different user groups with different security settings and..

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.windowsxp.security_admin (More info?)

My machine is a standalone machine without any AD setting.
I am planning to set different user groups with different security settings
and windows environment.
From gpedit.msc, there are only Windows Setting->Local
Policies->UserRightAssignments and Windows Setting->Local Policies->Security
Options working with User Groups. The other policies affecting all users.
I need the very tight security user group for working only with one or two
banking web sites, no other application runs, no application can be install,
and no communication to other sites. Limited ports. The cleaning process
should run during login and logout. The point is to avoid the backdoor and
keylogger.
Another user group for general usage, like accessing chatroom site, ICQ,
YIM, game.

How can I do this?
Any suggestion on setting user groups to acheive security?
Thanx a lot
6 answers Last reply
More about different user groups security settings
  1. Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.windowsxp.security_admin (More info?)

    What OS ? This is more approachable with XP Pro than it is with
    Windows 2000, mostly due to the addition of Software Restriction
    Policy in XP and later.
    However, local policy (i.e. stand-alone) is always applied equally
    to all accounts. User and group selectivity is a domain feature.
    There is a workaround, a very tedious workaround, for which one
    must plan carefully what policies are to be in effect for which accounts.
    In general I do not recommend it.
    Also, most things effected by local policy can be done with registry
    settings - and there are third-party tools to assist. You might want to
    look at Doug's little app for this (www.dougknox.com).
    Finally, from what you have said it almost sound like what you could
    do is to change the default shell from Explorer for the couple accounts
    that are to be restricted to only accessing the bank web sites.

    --
    Roger Abell
    Microsoft MVP (Windows Security)

    "dh" <a@mail.com> wrote in message
    news:e3lvZn6mFHA.3960@TK2MSFTNGP12.phx.gbl...
    > My machine is a standalone machine without any AD setting.
    > I am planning to set different user groups with different security
    settings
    > and windows environment.
    > From gpedit.msc, there are only Windows Setting->Local
    > Policies->UserRightAssignments and Windows Setting->Local
    Policies->Security
    > Options working with User Groups. The other policies affecting all users.
    > I need the very tight security user group for working only with one or two
    > banking web sites, no other application runs, no application can be
    install,
    > and no communication to other sites. Limited ports. The cleaning process
    > should run during login and logout. The point is to avoid the backdoor and
    > keylogger.
    > Another user group for general usage, like accessing chatroom site, ICQ,
    > YIM, game.
    >
    > How can I do this?
    > Any suggestion on setting user groups to acheive security?
    > Thanx a lot
    >
    >
  2. Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.windowsxp.security_admin (More info?)

    The OS is WinXP Pro.
    So, will you suggest I promote my standalone PC to a standalone Domain
    Controller in order to configure the specific group security requirement?
    What is the default shell for IE? How can I access and change it?

    By the way, if I get internet access by wireless router, which has several
    PC connect to it, which parameters should I set to ensure the other PC
    connect to the same router cannot invade my privacy?
    Can I use both cable access and wireless access at the same time to
    accerlerate the data rate?
    Thanx


    "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    news:OBcXNm9mFHA.1480@TK2MSFTNGP10.phx.gbl...
    > What OS ? This is more approachable with XP Pro than it is with
    > Windows 2000, mostly due to the addition of Software Restriction
    > Policy in XP and later.
    > However, local policy (i.e. stand-alone) is always applied equally
    > to all accounts. User and group selectivity is a domain feature.
    > There is a workaround, a very tedious workaround, for which one
    > must plan carefully what policies are to be in effect for which accounts.
    > In general I do not recommend it.
    > Also, most things effected by local policy can be done with registry
    > settings - and there are third-party tools to assist. You might want to
    > look at Doug's little app for this (www.dougknox.com).
    > Finally, from what you have said it almost sound like what you could
    > do is to change the default shell from Explorer for the couple accounts
    > that are to be restricted to only accessing the bank web sites.
    >
    > --
    > Roger Abell
    > Microsoft MVP (Windows Security)
    >
    > "dh" <a@mail.com> wrote in message
    > news:e3lvZn6mFHA.3960@TK2MSFTNGP12.phx.gbl...
    >> My machine is a standalone machine without any AD setting.
    >> I am planning to set different user groups with different security
    > settings
    >> and windows environment.
    >> From gpedit.msc, there are only Windows Setting->Local
    >> Policies->UserRightAssignments and Windows Setting->Local
    > Policies->Security
    >> Options working with User Groups. The other policies affecting all users.
    >> I need the very tight security user group for working only with one or
    >> two
    >> banking web sites, no other application runs, no application can be
    > install,
    >> and no communication to other sites. Limited ports. The cleaning process
    >> should run during login and logout. The point is to avoid the backdoor
    >> and
    >> keylogger.
    >> Another user group for general usage, like accessing chatroom site, ICQ,
    >> YIM, game.
    >>
    >> How can I do this?
    >> Any suggestion on setting user groups to acheive security?
    >> Thanx a lot
    >>
    >>
    >
    >
  3. Archived from groups: microsoft.public.security,microsoft.public.windowsxp.security_admin,microsoft.public.security.homeusers (More info?)

    Using both cable and wireless access at the same time won't accelerate the
    data rate. To ensure your "privacy", there are many fatcors to consider, and
    I would think that one who really wants to invade your "privacy" will be able
    to succeed. Try to see if you can isolate a LAN port on your router.
    Otherwise, make sure the local security policy and user rights block all
    access through the network to your computer. Put a password on your admin
    account (a complex one) and disable the guest account. These are basics....

    Finally I think promoting your PC to DC is like putting a V8 in a golf cart
    ;-)

    You might want to take a look at the Internet Explorer Admin Kit...(IEAK)

    "dh" wrote:

    > The OS is WinXP Pro.
    > So, will you suggest I promote my standalone PC to a standalone Domain
    > Controller in order to configure the specific group security requirement?
    > What is the default shell for IE? How can I access and change it?
    >
    > By the way, if I get internet access by wireless router, which has several
    > PC connect to it, which parameters should I set to ensure the other PC
    > connect to the same router cannot invade my privacy?
    > Can I use both cable access and wireless access at the same time to
    > accerlerate the data rate?
    > Thanx
    >
    >
    > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > news:OBcXNm9mFHA.1480@TK2MSFTNGP10.phx.gbl...
    > > What OS ? This is more approachable with XP Pro than it is with
    > > Windows 2000, mostly due to the addition of Software Restriction
    > > Policy in XP and later.
    > > However, local policy (i.e. stand-alone) is always applied equally
    > > to all accounts. User and group selectivity is a domain feature.
    > > There is a workaround, a very tedious workaround, for which one
    > > must plan carefully what policies are to be in effect for which accounts.
    > > In general I do not recommend it.
    > > Also, most things effected by local policy can be done with registry
    > > settings - and there are third-party tools to assist. You might want to
    > > look at Doug's little app for this (www.dougknox.com).
    > > Finally, from what you have said it almost sound like what you could
    > > do is to change the default shell from Explorer for the couple accounts
    > > that are to be restricted to only accessing the bank web sites.
    > >
    > > --
    > > Roger Abell
    > > Microsoft MVP (Windows Security)
    > >
    > > "dh" <a@mail.com> wrote in message
    > > news:e3lvZn6mFHA.3960@TK2MSFTNGP12.phx.gbl...
    > >> My machine is a standalone machine without any AD setting.
    > >> I am planning to set different user groups with different security
    > > settings
    > >> and windows environment.
    > >> From gpedit.msc, there are only Windows Setting->Local
    > >> Policies->UserRightAssignments and Windows Setting->Local
    > > Policies->Security
    > >> Options working with User Groups. The other policies affecting all users.
    > >> I need the very tight security user group for working only with one or
    > >> two
    > >> banking web sites, no other application runs, no application can be
    > > install,
    > >> and no communication to other sites. Limited ports. The cleaning process
    > >> should run during login and logout. The point is to avoid the backdoor
    > >> and
    > >> keylogger.
    > >> Another user group for general usage, like accessing chatroom site, ICQ,
    > >> YIM, game.
    > >>
    > >> How can I do this?
    > >> Any suggestion on setting user groups to acheive security?
    > >> Thanx a lot
    > >>
    > >>
    > >
    > >
    >
    >
    >
  4. Archived from groups: microsoft.public.security,microsoft.public.windowsxp.security_admin,microsoft.public.security.homeusers (More info?)

    How come the data rate wont accerlerate if I have two internet access
    account from the same ISP?
    The bandwidth should be doubled.
    The problem is how to configure these two PCI network card correctly.
    Thanx

    "Pickle" <Pickle@discussions.microsoft.com> wrote in message
    news:2D98F6F9-F006-434F-9AF6-74E6011A8164@microsoft.com...
    > Using both cable and wireless access at the same time won't accelerate the
    > data rate. To ensure your "privacy", there are many fatcors to consider,
    > and
    > I would think that one who really wants to invade your "privacy" will be
    > able
    > to succeed. Try to see if you can isolate a LAN port on your router.
    > Otherwise, make sure the local security policy and user rights block all
    > access through the network to your computer. Put a password on your admin
    > account (a complex one) and disable the guest account. These are
    > basics....
    >
    > Finally I think promoting your PC to DC is like putting a V8 in a golf
    > cart
    > ;-)
    >
    > You might want to take a look at the Internet Explorer Admin Kit...(IEAK)
    >
    > "dh" wrote:
    >
    >> The OS is WinXP Pro.
    >> So, will you suggest I promote my standalone PC to a standalone Domain
    >> Controller in order to configure the specific group security requirement?
    >> What is the default shell for IE? How can I access and change it?
    >>
    >> By the way, if I get internet access by wireless router, which has
    >> several
    >> PC connect to it, which parameters should I set to ensure the other PC
    >> connect to the same router cannot invade my privacy?
    >> Can I use both cable access and wireless access at the same time to
    >> accerlerate the data rate?
    >> Thanx
    >>
    >>
    >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    >> news:OBcXNm9mFHA.1480@TK2MSFTNGP10.phx.gbl...
    >> > What OS ? This is more approachable with XP Pro than it is with
    >> > Windows 2000, mostly due to the addition of Software Restriction
    >> > Policy in XP and later.
    >> > However, local policy (i.e. stand-alone) is always applied equally
    >> > to all accounts. User and group selectivity is a domain feature.
    >> > There is a workaround, a very tedious workaround, for which one
    >> > must plan carefully what policies are to be in effect for which
    >> > accounts.
    >> > In general I do not recommend it.
    >> > Also, most things effected by local policy can be done with registry
    >> > settings - and there are third-party tools to assist. You might want
    >> > to
    >> > look at Doug's little app for this (www.dougknox.com).
    >> > Finally, from what you have said it almost sound like what you could
    >> > do is to change the default shell from Explorer for the couple accounts
    >> > that are to be restricted to only accessing the bank web sites.
    >> >
    >> > --
    >> > Roger Abell
    >> > Microsoft MVP (Windows Security)
    >> >
    >> > "dh" <a@mail.com> wrote in message
    >> > news:e3lvZn6mFHA.3960@TK2MSFTNGP12.phx.gbl...
    >> >> My machine is a standalone machine without any AD setting.
    >> >> I am planning to set different user groups with different security
    >> > settings
    >> >> and windows environment.
    >> >> From gpedit.msc, there are only Windows Setting->Local
    >> >> Policies->UserRightAssignments and Windows Setting->Local
    >> > Policies->Security
    >> >> Options working with User Groups. The other policies affecting all
    >> >> users.
    >> >> I need the very tight security user group for working only with one or
    >> >> two
    >> >> banking web sites, no other application runs, no application can be
    >> > install,
    >> >> and no communication to other sites. Limited ports. The cleaning
    >> >> process
    >> >> should run during login and logout. The point is to avoid the backdoor
    >> >> and
    >> >> keylogger.
    >> >> Another user group for general usage, like accessing chatroom site,
    >> >> ICQ,
    >> >> YIM, game.
    >> >>
    >> >> How can I do this?
    >> >> Any suggestion on setting user groups to acheive security?
    >> >> Thanx a lot
    >> >>
    >> >>
    >> >
    >> >
    >>
    >>
    >>
  5. Archived from groups: microsoft.public.security,microsoft.public.windowsxp.security_admin,microsoft.public.security.homeusers (More info?)

    dh wrote:
    > How come the data rate wont accerlerate if I have two internet access
    > account from the same ISP?
    > The bandwidth should be doubled.
    > The problem is how to configure these two PCI network card correctly.

    Think of it this way..
    Yes - you have two "pipes" coming into your machine, each of these "pipes"
    even comes from the same "supplier".. BUT..

    You have one computer and (by design) that one computer can request stuff
    from either "Pipe1" or "Pipe2", but not both at the same time.

    While there are dial-up modems/applications out there for them that allows
    you to "bind" the two modems together, to my knowledge there is nothing like
    that for Network Cards... Yet.

    I can see the reasoning.. For a quick example, I can get 5Mbit down,
    768Kbit up for $49.99/month. If I wanted 10Mbit down and 1.5Mbit up, the
    price would do more than double - that is for sure. So being able to link
    my two connections together - even with a one-time hardware purchase or
    software purchase would be FANTASTIC. And if there is such a thing out
    there - publicize it here - but I do not know about it.

    --
    Shenan Stanley
    MS-MVP
    --
    How To Ask Questions The Smart Way
    http://www.catb.org/~esr/faqs/smart-questions.html
  6. Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.windowsxp.security_admin (More info?)

    Well, you would need to purchase Server in order to have a domain.

    I am not sure if there is or is not something out there to aggregate
    bandwidth between a cable and a wireless interface. In modem days
    there was ability to do so and in higher end network cards this is
    possible - but those are not the interfaces you have.

    From the range of your questions I feel that you may be getting in
    too deeply if you were to try altering the default shell for those
    accounts. Explorer is the normal default shell, not IE.

    The best way to protect your machine is to use a firewall,
    to keep it up-to-date on patches, and to keep those at the
    keyboard using a limited user account with sanity in their
    actions.

    --
    Roger Abell
    Microsoft MVP (Windows Security)

    "dh" <a@mail.com> wrote in message
    news:uuIW9P%23mFHA.2180@TK2MSFTNGP15.phx.gbl...
    > The OS is WinXP Pro.
    > So, will you suggest I promote my standalone PC to a standalone Domain
    > Controller in order to configure the specific group security requirement?
    > What is the default shell for IE? How can I access and change it?
    >
    > By the way, if I get internet access by wireless router, which has several
    > PC connect to it, which parameters should I set to ensure the other PC
    > connect to the same router cannot invade my privacy?
    > Can I use both cable access and wireless access at the same time to
    > accerlerate the data rate?
    > Thanx
    >
    >
    > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > news:OBcXNm9mFHA.1480@TK2MSFTNGP10.phx.gbl...
    > > What OS ? This is more approachable with XP Pro than it is with
    > > Windows 2000, mostly due to the addition of Software Restriction
    > > Policy in XP and later.
    > > However, local policy (i.e. stand-alone) is always applied equally
    > > to all accounts. User and group selectivity is a domain feature.
    > > There is a workaround, a very tedious workaround, for which one
    > > must plan carefully what policies are to be in effect for which
    accounts.
    > > In general I do not recommend it.
    > > Also, most things effected by local policy can be done with registry
    > > settings - and there are third-party tools to assist. You might want to
    > > look at Doug's little app for this (www.dougknox.com).
    > > Finally, from what you have said it almost sound like what you could
    > > do is to change the default shell from Explorer for the couple accounts
    > > that are to be restricted to only accessing the bank web sites.
    > >
    > > --
    > > Roger Abell
    > > Microsoft MVP (Windows Security)
    > >
    > > "dh" <a@mail.com> wrote in message
    > > news:e3lvZn6mFHA.3960@TK2MSFTNGP12.phx.gbl...
    > >> My machine is a standalone machine without any AD setting.
    > >> I am planning to set different user groups with different security
    > > settings
    > >> and windows environment.
    > >> From gpedit.msc, there are only Windows Setting->Local
    > >> Policies->UserRightAssignments and Windows Setting->Local
    > > Policies->Security
    > >> Options working with User Groups. The other policies affecting all
    users.
    > >> I need the very tight security user group for working only with one or
    > >> two
    > >> banking web sites, no other application runs, no application can be
    > > install,
    > >> and no communication to other sites. Limited ports. The cleaning
    process
    > >> should run during login and logout. The point is to avoid the backdoor
    > >> and
    > >> keylogger.
    > >> Another user group for general usage, like accessing chatroom site,
    ICQ,
    > >> YIM, game.
    > >>
    > >> How can I do this?
    > >> Any suggestion on setting user groups to acheive security?
    > >> Thanx a lot
    > >>
    > >>
    > >
    > >
    >
    >
Ask a new question

Read More

Security Microsoft Windows XP Product