XP: restrict a users access to a harddrive?

My parents and brother share a computer between the 3 of them; parents mostly for email, brother for god-only-knows-what-that-attracts-tons-of-spyware. The computer has two HDs in it. My question is this: is there any way to set it up so that one user account has access only to HD1, and another user account has access to only HD2? The idea is that none of my brothers computer-ruining tactics would affect my parents use of the computer (I have run both Ad-Aware and the Microsoft Antispyware program, and an antivirus program, but it still has lots of things that didnt get detected…). If this can’t be done through the built-in XP users, is there any other way to do it? I took their computer home with me and assured them I would find some solution for them by Monday, but now I’m not so sure…

Here’s something that might suit your needs:

Go into My Computer
Right-Click on the Hard-Drive you want to change the permissions on and select “properties”
Select the “Security” tab
If the usernames aren’t shown in the “Group or user names” box then click “Add” and add them manually (a simple case of entering the username in the box at the bottom and clicking “Check Names”.
Now select the user account in the “Group or user names” box and use the check boxes in the bottom window to state what that user can and cannot do on that hard drive.

You can also set permissions for individual folders in the same manner.

Aside from that suggestion I would suggest buying a firewall and anti-virus package such as Norton Internet Security, that should prevent the malware from taking root on your system.

Right-clicking on the HD in question gives me two options (that actually matter): Sharing and Security, and Properties. Neither of these has a security tab though. The closest thing is a Sharing tab, but I don’t see anything in anywhere that I can add/remove users, or set any user permissions. The only related thing from the Sharing tab is a little note that says “to share this folder with other users of this computer only, drag it to the Shared Documents folder” (the ‘only’ meaning, as opposed to sharing it on a network, the other options in this tab).

Go to the Tools menu, click on Options, View, and then scroll to the very bottom of the list. Uncheck “Use simple file sharing”, click OK, and then try mittu’s procedure again.

If your brother is determined to screw up the system, there is nothing you can do that can stop him. Any settings that are set up in mittu’s case can be undone fairly easily by anybody with physical access to the computer and some basic tools, with step by step instructions googlable.

I don’t think the brother is intentionally trying to cause damage to the computer, he is just downloading viruses along with whatever else he is downloading. So in this case the steps I detailed should (hopefully) be enough, the brother has no reason to try and get around the block.

He probably isn’t doing it maliciously. But his indiscriminant downloading behavior is the root of the infestations. What you propose to set up limits his ability to continue his normal downloading behavior. He then has the choice to just accept those limits, or work around them. My guess is that if he’s inconsiderate enough to not modify his behavior by choice, then if you try to force him to he’ll just work around it.

The OP is probably better off making use of XP’s System Restore functionality to periodically revert the PC to a virus/spyware free state.

I’m just guessing here, and the real computer geeks can tell me if I’m nuts or not, but would it be worth considering setting up the machine to dual boot? Even if the brother only has access to one drive, he’s still going to infest the OS with spyware and mess the registry up beyond recognition eventually.

Install a copy of Windows on each drive, each being bootable. Create user accounts for each family member on both OSes, leaving the bro off the “clean” version of the OS.

That way the Ps can use either one and can boot to their OS anytime they want to avoid the slop in his section.

Granted, once you have 2 OSes install, I’m not savvy enough to explain how to prevent the other drive from being visible to booted partition, but I’m sure it’s do able. This probably isn’t the most elegantsolution, but it’s the best way to (and only I think) to truly keep the brothers spyware and viruses from damaging the Ps stuff.

Instead of dual-booting, would it make more sense to have swappable hard-drives, and load User One’s installation of XP on one drive, and User Two’s on another?

Alternatively, could you have NO operating system on the hard drive, just partitions of users’ data, and give each person a bootable CD with their base OS? Can XP do ‘live’ bootable CD images similarly to what Linux does?

The other way to deal with this would be to get a separate computer for your brother.

Given as cheap as they have become, this might be worthwhile, if it saves you from having to do this system cleanup on your parents computer every few months. And maybe you could claim it’s your early Birthday present for him?

Of course, if he continues his indiscriminate download behavior, soon he’ll have the same problem on his machine. But then it’s his problem, and won’t interfer with your parents computing.

The problem is that there’s only one Registery on XP, which will still get screwed up by the spyware.

The very first thing the OP needs to do is to restrict the privileges of brother’s account. You want to give him User level privs, not Admin. Then he won’t be able to install most software. If you are running XP Pro then you can set file level permissions to further restrict him.

But if the OP’s brother is causing so much trouble, surely the best answer is to ban him from using the computer in the first place? At least until he can demonstrate he will be a responsible user.

Unless, of course, he spends two minutes googling for the instructions on how to reset his privileges.

Machine based privileges are useless if the person you’re trying to restrict has physical access to the machine.

You could get a second computer with a KVM switch so you can use the same mouse, keyboard, and monitor on both. Then just press the “Mom/Dad” button to switch to theirs.

Or dual-boot the computer.

This seems to obvious for it to be the correct answer but I will throw it out there if only to find out why it won’t work :slight_smile:

Couldn’t the OP just buy some anti-virus software and a decent firewall? I personally used to get lots of viruses on my PC and spyware from programs such as kazaa but since installing Norton Internet Security (which includes firewall and anti-virus programs) the problem has been stopped dead. If you have the active scanning or whatever it’s called activated then the anti-virus software scans files you download before you can use them so you are never in any doubt about a file’s true content.

So why wouldn’t that work? I’m pretty sure you can set a password on norton to prevent the brother from changing settings.

LordVar mentioned the registry problem, and reconsidering I suppose the original idea wouldn’t work anyway, for that reason. Dual-booting would work, but I think it’d be easier to just shoot my brother or something… :smack: So…
If Mittu is right about how well Norton works, I think I will reformat and get them a subscription. That seems like it would be the easiest thing for me and for the parents. Much thanks for the help.
As a side note: the brother isnt doing any of this on purpose, he’s just a sucker, and doesn’t know what isn’t good for him. I don’t think he will try to bypass any securities that are there.

What registry problem? “Limited” users in XP cannot write to the registry, except under the “Current User” hive, which wouldn’t affect the parents in any way.

This is one of the main reasons why using multiple limited accounts and one admin account is so painful; limited users can’t install anything because they can’t write to the registry.

Quite, but all the actions you reference require an additional level - and detectable - of activity.