Ferret said:
I have folders that aren't part of the '*username*/public' structure in windows. It's what used to be 'My Documents' (I assume); I've never used them. At the moment I have a folder that I get to via my D drive, with subfolders set up how I like them to be set up. I'd like to protect folders of files I don't want other people to be able to get to when they use a guest account I created on my computer (Say plans for world domination).
Will I have to move my files and folders to the standard Windows ones under my username or will I be able to protect them where they are?
OK, well you don't need any 3rd party / encryption software for this unless the sort of users you have might be those black hat hacker types or your plans for world domination might get you banged up in gitmo
I'm going to write from the experience of XP but Im sure its similar in Vista.
Basically all file access permissions on your machine are controlled by users and groups and generally a 'deny' overrules an 'allow'. You have some built in users and groups too. One is the one administrator account, one is a guest account. There is a local service account and a network service account. There is another which is the creator/owner of that single file too which is not strictly an account but more of a file status thing. There are loads of groups too but there are the 'administrators' (note plural) group and the 'users' group to name two important ones.
To modify the users and groups you generally become administrator, go to the start menu, control panel, administrative tools and then local users and groups. You can then look at all users and all the groups. You can disable the guest account by clicking on it and there is a tickbox there. You can also add users and add or move yourself into other groups.
On the folder of interest get the security tab open. Generally you want to leave everything alone except the 'users' group. For directories that you want to make private to all users except administrators etc then get rid of the users group in the security setting for a folder. Now since you are one of the many users who will get disabled from that folder then you should add in your single username in there before you hit the OK now do it button.
Two more complications... Sometimes folders inherit permissions from their parent folders. In that case you can only add or deny extra settings and all parent ones are on top. Remember that deny is more powerful than allow. But if you deny 'users' then even by adding your own username you will still be a user and thus denied. So you should stop it inheriting security settings and a dialog box comes up asking whether you want to copy the parents settings instead. Click the yes, let it finish and then get rid of users and add your single username.
Lastly, there is the actual permissions themselves - list files, read, write etc. I would either tick all the boxes or untick all the boxes. You can allow people to look at the files and read them but not modify them etc. When you come to add your single username it will probably come up with a lot of blank boxes so tick them all at that point.
As a tip I would suggest you do this just for one folder which is like the root of all your own user data. Dont try to shore up security of your machine generally with this unless you know what your doing. It can be done but you can also stop services and other important bits of windows from being able to use important files and things start to fail.
I would also give yourself two accounts. One is your general login account and create another which is a general user one to test it with. Presumably you also have the administrator account too. You should use that just to make proper admin changes and not when generally using the machine.
In case you are wondering, I believe you cannot totally stop the administrator account from looking at your files but you can stop the administrators group from doing so. If that sort of thing is what you need to stop then its 3rd party tools time. I'm sure a whiz hacker type could tell you more but thats way more than enough for now.