Re: XP/Home Security issues

From: Kent W. England [MVP] (kwe@mvps.org)
Date: 06/10/02


From: "Kent W. England [MVP]" <kwe@mvps.org>
Date: Sun, 9 Jun 2002 17:57:05 -0700


Kevin;

I don't see you as being argumentative. I said that Power Users couldn't
write to the Program Files and that was a mistake. I'm always saying
things like that about XP Pro when I am logged onto Home and can't check
myself. :-)

To debate the issue a bit further, if you make the account a limited
user (aka, User group member) and then give users permission to *one*
program files folder, that is the most limited expansion of their
privileges, which I like, and is why I recommend that as the solution
for the problem-at-hand.

If you make them Power Users, 1) you can't do that in Home and 2) you
expand their powers to all Program Files folders and allow them to
install their own software. Beyond that, I'm not clear on what Power
Users can't do that admins can. One thing they can't do is take
ownership of folders that belong to Administrators group and that is
very important for maintaining the integrity of your system. They can
write to the Windows folder so they can change system files but Windows
File Protection will stop most of that.

So I like my fix better than yours, but yours is workable as a fix for
the problem-at-hand and I said it wasn't, so I have to correct that
error before someone acts on it.

We can discuss which solution we like best as much as we want, once I
correct my error. Thanks for not being a horse's ass about my mistake.
There are others on these groups that leap on any error in a kind of
religious ecstasy of one-upmanship that is tiresome. Your politeness is
most welcome.

Home has a runas feature, but since that means giving away the admin
password, it's best used as a tool for admins to use from a limited
account, but with fast-switching, runas isn't as useful as it once was
since you can fast-switch to an admin account, do your thing and then
switch back to a limited account.

Home doesn't have Power User since that is a feature that is backward
compatible with Win2K Pro and Home doesn't have to be backward
compatible with Win2K Pro as XP Pro does. This is a good thing, since I
don't think that Power Users are all that useful a distinction, but it's
there for the enterprise folks if they want it.

--
Kent W. England, MS MVP for Windows XP
(Please respond only in the newsgroup)
Kevin Davis <zkevindavisz@ask.me.for.my.address.if.u.really.want.it>
wrote:
> On Sun, 9 Jun 2002 11:27:25 -0700, "Kent W. England [MVP]"
> <kwe@mvps.org> wrote:
>
>> My mistake. If you have XP Pro, you can put users in the Power Users
>> category and they have write access to Program Files and may install
>> software. If that is too much power, then something like my file
>> permissions hack is more suited, but setting the user to Power User
>> is simpler.
>
> I'm not trying to be argumentative, just trying to get a better
> understanding between the distinction here.  Aren't you essentially
> giving them that same power with your solution?  Is the Power User
> able to alter system files?
>
> However, since the context was most likely applied to the user of the
> Home Edition, it probably is a moot point.  I am wondering why the
> Home Edition doesn't have such a user type.  It would seem that it
> would be useful.  Does the Home Edition have the "Run as..." feature?

