow locking the case to
prevent access to the inside so that a user can reset cmos settings.

Hopefully this will get you started.

Steve

 

[Guest]

Steven - thanks so much - I'm going to check into all of these options. I
like the toolkit idea because my nephew will also start using our computer
this fall for an online college class - seems like it might keep things in
good order too. This is the first time i've used newsgroups. If I have any
follow up questions relating to this issue, should I just add an additional
link to this one - or start a new thread?

Assuming she does not have administrator or power user access [which will
need to be an absolute must] to the computer nor knows how to gain
administrator access you can configure a bogus proxy server for her user
profile by logging on as her and going to Internet Explorer tools/internet
options/connections - lan settings and setting a the proxy server to be
127.0.0.1. Now if she can access that setting she can uncheck it though you
can disable it for all users on the computer by adding the following
registry key if you are familiar with editing the registry.

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control
Panel\ConnectionsTab: 0x00000001

There is also a free Shared Computer Toolkit that Microsoft provides that
you can install on your computer that will do a great job locking down a
user account including stopping most changes to the user profile if you do
not want to mess with the registry and it is available at the link below and
requires that you are using Service Pack 2. I highly recommend it and it is
fairly easy to configure.

http://www.microsoft.com/windowsxp/sharedaccess/default.mspx

Now the bogus proxy will only prevent internet access via Internet Explorer.
To stop the use of Instant Messenger you will need to find the executable
for it which should be shown in the properties of the shortcut and give her
user account full control deny permissions to it. The link below explains
how to manage NTFS permissions assuming you are using the NTFS file system.
You can restrict a non administrator user's access to any folder or file on
the computer this way and should also do it for any other application she is
using to access the internet. There is also a software firewall called
PortsLock that is reasonably priced that can have different firewall rules
for each user on the computer that you may want to check out.

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418 --- NTFS
permissions
http://support.microsoft.com/?ID=307874 --- for XP Pro only on disabling
simple file sharing.
http://www.portslock.com/ --- PortsLock

After you make changes logon as her user account and make sure that the
restrictions are in effect and she can do what she needs to do. Also make
sure that you have hard to guess passwords for all user accounts and in
particular administrator accounts. In XP Home the built in administrator
account is only available in Safe Mode and by default has a blank password!
Another thing to do would be for you as an administrator to disable the
network adapter when she is on the computer. As a non administrator she will
not be able to start it again. Go to Control Panel/network connections and
right click your network adapter and select disable. Then when it is needed
again you or another administrator can enable it again.

Having said all the above it is possible for any user who has full physical
access to a computer to become administrator of it if they have the skills.
So beware of that and often check that the password for the built in
administrator account has not been changed as that is the prime target. Also
periodically check the membership of the power users and administrators
group to make sure it is what you expect. You can take steps to make it much
harder for a user to become administrator such as configuring the computer
cmos settings that you can often access by holding down delete or F2 when
the computer starts and making sure that the computer can only boot from the
system hard drive and not a floppy, cdrom, etc., setting a password to
access cmos settings [don't forget it], and somehow locking the case to
prevent access to the inside so that a user can reset cmos settings.

Hopefully this will get you started.

Steve

Hi - my neice has kind of an internet addiction (especially with IM and
myspace) and this has led her into some other serious problems that we are
addressing. For now, I need to be able to create a profile for her that
has
absolutely no access to the internet. Once she has been through some
counseling, we'll probably want to let her back on again but with
additional
secuirity - I guess like netnanny. So my question for now is how can I
create or remove access to a program for a specific profile. I've tried
to
do this through Set Program Access and Defaults - but when I add or remove
it
seems to do it for the other accounts also. Also- does it need to be a
limited profile so that she can't make changes on her own. If it's
possible,
I do want her to be able to access files and pictures she has saved on my
profile.

 

[Steven L Umbach]

Generally it is best to post a follow up question to the same original post
as a reply. That way we all can see the whole story and what current advice
has been offered from all those that reply and your progress if any. If you
want to ask a new question that is pretty much a different topic then a new
thread makes sense.

Steve

Steven - thanks so much - I'm going to check into all of these options. I
like the toolkit idea because my nephew will also start using our computer
this fall for an online college class - seems like it might keep things in
good order too. This is the first time i've used newsgroups. If I have
any
follow up questions relating to this issue, should I just add an
additional
link to this one - or start a new thread?

Assuming she does not have administrator or power user access [which will
need to be an absolute must] to the computer nor knows how to gain
administrator access you can configure a bogus proxy server for her user
profile by logging on as her and going to Internet Explorer
tools/internet
options/connections - lan settings and setting a the proxy server to be
127.0.0.1. Now if she can access that setting she can uncheck it though
you
can disable it for all users on the computer by adding the following
registry key if you are familiar with editing the registry.

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control
Panel\ConnectionsTab: 0x00000001

There is also a free Shared Computer Toolkit that Microsoft provides that
you can install on your computer that will do a great job locking down a
user account including stopping most changes to the user profile if you
do
not want to mess with the registry and it is available at the link below
and
requires that you are using Service Pack 2. I highly recommend it and it
is
fairly easy to configure.

http://www.microsoft.com/windowsxp/sharedaccess/default.mspx

Now the bogus proxy will only prevent internet access via Internet
Explorer.
To stop the use of Instant Messenger you will need to find the executable
for it which should be shown in the properties of the shortcut and give
her
user account full control deny permissions to it. The link below explains
how to manage NTFS permissions assuming you are using the NTFS file
system.
You can restrict a non administrator user's access to any folder or file
on
the computer this way and should also do it for any other application she
is
using to access the internet. There is also a software firewall called
PortsLock that is reasonably priced that can have different firewall
rules
for each user on the computer that you may want to check out.

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418 --- NTFS
permissions
http://support.microsoft.com/?ID=307874 --- for XP Pro only on
disabling
simple file sharing.
http://www.portslock.com/ --- PortsLock

After you make changes logon as her user account and make sure that the
restrictions are in effect and she can do what she needs to do. Also make
sure that you have hard to guess passwords for all user accounts and in
particular administrator accounts. In XP Home the built in administrator
account is only available in Safe Mode and by default has a blank
password!
Another thing to do would be for you as an administrator to disable the
network adapter when she is on the computer. As a non administrator she
will
not be able to start it again. Go to Control Panel/network connections
and
right click your network adapter and select disable. Then when it is
needed
again you or another administrator can enable it again.

Having said all the above it is possible for any user who has full
physical
access to a computer to become administrator of it if they have the
skills.
So beware of that and often check that the password for the built in
administrator account has not been changed as that is the prime target.
Also
periodically check the membership of the power users and administrators
group to make sure it is what you expect. You can take steps to make it
much
harder for a user to become administrator such as configuring the
computer
cmos settings that you can often access by holding down delete or F2 when
the computer starts and making sure that the computer can only boot from
the
system hard drive and not a floppy, cdrom, etc., setting a password to
access cmos settings [don't forget it], and somehow locking the case to
prevent access to the inside so that a user can reset cmos settings.

Hopefully this will get you started.

Steve

Hi - my neice has kind of an internet addiction (especially with IM and
myspace) and this has led her into some other serious problems that we
are
addressing. For now, I need to be able to create a profile for her
that
has
absolutely no access to the internet. Once she has been through some
counseling, we'll probably want to let her back on again but with
additional
secuirity - I guess like netnanny. So my question for now is how can I
create or remove access to a program for a specific profile. I've
tried
to
do this through Set Program Access and Defaults - but when I add or
remove
it
seems to do it for the other accounts also. Also- does it need to be a
limited profile so that she can't make changes on her own. If it's
possible,
I do want her to be able to access files and pictures she has saved on
my
profile.

 

[Steven L Umbach]

I guess I should clarify a bit since this is your first time on newsgroups.
It is generally best to post to the original post but not to yourself.
Instead post to one or more who have replied to you that seems to be
offering advice that works or is helpful with you asking additional
questions or responses that are specific towards the advice they have given
so far such as for additional information or letting us know what did or did
not work. Also always let us know what version of XP you are using and what
service pack, if any, is installed as that is important information. You can
find that information in Control Panel/system/general.

Steve

Generally it is best to post a follow up question to the same original
post as a reply. That way we all can see the whole story and what current
advice has been offered from all those that reply and your progress if
any. If you want to ask a new question that is pretty much a different
topic then a new thread makes sense.

Steve

Steven - thanks so much - I'm going to check into all of these options.
I
like the toolkit idea because my nephew will also start using our
computer
this fall for an online college class - seems like it might keep things
in
good order too. This is the first time i've used newsgroups. If I have
any
follow up questions relating to this issue, should I just add an
additional
link to this one - or start a new thread?

Assuming she does not have administrator or power user access [which
will
need to be an absolute must] to the computer nor knows how to gain
administrator access you can configure a bogus proxy server for her user
profile by logging on as her and going to Internet Explorer
tools/internet
options/connections - lan settings and setting a the proxy server to be
127.0.0.1. Now if she can access that setting she can uncheck it though
you
can disable it for all users on the computer by adding the following
registry key if you are familiar with editing the registry.

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control
Panel\ConnectionsTab: 0x00000001

There is also a free Shared Computer Toolkit that Microsoft provides
that
you can install on your computer that will do a great job locking down a
user account including stopping most changes to the user profile if you
do
not want to mess with the registry and it is available at the link below
and
requires that you are using Service Pack 2. I highly recommend it and it
is
fairly easy to configure.

http://www.microsoft.com/windowsxp/sharedaccess/default.mspx

Now the bogus proxy will only prevent internet access via Internet
Explorer.
To stop the use of Instant Messenger you will need to find the
executable
for it which should be shown in the properties of the shortcut and give
her
user account full control deny permissions to it. The link below
explains
how to manage NTFS permissions assuming you are using the NTFS file
system.
You can restrict a non administrator user's access to any folder or file
on
the computer this way and should also do it for any other application
she is
using to access the internet. There is also a software firewall called
PortsLock that is reasonably priced that can have different firewall
rules
for each user on the computer that you may want to check out.

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418 --- NTFS
permissions
http://support.microsoft.com/?ID=307874 --- for XP Pro only on
disabling
simple file sharing.
http://www.portslock.com/ --- PortsLock

After you make changes logon as her user account and make sure that the
restrictions are in effect and she can do what she needs to do. Also
make
sure that you have hard to guess passwords for all user accounts and in
particular administrator accounts. In XP Home the built in administrator
account is only available in Safe Mode and by default has a blank
password!
Another thing to do would be for you as an administrator to disable the
network adapter when she is on the computer. As a non administrator she
will
not be able to start it again. Go to Control Panel/network connections
and
right click your network adapter and select disable. Then when it is
needed
again you or another administrator can enable it again.

Having said all the above it is possible for any user who has full
physical
access to a computer to become administrator of it if they have the
skills.
So beware of that and often check that the password for the built in
administrator account has not been changed as that is the prime target.
Also
periodically check the membership of the power users and administrators
group to make sure it is what you expect. You can take steps to make it
much
harder for a user to become administrator such as configuring the
computer
cmos settings that you can often access by holding down delete or F2
when
the computer starts and making sure that the computer can only boot from
the
system hard drive and not a floppy, cdrom, etc., setting a password to
access cmos settings [don't forget it], and somehow locking the case to
prevent access to the inside so that a user can reset cmos settings.

Hopefully this will get you started.

Steve

Hi - my neice has kind of an internet addiction (especially with IM
and
myspace) and this has led her into some other serious problems that we
are
addressing. For now, I need to be able to create a profile for her
that
has
absolutely no access to the internet. Once she has been through some
counseling, we'll probably want to let her back on again but with
additional
secuirity - I guess like netnanny. So my question for now is how can
I
create or remove access to a program for a specific profile. I've
tried
to
do this through Set Program Access and Defaults - but when I add or
remove
it
seems to do it for the other accounts also. Also- does it need to be
a
limited profile so that she can't make changes on her own. If it's
possible,
I do want her to be able to access files and pictures she has saved on
my
profile.