Computer security for young kids

[Rezag3000]

I'm trying to set up my computer in such a way that when my younger brothers use my computer, they cannot install anything or change any settings, but I would like them to be able to use previously installed software.

Is such a set up possible? If so, how?

Thanks

 

[FishAk]

What operating system?

I'll assume Windows 7...

In that case, yes and no.

By assigning your brother his own limited (regular) user account, he can run any already installed program that doesn't require administrator rights to start. You can further limit which programs are allowed to run through AppLocker, or Parental Controls (depending on the version).

By the way, for security, you should also be using a Limited account for normal use, and only use the Admin account when required.

For any program that requires administrative privileges to start... well you are just SOL. Windows has no method for an administrator to allow limited users to run programs that require elevation without providing the user with administration privileges. Of course this act defeats all security measures offered by Windows.

 

[smakme7757]

What operating system?

By the way, for security, you should also be using a Limited account for normal use, and only use the Admin account when required.

For any program that requires administrative privileges to start... well you are just SOL. Windows has no method for an administrator to allow limited users to run programs that require elevation without providing the user with administration privileges. Of course this act defeats all security measures offered by Windows.

That's not true. With UAC enabled you can run as a standard user while elevating your user when needed by giving windows your admin password when needed. If you don't have the password you cannot elevate your user, but if you do have it then it's not a problem (Vista/7).

 

[Rezag3000]

My operating system is windows 7.

I've experimented with UAC before. Even with it turned all the way on, it seems like a limited user can still install applications....

 

[FishAk]

That's not true.

Which part?

Perhaps you didn't notice that the OP wishes to protect his computer from another user. If the other user has only a limited account, he can not run any program, or function, that requires elevation. If the OP wants to allow the limited user to run a program that does require elevation, he can not. Instead, he must give the user the password to an administrator account. At that point, that user is no longer restricted to the limited account. He is no longer a Limited User. He will be able to perform any function, or install any program just as any other administrator can. In fact, the (now unlimited) user will even have the ability to lock the OP out of his own computer. Surely you don't consider this to be secure in some way.

My operating system is windows 7.

This is understood from your first post. I tried to ask; which version of W7?

Windows 7 Home Premium and below, doesn't have AppLocker. Ultimate does. AppLocker is very effective, and easy to configure, so that only white listed programs, installers, or scripts can be run by specifically chosen users. Parental controls might be close, but I haven't had to play with that utility. Another option, from XP up, is Software Restriction Policies. This is more cumbersome than AppLocker, but still very effective.

 

[spikespiegal]

Restricting the user from local admin rights is 90% of the battle. You can add additional 'sandboxing' restrictions like application lock-down, but restricting admin rights is most of the battle. Why we're even discussing this in 2011 is frankly distressing.

UAC is nothing more than a speed bump and shouldn't be in the context of what the OP was asking for.

{waiting for some blue-shirt-wannabee to mention SpyBot and a software firewall}

 

[mechBgon]

For the OP's scenario, I'd use either Parental Controls (on Home versions of Windows) or Software Restriction Policy (on Professional). With Parental Controls, you can whitelist all the existing executables on the system in one swoop, it's a snap. Anything not already there, will require you to override.

To do this, you should create an Admin account and give it a password, then reduce all other accounts (including yours) to a Standard User. I think it would also be best to password-protect your own Standard User account, and create a separate Standard account for your noObs to use. That way they're not getting into YOUR stuff.

If you'd like to streamline the Admin'ing, I can vouch for this fingerprint reader: http://www.amazon.com/Eikon-Digital-.../dp/B001BCC0YA Once it's learned your fingerprint fairly well, you can just swipe a finger on UAC prompts. Works with both 32-bit and 64-bit Windows. I find my middle finger's the easiest one to use... sorry computer, nothing personal

It couldn't hurt to harden your security in other ways too, here are some tips I compiled: http://www.mechbgon.com/security

 

[Wyndru]

To lock them from installing sw, I've heard of people limiting access to common installers. I've tried this with varying success by manually limiting user access to the windows installer, although I believe there is a way to change where windows looks for the installer, so it can be bypassed via registry, so I lock it down so they can't access or have rights to that.

Settings lockdown, I usually just lock them out of control panel, display properties, IE options, firefox settings (via an addon), setting the wallpaper, disable command prompt and the "run..." option, and a few other things. I do it all through the registry with a script, but it can be modified within group policy editor.

 

[Polraudio]

Use MMC to set a policy. you can chose everything they can/cannot do. I set my younger sisters up so limited all they have access to is the internet. They have no access to install programs, change background, resolution. They cant even access my computer, the only link that is on the start menu is documents. Everything else they try to gives them an error.

type mmc in run or in the search bar and hit enter. You may have to look up a tutorial on how to use it.

Note: This should work with XP, Vista, and Win7. Any version of either of them.