My Contribution to the Langa List
The following letter from a reader and Fred Langa's comments appeared in the Plus (paid) edition of the Langa list on July 14, 2003:
How To Keep The Kids From Messing Up Your PC
Hi Fred: My kids have contaminated my computer with their games, downloads and other junk like Spyware on every partition (They like a fast machine.) I've had enough! I need a solution to keep them within one partition and preferably hide the other partitions. Computer is dual boot FAT 32 with internet sharing
C=win98se for testing purposes
D=XPpro
The other partitions carry the applications. Looking forward to your next newsletter. ---Con Deka
Win98 is not secure, and cannot be made so. There are cosmetic things you can do, but anyone on a Win98 machine can easily muck up the entire machine, if they're not careful (kids) or if they're malicious (crackers).
I suggest you use XP for the whole thing; set up limited-privilege guest accounts for the kids; turn off file sharing; and follow the advice in the XP help file on guest accounts and shared systems. Once set up this way, the kids can have safe areas in which to play, and they won't be able to do much, if anything, to damage your areas or the system as a whole.
Having just set up an XP computer for shared use between parents and children, I wrote to Mr. Langa about this and he published my letter in the August 18, 2003 Plus issue of the newsletter:
Plus! Edition Extra: More On "Kid-Proofing" A PC
In item #13 in http://www.langalist.com/plus/newsletters/2003/2003-07-14plus.asp, we discussed ways of making your PC kid-proof by using XP's (or Win2k's) "Guest" accounts, which are intended for just that purpose---letting people use a PC without being able to do much harm to it.
But no solution is perfect. For example, the very restrictions that make guest accounts safe also limit their usefulness. So, reader Michael Horowitz suggests another approach:
Fred, I just spent days setting up an XP machine for multiple users for the same reason and it's not worth the trouble. The restricted kids accounts are sometimes too restricted. For example, they can't change their power profiles in the control panel. So you have to make the kids admin class users, log on as them, change the power settings, log off, log on as an admin user and make the kids restricted users again. On top of this, I've had problems with old software not designed for XP, not running well under a restricted userid, but working under an admin class userid.
To a partitioning pro, I suggest two copies of XP, one for the adults and one for the kids. The kids' copy of XP can be made to boot up with a default user id, no password prompt and no userlist screen. The adults' copy of XP can be secured by the usual userid/password. If each copy of XP is in a primary partition, pqboot from Partition Magic will shut down the current copy of XP, hide its partition, unhide the partition of the other copy of XP and boot the other copy. All with a simple GUI interface. An extended partition can be used for sharing files, it will be seen by both copies of XP. What you lose in disk space usage you more than make up in time and effort. The reader also mentioned they store applications in a different partition from the OS. This complicates my suggestion and I don't see the advantage to it, even without this scheme in mind. My 2 cents. --- Michael
Thanks Michael! That way can work, and the end result--- one PC, one XP license, several users--- is the same whether you set up multiple accounts on one OS installation, or separate multiple installations of the OS. But my guess is that this "two separate installs of XP" may be a technical violation of the license, and may therefore not be ideal.
I personally prefer the limited account option. Yes, it can be a minor hassle to have to switch accounts from time to time, but it's using the software in the way it was designed, and so may be a "cleaner" alternative.
Note: Newest entries are at the bottom of the page
September 29, 2003. I have tried, on a couple computers, using restricted Windows XP accounts for children on a machine shared with parents. Both were failures due to a whole host of software that fails to run correctly as a restricted user. Mr. Langa's point about using the software the way it was designed is valid for Windows. The problem is the millions of software programs written before Windows XP introduced the concept of limited users. Not expecting to create this web page, I didn't keep detailed records on the failing software, but a couple come to mind:
The most annoying was a USB based WiFi network adapter from D-Link. It
connected to the WiFi access point/router when logged on as an Admin class user,
but failed when logged on as a limited user. This happened for multiple admin
users and multiple limited users. My solution was to make all users Admin class
users.
Update: A reader of this page wrote to say that he too fought this battle and had to
set up users as members of the Power Users group. He was told by D-Link that
they always assume full administrator rights on their products. June 7,
2005.
CD Anywhere is software that makes virtual CD-ROM drives so you can run programs off the hard disk that normally required a physical CD disc. Three versions of the software all failed to work correctly under Windows XP (you can read detailed gripes on my other web site - avoid this program like the plague). One version produced error messages every time a limited user logged on to Windows XP while it produced no errors when an Admin class user logged on.
A reader of this page emailed that under Windows XP you have to be an Administrative
user to get updated virus definitions with Norton Anti-Virus 2003 and to run a
full system scan with it. According to this item on the Symantec KB, this is
also true with Windows 2000 and NT4.
LiveUpdate requires the use of an Administrator account under Windows NT/2000/XP
The installation instructions for Jump Start Second Grade (not sure which version of the program) warn that although it works under Windows XP, it has not been tested with limited userids.
April 18, 2004. I accidentally stumbled across the fact that some configuration options for the ZoneAlarm firewall are tracked per user while other options affect the entire computer (for all users). I know of no way to learn whether a particular setting applies to just the currently logged on user or the entire computer, other than trial and error.
April 21, 2004. FYI: I accidentally stumbled across the fact that the free version of MailWasher v2 (a great anti-spam program) which is only supposed to support a single email account, actually supports a single email account per Windows XP user.
June 23, 2004. Paul Thurrott wrote about this topic (see Paul's First Week as a Limited User). It's a very interesting read. One thing he mentions is that because shortcuts are stored in the All Users account's desktop, a limited user can't delete icons off their desktop.
November 15, 2004. Only administrators can log on in Safe Mode.
November 16, 2004. Limited User Accounts by Larry Seltzer in PC Magazine. The article mentions this: Certain Programs Do Not Work Correctly If You Log On Using a Limited User Account (from Microsoft, last reviewed November 30, 2004).
February 9, 2005. nonadmin.editme.com is a web site for Windows users who want to learn how to run without Administrator privileges, and why they should do this. It has a list of articles in the press on this subject.
Browsing the Web and Reading E-mail Safely as an Administrator by Michael Howard of Microsoft. November 15, 2004. Very interesting article about forcing your Internet-facing programs to run as restricted users even while logged on as an administrator.
March 12, 2005. A reader of this page wrote to say that the anti-Spyware program SpySweeper from Webroot can only run with Admin privileges (I have not confirmed this myself).
April 13, 2005. FYI: From a limited account, you can set up a Windows Scheduled Task that will run as an Administrator.
September 20, 2005. Web sites about this topic
Fast User Switching and privilege elevation in XP
by Serdar Yegulalp September 27, 2005 discusses running both a restricted userid
and an admin userid at the same time and switching between them.
| michael @ michaelhorowitz.com |
| Created August 18, 2003 | Last Updated: September 29, 2005 |
