Hiding system folders on a shared computer

Hello, I am sharing a computer with my son and I want to hide some programs from him, mainly Steam games, but not only. I have managed to hide them from his start menu. He has a standard account, so I think on that front we are OK.

I have also managed to prevent him from accessing the control panel, and thus seeing the list of installed programs.

But I have a problem:

Windows explorer. I tried navigating from his account, and he can go into program files without any problem, he can even go into windows folder. He can not delete files, but he can run them. So, you know how kids are. He will see all the installed programs and try to run directly their .exe file. And even though he won't be able to launch Steam games, he will see a list of all installed games, and I want to prevent that from happening.

He can even go to "Start", type "witch" and a few seconds later he'll be able to see that we have The Witcher 2 installed on the computer. He won't be able to launch it if I activate Parental Controls, but the damage is done.

So, can anybody help me hiding certain folders (windows and program files) from a standard user explorer?

Thanks!
29 answers Last reply
More about hiding system folders shared computer
  1. If you have the Professional or Ultimate version of Windows 7 then you can use the Group Policy Editor (gpedit.msc) to greatly restrict what he can see. If you have one of those listed versions of Windows then I'll dig deeper and see if Group Policy will do what you need. Let me know.
  2. Hi! Thanks for your help. I do have Windows 7 x64 Ultimate, and it was precissely through group policies how I managed to hide the control panel and the backup drive from my son, but I found no policy to either hide system files and folders by default or restrict access to certain folders.

    But this is the first time I use these features, so I may be missing something.
  3. I checked under Administrative Templates and there doesn't seem to be what you want. Have you considered altering the privileges for the "Program Files" and "Program Files (x86)" folders? Just right-mouse click on them, left-click on Properties, then go to the Security Tab. Make sure only your userid has any access to them (besides the other built-in users, like SYSTEM, ALL APPLICATION PACKAGES, etc.). No "User", no "Everyone". Also select his userid and actually Deny Access to it. Do that for the Start Menu items like game shortcuts you don't want him to be able to run. He may be able to see them but he won't be able to run them. You can also do that to the main ".EXE" files of the games themselves. Just add his UserID and then put a checkmark in the "Deny" box.
  4. mbreslin1954 said:
    I checked under Administrative Templates and there doesn't seem to be what you want. Have you considered altering the privileges for the "Program Files" and "Program Files (x86)" folders? Just right-mouse click on them, left-click on Properties, then go to the Security Tab.


    Thanks! When I try to do that, I get two errors:

    1. Error Applying Security: An error occurred while applying security information to

    c:\Program Files (x86)

    Access is denied

    2. Windows Security: Unable to save permission changes on Program Files (x86)

    Access is denied

    --------------------------------------

    I got this when I tried to change permissions for my son's account on the program files folder (both of them) and on the windows folder.

    But I was successful when I tried with the NVIDIA folder.

    Are Program Files, Program Files (x86) and Windows folders special in that it is not possible to change permissions even as administrator?
  5. You might have to change permissions on those folders. Try it again, but this time when in the Security tab, click on "Advanced". Then, at the top of the Advanced window, where it lists the Owner, click the blue "Change" button and make yourself the owner. Click Apply and OK as many times as you need to. Make sure to put a checkmark in the box at the bottom which says "Replace all child object permission entries with inheritable permission entries from this object". Close out the Properties window. Then open it up again.

    Go back and make sure that your UserID has FULL permissions on that folder. It probably won't, so add yourself and give yourself FULL permissions.

    Then, after closing out the Properties window again, open it up again and list your son's UserID and then DENY him all access, even read access. Click OK enough times and close out the Properties window. That should do it.
  6. If the account in question isn't a member of the administrators group then it already can't interact with system files. Do not alter the permissions on such directories as "Program Files" & "Program Files (x86)". They're already protected.
  7. They're not protected from letting "Users" or "Everyone" read and execute, are they? I can't check mine because I altered mine in the past. That's what he wants, to disable his son from finding the executables to games and running them from Windows Explorer or the Start Search.
  8. Then it's dead simple. Remove "Computer", "Run", "Network", "Control Panel", etc. from the start menu, disable the ability to customize the start menu (so they can't be reenabled). Place shortcuts on the desktop of the account in question that point only to those programs allowed to be run, disable IE's ability to browse the local machine, & finally disable the ability to right-click on the desktop. There may be a couple I've missed but that'll lock things down without mucking about with the file/folder permissions (which will come back to bite you eventually).
  9. ex_bubblehead said:
    Then it's dead simple. Remove "Computer", "Run", "Network", "Control Panel", etc. from the start menu, disable the ability to customize the start menu (so they can't be reenabled). Place shortcuts on the desktop of the account in question that point only to those programs allowed to be run, disable IE's ability to browse the local machine, & finally disable the ability to right-click on the desktop. There may be a couple I've missed but that'll lock things down without mucking about with the file/folder permissions (which will come back to bite you eventually).


    I agree that fiddling with system folder permissions is dangerous, but I do not think that hiding shortcuts is going to be enough. From any explorer windows it is possible to go to Computer, and then C and Program Files.

    But that you said about disabling right click on the desktop is very interesting. How would I do that?
  10. Quote:
    ....From any explorer windows it is possible to go to Computer, and then C and Program Files....

    Not if you properly secure things. Example: Remove the search window from the bottom of the start menu and gone will be the ability to type "C:\" to open explorer.

    Everything I outlined is doable via GPO or the Policy Editor.

    Just bear in mind that the Policy Editor is an extremely powerful tool and that one can easily create a situation where even the built-in administrator account no longer has sufficient rights to manage the system.
  11. ex_bubblehead said:
    Quote:
    ....From any explorer windows it is possible to go to Computer, and then C and Program Files....

    Not if you properly secure things. Example: Remove the search window from the bottom of the start menu and gone will be the ability to type "C:\" to open explorer.


    But they can access their Documents folder, and from there they can access the Computer, can't they?
  12. mbreslin1954 said:
    You might have to change permissions on those folders. Try it again, but this time when in the Security tab, click on "Advanced". Then, at the top of the Advanced window, where it lists the Owner, click the blue "Change" button and make yourself the owner. Click Apply and OK as many times as you need to. Make sure to put a checkmark in the box at the bottom which says "Replace all child object permission entries with inheritable permission entries from this object". Close out the Properties window. Then open it up again.

    Go back and make sure that your UserID has FULL permissions on that folder. It probably won't, so add yourself and give yourself FULL permissions.

    Then, after closing out the Properties window again, open it up again and list your son's UserID and then DENY him all access, even read access. Click OK enough times and close out the Properties window. That should do it.


    Well, I did that. I hope it did not break anything in the system, because I do not think I can undo it that set the permissions the way they were before (trustedinstaller was the owner) :D.

    Anyway, it did work, but it is not useful at all. My son's account can not open any of those folders, but he can not launch any program either. I want him to be able to launch Firefox, Office, Plex, Foobar, Adobe Reader, and even some games. But since all those executables reside in Program Files folders, he gets and error when trying to launch them.

    So I played a bit with the permissions. The key permission is "List folder contents". That is the one I want on deny. But even with that single permission denied, he can not launch any program. It seems that "Read and execute" permission is somehow linked to the "List folder contents" permission, so if I add "Read and execute" permission to the allow column, it deselects "List folder contents" from the deny column, and vice versa. So I can either deny viewing contents or allow execution, but not both.
  13. ex_bubblehead said:


    OK! We are making progress! By hiding c my son can not see it on my computer, yet he can still browse his own documents, and of course, he can launch any program, provided he has access to the executable or a shortcut.

    But, if in the explorer, on the top bar, he writes "c:", he immediately gets access to C. Is there any way to prevent using that bar to write direct computer addresses?

    Also, as you said earlier, searching on the start menu gets results from C as well, so a simple "Steam" search, would grant him direct access to the Steam folder inside Program Files. How can I prevent this?

    And last, it is possible to navigate to C very easily through 7z graphical user interface. But I do not want to deny my son access to 7z. In fact, 7z is incredibly powerful. I have another drive, B, that I hid last week from my son's account through Group Policies. I not only hid it, but also prevented access. So right now, from my son's account, in explorer, in Computer, there is only the optical drive and D, which is the multimedia partition. But if I type "c:" I immediately get to C. But if I type "b:" I get an error pop up saying that the access has been prevented. That is great, except that from 7z I can perfectly open B and navigate, and delete backups to my heart's content.

    So, is there any way to prevent 7z from accessing a certain drive inside certain accounts?

    Gosh, just when I thought I was getting closer, all this 7z is a low blow.
  14. This is why you don't want to play with file/folder permissions without a complete understanding of how they interact. NTFS applies the most restrictive of permissions after all permissions are assembled. "Deny" trumps everything.

    Quote:
    ....So, is there any way to prevent 7z from accessing a certain drive inside certain accounts?....

    Simple, use the Policy Editor to deny run permission on the 7z executable. You cannot control what happens inside an application.
  15. "But I do not want to deny my son access to 7z."

    He doesn't want to deny his son access to 7z, so he doesn't want to deny him run permission on the 7z executable.

    Apertotes, it looks like you're going to have to make some compromises if you want to do what you originally wanted. Perhaps denying him access to 7z is a worthwhile price to pay.
  16. Well, I denied him access to 7zFM, which is the graphical interface. He can still compress and extract with the explorer right click shortcuts. But something estrange is happening. Even though he can not open 7zFM from the start menu (there is a pop up that says he does not have permission), if he chooses to open a compressed file instead of extracting, then the graphical UI of 7z opens up, and I have verified with Task Manager that it is indeed 7zFM.exe that has been launched.

    Anyway, that is a very specific case that I hope does not realistically happen.

    But I found a new problem: browsers. Both Firefox and IE can freely browse the computer. I have not tried Chrome, but chances are that it can also browse the computer. I looked for a Group Policy to prevent IE from browsing the computer, but did not find any. And of course, I do not know how to prevent that for Firefox and Chrome.
  17. ex_bubblehead said:
    This is why you don't want to play with file/folder permissions without a complete understanding of how they interact. NTFS applies the most restrictive of permissions after all permissions are assembled. "Deny" trumps everything.


    Yes, the pop up when changing permissions says that. The thing that surprised me is that I did not deny "Read", "Write" or "Execute" permissions. Those were left blank. I only marked "List folder contents". But that one permission by itself prevented also executing programs.
  18. For IE: http://www.pctools.com/guides/registry/detail/959/

    For Firefox: Yes, it can be done but it requires modifying some .jar files. Not recommended.

    For Chrome: No idea, you're on your own there.
  19. apertotes said:
    ex_bubblehead said:
    This is why you don't want to play with file/folder permissions without a complete understanding of how they interact. NTFS applies the most restrictive of permissions after all permissions are assembled. "Deny" trumps everything.


    Yes, the pop up when changing permissions says that. The thing that surprised me is that I did not deny "Read", "Write" or "Execute" permissions. Those were left blank. I only marked "List folder contents". But that one permission by itself prevented also executing programs.


    "List folder contents" embodies "Read" & "Execute" thus the "Deny" taking precedence. If you think about it for a moment, you can't read or execute anything in a directory unless you have access to the contents (list). NTFS permissions give even those of us that have been doing it for many years headaches.
  20. ex_bubblehead said:
    apertotes said:
    ex_bubblehead said:
    This is why you don't want to play with file/folder permissions without a complete understanding of how they interact. NTFS applies the most restrictive of permissions after all permissions are assembled. "Deny" trumps everything.


    Yes, the pop up when changing permissions says that. The thing that surprised me is that I did not deny "Read", "Write" or "Execute" permissions. Those were left blank. I only marked "List folder contents". But that one permission by itself prevented also executing programs.


    "List folder contents" embodies "Read" & "Execute" thus the "Deny" taking precedence. If you think about it for a moment, you can't read or execute anything in a directory unless you have access to the contents (list).


    True! I guess I understood it in a more literal way, like "listing". It is just so difficult to comprehend the difference between "Read" and "List folder contents" then. And also, without reading, it would be very difficult to write or to execute, and even to "List folder contents". It is so confusing!

    I have been looking for a way to prevent browsers from accessing local files, and it seems very difficult. I may end up uninstalling IE, which we do not use, but we rely heavily on both Firefox and Chrome. Damm, this is turning to be a much more difficult task than I though at the beginning.
  21. Quote:
    ....And also, without reading, it would be very difficult to write....

    Not at all. It's quite common to remove read, list, & execute permissions on a directory and leave only the write. Allows for such things as log files to be written in a directory that only the admins have full access to. There are also additional permissions (modify, delete) which are beyond what you are trying to do.

    Quote:
    Damm, this is turning to be a much more difficult task than I though at the beginning.

    Now you see why there are folks who make big bucks securing networks.
  22. Well, I am almost done. It has been quite difficult, but I think that I got most of what I wanted.

    Right now, my son's account is fully functional, with the following restrictions:

    1. Can not view or access B, which is our backup drive: this was achieved with two different actions. First, remove access and visibility to the drive on GPE, so that the drive would not appear on Computer. Second, deny all permissions to my son's account so that he could not access through browsers or 7z.

    2. Can not see installed programs or any serious configuration screen: this was achieved by only allowing certain control panel items show in GPE.

    3. Can not access Nvidia Geforce Experience and thus see the installed games: this one was very tricky. After much tinkering, I had to deny all permissions to my son's account on NGE folder. I will have to test this further to make sure that it does not screw anything with display acceleration and graphical performance.

    4. Can not access Steam folder on Program Files(x86): Again, I had to deny him permissions. I do not like this solution at all, but it was the only way I found to prevent internet browsers from accessing this folder. Also, it is not a complete solution, since it only hides Steam games. And also messes with my idea to get a Steam account for my son with his own games. But have not found a way to reliably hide the whole Program Files folder and still allow programs to run normally.

    5. Can not search files and folders in Start menu: Again, this is a setting in GPE. What a tool!

    6. Make all my messing as invisible as possible so that he does not suspect too much.

    -----------------------------------------------------------------------------------------------------------

    I am relatively happy with the current situation. But there are still a few loose ends that I would very much love to tie down:

    1. As I said, denying permissions on the Steam folder only hides Steam games, and prevents my son from using Steam at all, which is not ideal.

    2. Through a GPE setting I have made his control panel open always in small icons view, but it is very easy to change the view to Categories, which shows all the empty categories like "System", "Programs", "Hardware and sound", etc, making it too obvious that there is something fishy.

    Thanks a lot to everybody for your input, and specially ex_bubblehead for his constant feedback and for directing me away from the permissions nightmare.
  23. You might want to play around with where Steam games are installed. I remember a number of years back, when I first got my SSD, I had too many games installed and decided to install them on my "D" drive, since my SSD was not very large. This worked out quite well.

    You shouldn't have to prevent your son from running Steam. If you give him his own account, then he can only log on as himself (change your Steam password if needed). When you install one of his Steam games, just set the install directory to something other than Programs (x86), and he should have full access to that folder (where only HIS Steam games are installed). With his own account he should only see his games anyway.
  24. But for that I would have to install another instance of Steam, right? Because right now he can not even run the Steam launcher.
  25. With the cheap prices on lower end off lease systems these days the best method would be to buy him a cheap used system to use instead of sharing yours !
  26. JDFan said:
    With the cheap prices on lower end off lease systems these days the best method would be to buy him a cheap used system to use instead of sharing yours !


    He has to earn it! ;)
  27. Uninstall Steam and re-install it, only when installing it change the directory to something different than "Program Files (x86)". This would allow him to run it, assuming you continue to keep him out of Program Files (x86). Now he'll be able to run steam, but he will only be able to log on to his own account.

    From what I've read about Steam's new feature to allow family members to share games, you would not have to buy him his own copy of games that you already own and that he is permitted to play.
  28. So, what you mean is to re-install Steam in a folder he has access to, say, D:\Steam, but keep all my installed games in a folder he can not access, like for example, B:\Apertotes_Steam_games.

    Then create a Steam account for him, and share my games so that he installs them in his own D:\Steam\Steamapps.

    That looks like a great plan! Only thing is that I believe that what you share in steam is your collection, not a certain game. I'll look into it.

    Now that I think about it, it also has the inconvenience that to share games in Steam we need to be friends, and that means he'll be able to see my whole collection. It is not the end of the world, but that would mean having lots of discussions about games that I feel he is not ready to play but he wants to, which is completely understandable, since I also wanted to do those things when I was a kid.

    But what is worse, is that then most of the time I spent on this issue would be moot! :-) So much time reading the details for tens of group policies and trying to prevent browsers from reading local files to be able to hide my collection of games from him, only to share it through Steam ;-) It would be hilarious!
Ask a new question

Read More

User Accounts Hidden Files Windows 7