Sign in with
Sign up | Sign in
Your question

different user groups with different security settings and..

Last response: in Windows XP
Share
Anonymous
a b 8 Security
August 7, 2005 8:43:47 PM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.windowsxp.security_admin (More info?)

My machine is a standalone machine without any AD setting.
I am planning to set different user groups with different security settings
and windows environment.
From gpedit.msc, there are only Windows Setting->Local
Policies->UserRightAssignments and Windows Setting->Local Policies->Security
Options working with User Groups. The other policies affecting all users.
I need the very tight security user group for working only with one or two
banking web sites, no other application runs, no application can be install,
and no communication to other sites. Limited ports. The cleaning process
should run during login and logout. The point is to avoid the backdoor and
keylogger.
Another user group for general usage, like accessing chatroom site, ICQ,
YIM, game.

How can I do this?
Any suggestion on setting user groups to acheive security?
Thanx a lot
Anonymous
a b 8 Security
August 8, 2005 2:25:19 AM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.windowsxp.security_admin (More info?)

What OS ? This is more approachable with XP Pro than it is with
Windows 2000, mostly due to the addition of Software Restriction
Policy in XP and later.
However, local policy (i.e. stand-alone) is always applied equally
to all accounts. User and group selectivity is a domain feature.
There is a workaround, a very tedious workaround, for which one
must plan carefully what policies are to be in effect for which accounts.
In general I do not recommend it.
Also, most things effected by local policy can be done with registry
settings - and there are third-party tools to assist. You might want to
look at Doug's little app for this (www.dougknox.com).
Finally, from what you have said it almost sound like what you could
do is to change the default shell from Explorer for the couple accounts
that are to be restricted to only accessing the bank web sites.

--
Roger Abell
Microsoft MVP (Windows Security)

"dh" <a@mail.com> wrote in message
news:e3lvZn6mFHA.3960@TK2MSFTNGP12.phx.gbl...
> My machine is a standalone machine without any AD setting.
> I am planning to set different user groups with different security
settings
> and windows environment.
> From gpedit.msc, there are only Windows Setting->Local
> Policies->UserRightAssignments and Windows Setting->Local
Policies->Security
> Options working with User Groups. The other policies affecting all users.
> I need the very tight security user group for working only with one or two
> banking web sites, no other application runs, no application can be
install,
> and no communication to other sites. Limited ports. The cleaning process
> should run during login and logout. The point is to avoid the backdoor and
> keylogger.
> Another user group for general usage, like accessing chatroom site, ICQ,
> YIM, game.
>
> How can I do this?
> Any suggestion on setting user groups to acheive security?
> Thanx a lot
>
>
Anonymous
a b 8 Security
August 8, 2005 3:39:47 AM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.windowsxp.security_admin (More info?)

The OS is WinXP Pro.
So, will you suggest I promote my standalone PC to a standalone Domain
Controller in order to configure the specific group security requirement?
What is the default shell for IE? How can I access and change it?

By the way, if I get internet access by wireless router, which has several
PC connect to it, which parameters should I set to ensure the other PC
connect to the same router cannot invade my privacy?
Can I use both cable access and wireless access at the same time to
accerlerate the data rate?
Thanx


"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:o BcXNm9mFHA.1480@TK2MSFTNGP10.phx.gbl...
> What OS ? This is more approachable with XP Pro than it is with
> Windows 2000, mostly due to the addition of Software Restriction
> Policy in XP and later.
> However, local policy (i.e. stand-alone) is always applied equally
> to all accounts. User and group selectivity is a domain feature.
> There is a workaround, a very tedious workaround, for which one
> must plan carefully what policies are to be in effect for which accounts.
> In general I do not recommend it.
> Also, most things effected by local policy can be done with registry
> settings - and there are third-party tools to assist. You might want to
> look at Doug's little app for this (www.dougknox.com).
> Finally, from what you have said it almost sound like what you could
> do is to change the default shell from Explorer for the couple accounts
> that are to be restricted to only accessing the bank web sites.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
>
> "dh" <a@mail.com> wrote in message
> news:e3lvZn6mFHA.3960@TK2MSFTNGP12.phx.gbl...
>> My machine is a standalone machine without any AD setting.
>> I am planning to set different user groups with different security
> settings
>> and windows environment.
>> From gpedit.msc, there are only Windows Setting->Local
>> Policies->UserRightAssignments and Windows Setting->Local
> Policies->Security
>> Options working with User Groups. The other policies affecting all users.
>> I need the very tight security user group for working only with one or
>> two
>> banking web sites, no other application runs, no application can be
> install,
>> and no communication to other sites. Limited ports. The cleaning process
>> should run during login and logout. The point is to avoid the backdoor
>> and
>> keylogger.
>> Another user group for general usage, like accessing chatroom site, ICQ,
>> YIM, game.
>>
>> How can I do this?
>> Any suggestion on setting user groups to acheive security?
>> Thanx a lot
>>
>>
>
>
Related resources
August 8, 2005 12:22:02 PM

Archived from groups: microsoft.public.security,microsoft.public.windowsxp.security_admin,microsoft.public.security.homeusers (More info?)

Using both cable and wireless access at the same time won't accelerate the
data rate. To ensure your "privacy", there are many fatcors to consider, and
I would think that one who really wants to invade your "privacy" will be able
to succeed. Try to see if you can isolate a LAN port on your router.
Otherwise, make sure the local security policy and user rights block all
access through the network to your computer. Put a password on your admin
account (a complex one) and disable the guest account. These are basics....

Finally I think promoting your PC to DC is like putting a V8 in a golf cart
;-)

You might want to take a look at the Internet Explorer Admin Kit...(IEAK)

"dh" wrote:

> The OS is WinXP Pro.
> So, will you suggest I promote my standalone PC to a standalone Domain
> Controller in order to configure the specific group security requirement?
> What is the default shell for IE? How can I access and change it?
>
> By the way, if I get internet access by wireless router, which has several
> PC connect to it, which parameters should I set to ensure the other PC
> connect to the same router cannot invade my privacy?
> Can I use both cable access and wireless access at the same time to
> accerlerate the data rate?
> Thanx
>
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:o BcXNm9mFHA.1480@TK2MSFTNGP10.phx.gbl...
> > What OS ? This is more approachable with XP Pro than it is with
> > Windows 2000, mostly due to the addition of Software Restriction
> > Policy in XP and later.
> > However, local policy (i.e. stand-alone) is always applied equally
> > to all accounts. User and group selectivity is a domain feature.
> > There is a workaround, a very tedious workaround, for which one
> > must plan carefully what policies are to be in effect for which accounts.
> > In general I do not recommend it.
> > Also, most things effected by local policy can be done with registry
> > settings - and there are third-party tools to assist. You might want to
> > look at Doug's little app for this (www.dougknox.com).
> > Finally, from what you have said it almost sound like what you could
> > do is to change the default shell from Explorer for the couple accounts
> > that are to be restricted to only accessing the bank web sites.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> >
> > "dh" <a@mail.com> wrote in message
> > news:e3lvZn6mFHA.3960@TK2MSFTNGP12.phx.gbl...
> >> My machine is a standalone machine without any AD setting.
> >> I am planning to set different user groups with different security
> > settings
> >> and windows environment.
> >> From gpedit.msc, there are only Windows Setting->Local
> >> Policies->UserRightAssignments and Windows Setting->Local
> > Policies->Security
> >> Options working with User Groups. The other policies affecting all users.
> >> I need the very tight security user group for working only with one or
> >> two
> >> banking web sites, no other application runs, no application can be
> > install,
> >> and no communication to other sites. Limited ports. The cleaning process
> >> should run during login and logout. The point is to avoid the backdoor
> >> and
> >> keylogger.
> >> Another user group for general usage, like accessing chatroom site, ICQ,
> >> YIM, game.
> >>
> >> How can I do this?
> >> Any suggestion on setting user groups to acheive security?
> >> Thanx a lot
> >>
> >>
> >
> >
>
>
>
Anonymous
a b 8 Security
August 8, 2005 2:56:02 PM

Archived from groups: microsoft.public.security,microsoft.public.windowsxp.security_admin,microsoft.public.security.homeusers (More info?)

How come the data rate wont accerlerate if I have two internet access
account from the same ISP?
The bandwidth should be doubled.
The problem is how to configure these two PCI network card correctly.
Thanx

"Pickle" <Pickle@discussions.microsoft.com> wrote in message
news:2D98F6F9-F006-434F-9AF6-74E6011A8164@microsoft.com...
> Using both cable and wireless access at the same time won't accelerate the
> data rate. To ensure your "privacy", there are many fatcors to consider,
> and
> I would think that one who really wants to invade your "privacy" will be
> able
> to succeed. Try to see if you can isolate a LAN port on your router.
> Otherwise, make sure the local security policy and user rights block all
> access through the network to your computer. Put a password on your admin
> account (a complex one) and disable the guest account. These are
> basics....
>
> Finally I think promoting your PC to DC is like putting a V8 in a golf
> cart
> ;-)
>
> You might want to take a look at the Internet Explorer Admin Kit...(IEAK)
>
> "dh" wrote:
>
>> The OS is WinXP Pro.
>> So, will you suggest I promote my standalone PC to a standalone Domain
>> Controller in order to configure the specific group security requirement?
>> What is the default shell for IE? How can I access and change it?
>>
>> By the way, if I get internet access by wireless router, which has
>> several
>> PC connect to it, which parameters should I set to ensure the other PC
>> connect to the same router cannot invade my privacy?
>> Can I use both cable access and wireless access at the same time to
>> accerlerate the data rate?
>> Thanx
>>
>>
>> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> news:o BcXNm9mFHA.1480@TK2MSFTNGP10.phx.gbl...
>> > What OS ? This is more approachable with XP Pro than it is with
>> > Windows 2000, mostly due to the addition of Software Restriction
>> > Policy in XP and later.
>> > However, local policy (i.e. stand-alone) is always applied equally
>> > to all accounts. User and group selectivity is a domain feature.
>> > There is a workaround, a very tedious workaround, for which one
>> > must plan carefully what policies are to be in effect for which
>> > accounts.
>> > In general I do not recommend it.
>> > Also, most things effected by local policy can be done with registry
>> > settings - and there are third-party tools to assist. You might want
>> > to
>> > look at Doug's little app for this (www.dougknox.com).
>> > Finally, from what you have said it almost sound like what you could
>> > do is to change the default shell from Explorer for the couple accounts
>> > that are to be restricted to only accessing the bank web sites.
>> >
>> > --
>> > Roger Abell
>> > Microsoft MVP (Windows Security)
>> >
>> > "dh" <a@mail.com> wrote in message
>> > news:e3lvZn6mFHA.3960@TK2MSFTNGP12.phx.gbl...
>> >> My machine is a standalone machine without any AD setting.
>> >> I am planning to set different user groups with different security
>> > settings
>> >> and windows environment.
>> >> From gpedit.msc, there are only Windows Setting->Local
>> >> Policies->UserRightAssignments and Windows Setting->Local
>> > Policies->Security
>> >> Options working with User Groups. The other policies affecting all
>> >> users.
>> >> I need the very tight security user group for working only with one or
>> >> two
>> >> banking web sites, no other application runs, no application can be
>> > install,
>> >> and no communication to other sites. Limited ports. The cleaning
>> >> process
>> >> should run during login and logout. The point is to avoid the backdoor
>> >> and
>> >> keylogger.
>> >> Another user group for general usage, like accessing chatroom site,
>> >> ICQ,
>> >> YIM, game.
>> >>
>> >> How can I do this?
>> >> Any suggestion on setting user groups to acheive security?
>> >> Thanx a lot
>> >>
>> >>
>> >
>> >
>>
>>
>>
Anonymous
a b 8 Security
August 8, 2005 9:30:09 PM

Archived from groups: microsoft.public.security,microsoft.public.windowsxp.security_admin,microsoft.public.security.homeusers (More info?)

dh wrote:
> How come the data rate wont accerlerate if I have two internet access
> account from the same ISP?
> The bandwidth should be doubled.
> The problem is how to configure these two PCI network card correctly.

Think of it this way..
Yes - you have two "pipes" coming into your machine, each of these "pipes"
even comes from the same "supplier".. BUT..

You have one computer and (by design) that one computer can request stuff
from either "Pipe1" or "Pipe2", but not both at the same time.

While there are dial-up modems/applications out there for them that allows
you to "bind" the two modems together, to my knowledge there is nothing like
that for Network Cards... Yet.

I can see the reasoning.. For a quick example, I can get 5Mbit down,
768Kbit up for $49.99/month. If I wanted 10Mbit down and 1.5Mbit up, the
price would do more than double - that is for sure. So being able to link
my two connections together - even with a one-time hardware purchase or
software purchase would be FANTASTIC. And if there is such a thing out
there - publicize it here - but I do not know about it.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
Anonymous
a b 8 Security
August 9, 2005 3:10:00 AM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.windowsxp.security_admin (More info?)

Well, you would need to purchase Server in order to have a domain.

I am not sure if there is or is not something out there to aggregate
bandwidth between a cable and a wireless interface. In modem days
there was ability to do so and in higher end network cards this is
possible - but those are not the interfaces you have.

From the range of your questions I feel that you may be getting in
too deeply if you were to try altering the default shell for those
accounts. Explorer is the normal default shell, not IE.

The best way to protect your machine is to use a firewall,
to keep it up-to-date on patches, and to keep those at the
keyboard using a limited user account with sanity in their
actions.

--
Roger Abell
Microsoft MVP (Windows Security)

"dh" <a@mail.com> wrote in message
news:uuIW9P%23mFHA.2180@TK2MSFTNGP15.phx.gbl...
> The OS is WinXP Pro.
> So, will you suggest I promote my standalone PC to a standalone Domain
> Controller in order to configure the specific group security requirement?
> What is the default shell for IE? How can I access and change it?
>
> By the way, if I get internet access by wireless router, which has several
> PC connect to it, which parameters should I set to ensure the other PC
> connect to the same router cannot invade my privacy?
> Can I use both cable access and wireless access at the same time to
> accerlerate the data rate?
> Thanx
>
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:o BcXNm9mFHA.1480@TK2MSFTNGP10.phx.gbl...
> > What OS ? This is more approachable with XP Pro than it is with
> > Windows 2000, mostly due to the addition of Software Restriction
> > Policy in XP and later.
> > However, local policy (i.e. stand-alone) is always applied equally
> > to all accounts. User and group selectivity is a domain feature.
> > There is a workaround, a very tedious workaround, for which one
> > must plan carefully what policies are to be in effect for which
accounts.
> > In general I do not recommend it.
> > Also, most things effected by local policy can be done with registry
> > settings - and there are third-party tools to assist. You might want to
> > look at Doug's little app for this (www.dougknox.com).
> > Finally, from what you have said it almost sound like what you could
> > do is to change the default shell from Explorer for the couple accounts
> > that are to be restricted to only accessing the bank web sites.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> >
> > "dh" <a@mail.com> wrote in message
> > news:e3lvZn6mFHA.3960@TK2MSFTNGP12.phx.gbl...
> >> My machine is a standalone machine without any AD setting.
> >> I am planning to set different user groups with different security
> > settings
> >> and windows environment.
> >> From gpedit.msc, there are only Windows Setting->Local
> >> Policies->UserRightAssignments and Windows Setting->Local
> > Policies->Security
> >> Options working with User Groups. The other policies affecting all
users.
> >> I need the very tight security user group for working only with one or
> >> two
> >> banking web sites, no other application runs, no application can be
> > install,
> >> and no communication to other sites. Limited ports. The cleaning
process
> >> should run during login and logout. The point is to avoid the backdoor
> >> and
> >> keylogger.
> >> Another user group for general usage, like accessing chatroom site,
ICQ,
> >> YIM, game.
> >>
> >> How can I do this?
> >> Any suggestion on setting user groups to acheive security?
> >> Thanx a lot
> >>
> >>
> >
> >
>
>
!