By Karen Kenworthy
DO YOU SHARE your computer with others? And do they leave sticky fingerprints on your keyboard, scramble your desktop and destroy your carefully tuned configurations?
Yes, bosses and coworkers can be a nuisance. Wouldn't it be nice to let others use your computer, without worrying about them destroying your life's work?
It can be done. Windows 3.1x users have their choice of several nifty shareware programs that prevent or control access to a PC, such as Windows Lock, Windows Multi-Lock and ProGuard. But if you've switched to Windows 95, even better solutions are available, and they're free!
If the folks who share your computer aren't especially clever or devious, Windows 95's User Profiles may suffice. Enabling this feature forces each user to log on before using the computer. Thereafter, any changes a user makes to the desktop are private; they won't affect the desktops of other users.
To enable User Profiles, double-click on the Passwords icon in Control Panel. Click on the User Profiles tab, and then on the option button labeled "Users can customize their preferences and desktop settings." Check both User Profile Settings boxes (for maximum protection from other users) and select OK.
The next time you start Windows you'll be asked for a user name and password. The first time you log on, Windows accepts any user name and password. After you log on, Windows automatically restores your choice of wallpaper, desktop fonts and colors, Start menu contents, and even desktop shortcuts and folder windows left open at the end of your last session. Windows also remembers each person's MRU (Most Recently Used) document list, persistent network connections and even settings within Windows applications (if the programs use the Registry to store those settings). Any changes you made to the desktop affect only you.
User Profiles are great tools, but they have some serious shortcomings. For example, they allow anyone to use your computer. Windows will gladly allow strangers to invent user names and passwords, and log on. They'll get their own private desktop, but they'll still be using your computer, running your programs, and possibly changing your files and hardware configuration.
Fortunately, Windows 95 provides an additional feature called System Policies that overcomes User Profiles' shortcomings. This feature gives you extensive control over what other users can do once they log onto your PC. With the right policies in place, you can specify which programs a user can run, prevent certain users from making configuration changes, even completely deny new users access to your computer.
System Policies are stored in special files called, not surprisingly, policy files. These files, which carry a .POL extension, contain entries Windows adds to the Registry whenever a user logs on. Each entry prevents the user from performing a particular task. For instance, one entry prevents a user from accessing a DOS prompt. Another consists of a list of Windows programs. The user may run only those programs on the list. Policy files contain separate entries for each known user and one set of entries affecting all unknown users, so you can tailor your policies to fit every situation.
The Windows 95 CD comes with System Policy Editor (POLEDIT.EXE), which lets you create and edit system policy files. To install it, double-click on Control Panel's Add/Remove Programs icon, select the Windows Setup tab, click on the Have Disk button, install from the CD's \Admin\AppTools\PolEdit directory and specify the file PolEdit.inf. During this installation you'll have a chance to install Group Policies in addition to the System Policy Editor. Don't install this optional component unless your computer is on a network with a Windows NT or NetWare server and your administrator plans to implement Group Policies.
If you don't have the CD-ROM, you can download the System Policy Editor files from WinMag's online locations listed in this issue's Windows Online page. Download the files into a temporary directory and then follow the installation instructions above (substituting the temporary directory's name for the CD's directory).
Once you've installed the editor, you can use it to create a simple policy file. Let's say you have two authorized users, Karen and Bob. Your policies allow Karen to do anything she chooses, but Bob can run only one program, Windows' Calculator (CALC.EXE).
First, select System Policy Editor from your Start menu. Its exact location is Start/Menu/Programs/Accessories/System Tools/System Policy Editor. Once the editor starts, select File/New. You should then see two icons in the program's main window, one labeled Default User, the other labeled Default Computer.
Now tell the editor about your two authorized users by supplying the user names they enter when they log on. First, select Edit/Add User and add a user named Karen. Then select Add User again, and add Bob. You should now see two new icons in the editor's main window, one for each user.
By default, the policies in effect for a user allow them to perform any task or action, so you won't have to make any changes to Karen's policy entries. Bob is another matter. You must severely limit what he can do. Start by double-clicking on Bob's icon in the editor's main window. You'll see a Bob Properties dialog that contains a hierarchy of available policy settings. At the moment, you're interested in two settings found at System/Restrictions: "Only run allowed Windows applications" and "Disable MS-DOS prompt."
To activate these policies, place a check mark next to each. You may have to click each box more than once because these check boxes have three states. When checked, the selected policy will be in effect the next time this user logs on. When empty, this policy won't be enforced. But when a check box is gray, the policy's state will revert to whatever was in effect the last time the user logged on. In effect, a check mark causes a Registry entry to be made, a clear box causes the corresponding Registry entry to be erased, and a gray box causes any corresponding Registry entry to be left alone.
After you check the box labeled "Only run allowed Windows applications," select the Show button and enter your list of approved programs. For this example, enter only one, CALC.EXE. (In real life, you may want to expand this list a little.) Once you enter all of a user's policy settings, select OK to return to the editor's main window.
To save the policy file, select File/Save As and save your policies in a file named C:\Windows\Config.pol. Before you test your new policies, you must force Windows to process your policy file each time a user logs on.
This requires a change to Windows' Registry. But instead of the usual Registry editing tool (REGEDIT.EXE), use a special feature of the Policy Editor. Select Open Registry from the Policy Editor's File menu and double-click on the Local Computer icon that appears in the editor's main window. Then travel through the hierarchy of policy settings until you reach Local Computer/Network/Update/Remote Update.
Place a check mark next to the Remote Update setting in the resulting window. Then, from the listbox labeled Update Mode, select "Manual (use specific path)." In the text box labeled "Path for manual update" enter the full path of the .POL file you created a moment ago (C:\Windows\Config.pol). Finally, select File/Save and exit the Policy Editor. The next time a user logs on to your computer the new policies will be in effect.
If you're wondering why this Registry entry is named Remote Update, it's because it was originally intended to allow policy files to be kept in a central location (usually a server) on a large computer network. You're fooling Windows into reading a policy file stored on your own machine.
To test the new policy file, select Start/Shutdown/Close all programs, log on as Bob and try to run any program other than Calculator. You should then see a message that reads, "This program cannot be run due to restrictions in effect on this computer. Please contact your system administrator."
This simple policy is just the beginning. You can also block users' access to Registry editing tools, remove certain items from their Start menus, prevent them from accessing the Control Panel and a lot more.
Now you know how to control the activities of known users. But what about intruders? There are two doors you must close before your computer will be safe from all unwanted changes.
First, you have to edit the policy file you created earlier. This time, instead of setting policies for one of the known users, set policies for "everyone else." Double-click on the icon labeled Default User in the editor's main window. Set policies as before to restrict access, then save the file.
Now, what about folks who don't log on at all? Windows' log-on dialog contains a Cancel button. Selecting it or pressing Esc aborts the log-on procedure but still allows users access to your PC. Because this user never logs on, entries in your policy file have no effect. This is a job for the System Policy Editor.
First, bypass the log-on dialog yourself. Don't enter your user name or password; just select the Cancel button. Now, run the System Policy Editor and select File/Open Registry. When the Local User icon appears in the editor's main window, double-click on it and you'll see the same hierarchy of policy settings you saw before. This time, though, changes you make aren't stored in a policy file for later processing; they're made directly to the Windows Registry. However, they affect only the current user: a user with no name who bypassed the log-on procedure.
Set any policies you deem appropriate, then select File/Save to make them permanent. With both doors closed and appropriate policies in effect for all known users, unexpected changes and tampering should be a thing of the past. Now, if I could only find a way to clean that sticky keyboard!
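The three check-box states and the three log-on paths described above (a known user, an unknown user, and a cancelled log-on) can be traced in a small model. This is an added example, not code from the article or from Windows; the policy names are the article's, while the data layout, the function names and the user name "Stranger" are assumptions made for the illustration.

```python
# Added model of log-on policy processing as the article describes it.
# Policy names come from the article; the data layout is constructed.
CHECKED, CLEARED, GRAY = "checked", "cleared", "gray"
RUN_LIST = "Only run allowed Windows applications"
NO_DOS = "Disable MS-DOS prompt"

POLICY_FILE = {  # constructed stand-in for the saved policy file
    "Karen": {},  # no boxes changed: nothing is written or erased
    "Bob": {RUN_LIST: (CHECKED, ["CALC.EXE"]), NO_DOS: (CHECKED, True)},
    "Default User": {RUN_LIST: (CHECKED, []), NO_DOS: (CHECKED, True)},
}


def log_on(registry, policy_file, user_name):
    """Apply one log-on; user_name is None when the dialog was cancelled."""
    registry = dict(registry)
    if user_name is None:
        return registry  # no log-on: the policy file is never processed
    section = policy_file.get(user_name, policy_file["Default User"])
    for policy, (state, value) in section.items():
        if state == CHECKED:
            registry[policy] = value    # Registry entry is made
        elif state == CLEARED:
            registry.pop(policy, None)  # Registry entry is erased
        # GRAY: any existing entry is left alone
    return registry


def may_run(registry, program):
    """Enforce the allowed-applications list when that entry exists."""
    return RUN_LIST not in registry or program.upper() in registry[RUN_LIST]


def demo():
    bob = log_on({}, POLICY_FILE, "Bob")
    stranger = log_on({}, POLICY_FILE, "Stranger")  # uses Default User
    cancelled = log_on({}, POLICY_FILE, None)       # pressed Cancel or Esc
    edit = lambda state: {"Bob": {RUN_LIST: (state, None)}, "Default User": {}}
    return {
        "Bob, CALC.EXE": may_run(bob, "calc.exe"),
        "Bob, REGEDIT.EXE": may_run(bob, "regedit.exe"),
        "stranger, CALC.EXE": may_run(stranger, "calc.exe"),
        "cancelled, REGEDIT.EXE": may_run(cancelled, "regedit.exe"),
        "Bob after gray edit": may_run(log_on(bob, edit(GRAY), "Bob"), "regedit.exe"),
        "Bob after cleared edit": may_run(log_on(bob, edit(CLEARED), "Bob"), "regedit.exe"),
    }


if __name__ == "__main__":
    print(demo())
```

The "cancelled" row is the second door the article closes by editing the Registry directly, and the "gray edit" row shows that graying a box in a later policy file does not lift a restriction already written.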
Contributing Editor Karen Kenworthy is the author of Visual Basic for Applications, Revealed! (Prima Publishing, 1994) and the manager of WINDOWS Magazine forums on America Online and CompuServe. Contact Karen in the "Power Windows" topic of these areas.