up limited user profiles
9 August 2007
One of the best ways to protect Windows XP and Vista machines from
viruses and spyware is to set users as Limited Users.
This means that the day-to-day user can change their own settings like
passwords and wallpaper but can't change system settings. With no access
to the system, spyware can't mess up the entire machine.
Unfortunately Windows doesn't make it easy.
The biggest problem is this sort of security was unknown in earlier
versions of Windows like 3.1 and 98 so a lot of software and hardware
was designed without taking this into account.
So there are some tricks to watch when setting up a limited user profile.
To setup and change user accounts it's necessary to go into the
user accounts settings of the control panel. To do that, click Start,
Settings and Control Panel. Then choose User Accounts.
Warning! Due to a bug on some machines,
we don't recommend running this procedure on existing profile. If
you do, you may find the user's existing data and settings disappear
(although they aren't lost). As with everything, you should backup
important data before changing system settings.
Setup an Administrator account
At least one user profile has to be an administrator that can controls
all the settings and the other accounts, including the passwords. So
choose an existing account and check it is already an Administrator,
it will say so under the name.
Then add a password by clicking Create
Password and following the instructions. It should also be
something other users, particularly the kids, won't easily guess.
This password is important. If you forget it, it can be difficult
to get it back, so we'd recommend running the create password recovery
disk (click create disk and follow the prompts).
Create the other accounts
First create the accounts for other users by clicking Create an account.
The wizard will ask you what type of accounts you want them to be and
this stage you should choose Limited User.
Run the new accounts
At first the accounts have to run so all the initial settings and security
permissions are set correctly. Log in as a new user, but DON'T run any
software or go onto the Internet. Cancel any wizards that try to run
and then log off.
Change the new accounts to Administrators
The reason for changing the accounts to administrators is that some
software (including Microsoft Office!) needs administrator rights the
first time you run them.
Log off the new accounts and go back into the Administrator account.
Open in the Administrator profile and open User Settings. Switch
the other accounts from Limited User to Administrator through the
Change My Account Type. Then log off and log back into each
of the new accounts
Set the new account settings
Running each account as administrator, setup all the software and create
users settings like email addresses. Check printers, iPods, email and
web access are working and check every program you think the user might
Switch the user account
Having set everything up in the account, you can then switch the user
to being a Limited User. Open in the Administrator profile and open
User Settings. Switch the other accounts from Administrator to
Limited User through the Change My Account Type.
Check the profiles
Once they've been changed, you should check each profile to see the
programs are running. If you find a program that isn't, you'll need
to check with the manufacturer's website to see how you can work around
this. It might be necessary to change the user back to an administrator
while you fix the program.
One of the big frustrations is that some software and hardware will
not work at all in a Limited User profiles. The only solution we can
recommend is to find a replacement product or only use it on a machine
without Internet access.
If this all sounds complex, it is. Microsoft dropped the ball badly
with Windows XP security and we are seeing the results in the massive
spyware epidemic. Apple have handled security far better and we recommend
buying a Mac to prevent music hungry teenagers from destroying your