Hiding system folders on a shared computer

Hi! Thanks for your help. I do have Windows 7 x64 Ultimate, and it was precissely through group policies how I managed to hide the control panel and the backup drive from my son, but I found no policy to either hide system files and folders by default or restrict access to certain folders.

But this is the first time I use these features, so I may be missing something.

Thanks! When I try to do that, I get two errors:

1. Error Applying Security: An error occurred while applying security information to

c:\Program Files (x86)

Access is denied

2. Windows Security: Unable to save permission changes on Program Files (x86)

Access is denied

--------------------------------------

I got this when I tried to change permissions for my son's account on the program files folder (both of them) and on the windows folder.

But I was successful when I tried with the NVIDIA folder.

Are Program Files, Program Files (x86) and Windows folders special in that it is not possible to change permissions even as administrator?

I agree that fiddling with system folder permissions is dangerous, but I do not think that hiding shortcuts is going to be enough. From any explorer windows it is possible to go to Computer, and then C and Program Files.

But that you said about disabling right click on the desktop is very interesting. How would I do that?

But they can access their Documents folder, and from there they can access the Computer, can't they?

Well, I did that. I hope it did not break anything in the system, because I do not think I can undo it that set the permissions the way they were before (trustedinstaller was the owner) .

Anyway, it did work, but it is not useful at all. My son's account can not open any of those folders, but he can not launch any program either. I want him to be able to launch Firefox, Office, Plex, Foobar, Adobe Reader, and even some games. But since all those executables reside in Program Files folders, he gets and error when trying to launch them.

So I played a bit with the permissions. The key permission is "List folder contents". That is the one I want on deny. But even with that single permission denied, he can not launch any program. It seems that "Read and execute" permission is somehow linked to the "List folder contents" permission, so if I add "Read and execute" permission to the allow column, it deselects "List folder contents" from the deny column, and vice versa. So I can either deny viewing contents or allow execution, but not both.

OK! We are making progress! By hiding c my son can not see it on my computer, yet he can still browse his own documents, and of course, he can launch any program, provided he has access to the executable or a shortcut.

But, if in the explorer, on the top bar, he writes "c:", he immediately gets access to C. Is there any way to prevent using that bar to write direct computer addresses?

Also, as you said earlier, searching on the start menu gets results from C as well, so a simple "Steam" search, would grant him direct access to the Steam folder inside Program Files. How can I prevent this?

And last, it is possible to navigate to C very easily through 7z graphical user interface. But I do not want to deny my son access to 7z. In fact, 7z is incredibly powerful. I have another drive, B, that I hid last week from my son's account through Group Policies. I not only hid it, but also prevented access. So right now, from my son's account, in explorer, in Computer, there is only the optical drive and D, which is the multimedia partition. But if I type "c:" I immediately get to C. But if I type "b:" I get an error pop up saying that the access has been prevented. That is great, except that from 7z I can perfectly open B and navigate, and delete backups to my heart's content.

So, is there any way to prevent 7z from accessing a certain drive inside certain accounts?

Gosh, just when I thought I was getting closer, all this 7z is a low blow.

Well, I denied him access to 7zFM, which is the graphical interface. He can still compress and extract with the explorer right click shortcuts. But something estrange is happening. Even though he can not open 7zFM from the start menu (there is a pop up that says he does not have permission), if he chooses to open a compressed file instead of extracting, then the graphical UI of 7z opens up, and I have verified with Task Manager that it is indeed 7zFM.exe that has been launched.

Anyway, that is a very specific case that I hope does not realistically happen.

But I found a new problem: browsers. Both Firefox and IE can freely browse the computer. I have not tried Chrome, but chances are that it can also browse the computer. I looked for a Group Policy to prevent IE from browsing the computer, but did not find any. And of course, I do not know how to prevent that for Firefox and Chrome.

Yes, the pop up when changing permissions says that. The thing that surprised me is that I did not deny "Read", "Write" or "Execute" permissions. Those were left blank. I only marked "List folder contents". But that one permission by itself prevented also executing programs.

True! I guess I understood it in a more literal way, like "listing". It is just so difficult to comprehend the difference between "Read" and "List folder contents" then. And also, without reading, it would be very difficult to write or to execute, and even to "List folder contents". It is so confusing!

I have been looking for a way to prevent browsers from accessing local files, and it seems very difficult. I may end up uninstalling IE, which we do not use, but we rely heavily on both Firefox and Chrome. Damm, this is turning to be a much more difficult task than I though at the beginning.

Well, I am almost done. It has been quite difficult, but I think that I got most of what I wanted.

Right now, my son's account is fully functional, with the following restrictions:

1. Can not view or access B, which is our backup drive: this was achieved with two different actions. First, remove access and visibility to the drive on GPE, so that the drive would not appear on Computer. Second, deny all permissions to my son's account so that he could not access through browsers or 7z.

2. Can not see installed programs or any serious configuration screen: this was achieved by only allowing certain control panel items show in GPE.

3. Can not access Nvidia Geforce Experience and thus see the installed games: this one was very tricky. After much tinkering, I had to deny all permissions to my son's account on NGE folder. I will have to test this further to make sure that it does not screw anything with display acceleration and graphical performance.

4. Can not access Steam folder on Program Files(x86): Again, I had to deny him permissions. I do not like this solution at all, but it was the only way I found to prevent internet browsers from accessing this folder. Also, it is not a complete solution, since it only hides Steam games. And also messes with my idea to get a Steam account for my son with his own games. But have not found a way to reliably hide the whole Program Files folder and still allow programs to run normally.

5. Can not search files and folders in Start menu: Again, this is a setting in GPE. What a tool!

6. Make all my messing as invisible as possible so that he does not suspect too much.

-----------------------------------------------------------------------------------------------------------

I am relatively happy with the current situation. But there are still a few loose ends that I would very much love to tie down:

1. As I said, denying permissions on the Steam folder only hides Steam games, and prevents my son from using Steam at all, which is not ideal.

2. Through a GPE setting I have made his control panel open always in small icons view, but it is very easy to change the view to Categories, which shows all the empty categories like "System", "Programs", "Hardware and sound", etc, making it too obvious that there is something fishy.

Thanks a lot to everybody for your input, and specially ex_bubblehead for his constant feedback and for directing me away from the permissions nightmare.