TrueCrypt allows you to unmount the volumes. I have not messed with the XP encryption much, but there was not an obvious way to turn off the encrypted folders. On the other hand, my reading of the link I posted seemed to indicate that more than administrator access was needed to get at the files.
I just tried TrueCrypt and it looks like it does what the OP wants. But you do have to unmount the volume when you pop out for a cup of joe.
The Microsoft solution looks like it is set up for an enterprise application where you are trying to keep the data from falling into the wrong hands if the laptop is stolen but also allow access by a chosen set of people without them needing to know all the users' passwords.
Cite? My understanding is that even admins can’t access encrypted data on an NTFS volume. The files are encrypted with a key tied to your login password; if an admin changes your password without knowing the original, your encrypted data becomes unreadable.
I believe you (“you” being an admin) can create data recovery agents that will be able to access encrypted files if necessary. I think (IIRC) you have to create DRAs ahead of time, though, so it should be one of those things you take care of when you’re first planning and implementing security policies for your domain.
This describes some differences between the encrypted file system in Windows 2000 and XP. In Win2k, the administrator was a DRA by default, and someone had to be assigned as a DRA in order for encryption to work. In XP, encryption works without a DRA, so your data is safe unless someone set up a DRA without your knowledge before you encrypted it - not really an issue for a PC that you control.
Right. I was really responding to the “your encrypted data becomes unreadable” bit. If you somehow become unable to decrypt the files, the data will be unreadable unless a DRA is set up to access those files. Which is another example of why backups are important.
Of course, the real issue that SweetHomeColorado raises is still best handled by locking the PC in some way rather than just setting up file encryption.