Restricting user hard drive privileges
I have been directed to prevent my users from saving data to the hard drive. I had understood that this could be done in Safe Mode. I booted into Safe Mode and selected Windows XP. Then I:

- Opened my Administrator account,
- Opened My Computer,
- Right-clicked on Local Disk (C) - Properties - Security - Users and allowed only Read & Execute, List Folder Contents and Read.

I rebooted into the User account, opened Word, typed some letters and clicked on File - Save As. The save occurred. I confirmed this by opening Windows Explorer and found the file. Failure.

I repeated the above steps and clicked on Advanced. I found a list of accounts, three of which pertained to the users. I disallowed everything and then allowed them only the read and execute entries.

I rebooted into the User account, opened Word and proceeded as above. The results were the same. Failure.

I’m at a dead end. Is it really possible to restrict the users as I endeavored to do? If so, please provide detailed directions.

Thank you.

BTW, we will not be allowed to access the Internet until and unless I accomplish this.
July 9th, 2010 3:17am

There's no easy way to do this. The best way to discourage this is to allow users to create new files only in a given folder, which is wiped periodically or at logon. Another way to do this is with disk quotas, which will prevent users from saving more than a given amount to the drive.

If you have their profiles stored to another location other than "C", then you could do this via permissions.

Go to the root of "C" in Explorer as Administrator, and right-click on C drive and go to the Security tab. Then just go to the entry "users" from the list and modify its rights just to include read and execute and clear the other checkboxes.

However, removing the ability for users to write to anywhere on "C" drive can also stop some programs stored in the "Program Files" folder on "C" from not storing settings correctly. This doesn't happen very often as most programs' settings are either stored in the SYSTEM managed registry or in a file stored within the user's own profile (usually "App.. Data" or "Local Settings\App.. Data").

If you haven't got their entire profile stored on another drive then I wouldn't recommend doing that as users really must have Read and Write access to their own profile folder stored in "C:\Documents and Settings\someuser".

In that case you could still grant only read/execute rights access to the entire drive but then you must remember to re-grant full access to their own profile folder again.

"That which does not kill you, only postpones the inevitable." -Chaos
July 9th, 2010 3:44am
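A way to check the result of the permission change described in the answer above, as an added example that is not part of the thread: this PowerShell script lists every folder ACL entry near the drive root that still lets the named accounts create files, which shows whether a subfolder such as the profile folder overrides the read-only setting made at the root. It assumes PowerShell 2.0 or later is installed and that it is run as Administrator; the parameter names, the principal list and the depth are illustrative choices, and the limited account itself (for example `MYPC\someuser`, a placeholder) should be added to `-Principals`.

```powershell
# Added example: report folder ACL entries that still allow file creation.
# Assumptions: PowerShell 2.0+, elevated session; default values are illustrative.
param(
    [string]$Root = 'C:\',
    [string[]]$Principals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'),
    [int]$Depth = 2   # 0 = root only; 2 reaches C:\Documents and Settings\<user>
)

# Rights that let new data land in a folder (create files / create subfolders).
$writeBits = [int]([System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories')
# Generic rights show up as raw numbers on some inherit-only entries.
$genericWrite = 0x40000000
$genericAll   = 0x10000000
$mask = $writeBits -bor $genericWrite -bor $genericAll

function Get-WritableAce {
    param([string]$Path, [int]$Level)

    # Skip folders whose ACL cannot be read instead of aborting the walk.
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop } catch { return }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights) -band $mask) {
            New-Object PSObject -Property @{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # False = set explicitly on this folder
            }
        }
    }

    if ($Level -lt $Depth) {
        Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } |
            ForEach-Object { Get-WritableAce -Path $_.FullName -Level ($Level + 1) }
    }
}

Get-WritableAce -Path $Root -Level 0 |
    Format-Table Path, Identity, Rights, Inherited -AutoSize
```

An empty result means none of the listed accounts holds a create right on the folders scanned; rows with `Inherited` set to `False` are entries defined on that folder itself, which a change made only at the drive root does not touch.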

Thanks for your response. I followed your directions and opened the Security tab. The first thing I did was disallow everything in the list on the right. Then I enabled the write privilege in the left list. (Was this wrong?) Then I switched to the user account, opened Word, and created a small document. Alas, the Save As operation I performed worked. I opened Windows Explorer and found the file.

Following different advice, I opened gpedit.msc and proceeded as follows: Computer Configuration / Administrative Templates / System / Disk Quotas. I enabled all six items. Then I set the Default quota to 0 KB. This didn’t work either.

Here is some background. I work in a VA hospital where I run a computer room for a group of disabled veterans. The program treats in-patients and out-patients. Because of the latter, the hospital considers it to be an out-patient program. As such, we get zero technical support. Last year a serious security breach of the hospital's server was uncovered. The crackdown I mentioned followed. In addition, our Internet access was terminated. I was told that it would not be restored until and unless we comply with the new rules, which include preventing users from storing anything on anything. I have been trying for weeks to accomplish this. I have asked for help from a number of free tech support sites. I was referred to programs that claim to disable the floppy, optical and USB drives, though I haven’t installed them yet. The hard drive is the big obstacle.

The in-patients live at the hospital for three months, during which they are pretty well cut off from family and friends. Email is their best way of keeping in touch. Without the Internet, they are out of luck. Right now I am also.
July 13th, 2010 1:28am

Ok, do as above, ONLY

Check (On the LEFT side [Allow])
Read
Execute
And list folder contents

That's it.

Make sure you do this for the users category.

Click apply, and then ok.

Young and learning...Have mercy - Chaos

If this post resolves your issue, please click the "Mark as Answer" or "Helpful" buttons. This helps other users with similar problems find the answer faster.
July 13th, 2010 1:33am
