Rev: 01 Nov 2004.
Since I first wrote this in early 2001 I've added machines running OS X, Windows 2000,
and Windows XP Pro; very recently I've built another Windows 98 machine strictly for
children's educational software and games (it has no net connection, so it's relatively
secure). Of all these machines, OS X and Windows 98 have the most advanced childproofing
capabilities, but the implementation in Windows 98 (and Windows 95 before it) is very treacherous.
This page describes the Windows 98 implementation; there's a small section describing Windows 2000 childproofing, but Win2K and WinXP Pro really need
a network server to be made childproof.
In the mid-90s Microsoft tried to use a combination of User Profiles and System
Policies to make Windows 95 look a bit like a multi-user environment and to provide some
fragment of machine-level security. It didn't work very well even then, and the
combination of IE and Active Desktop really broke Windows 98's security model. Even
advanced Windows texts rarely discuss these capabilities and web searches find few support
pages. Documentation is hidden in the Windows 98 Resource Kit on the Windows 98 CD-ROM.
Nowadays it's used mostly in schools and in computer retail stores.
There are a lot of problems with Microsoft's
Profiles/Policies hack. Windows applications were not written to run in a multi-user
environment. Microsoft broke the profiles/policies hack when they introduced IE 4/5 and
active desktop. The hack causes the system to constantly change registry settings, with a
likely increased risk of fatal registry corruption (regicide). There is a very high risk
that in trying this you will make your machine inoperable and, at best, you will have to
restore the registry by hand. Above all, the standard poledit implementation is for a
NETWORKED machine, not a standalone machine.
If you're foolish enough to try this, this page may help you a bit -- or it may induce
disaster. Don't complain to me when your machine is a hopeless wreck and you lose
every single document you ever had resulting in loss of job, home, family, etc. If you
have suggestions, additions, or corrections please email them; however, I'm unlikely to be
able to answer requests for help.
Don't try this unless you know a LOT about Windows AND DOS, have a full system
backup, and know how to restore the registry from a DOS prompt. You should be sure to have
a working boot disk.
General
- If the floppy drive is available you can boot off it and bypass the profile settings.
You might choose to edit the profiles, for example.
- I think if you hold down the F8 key on startup you might get an option for DOS
prompt. (I'm not sure, my system is Dual-Boot and I just get the Win 2000 menu.) Note
however there may be a policy editor setting to block DOS booting.
- You can't block the creation of new users during logon (user enters a new name) unless
you have a server and validate users through the server. You also can't stop Ctrl-Alt-Del
restarts.
- This functionality is not fully compatible with active desktop (active desktop, btw,
also breaks the unrelated screen saver hot spots). If you import the correct admin
templates there are settings for turning off the active desktop, but they don't remove the
menu option. If you install the advanced templates there's an option to remove the
"folder options" setting from the Start menu, but it doesn't work on my system.
- Microsoft doesn't really support it; this is an old and creaky approach to security.
- Applications don't expect to run in this type of environment. In fact all applications
are installed for all users, the only limited control is the ability to reach and run the
applications. Very few applications actually handle user-specific settings properly.
- The underlying OS is a single-user security-free operating system (DOS).
- If you allow access to IE and want some semblance of security, you probably need the
IEAK (Good luck!) but you can do a fair bit with policy editor if you import the IE admin
templates (.ADM).
- When using profile editor some changes take effect as soon as you log out, others
require rebooting. In general reboot to be sure your changes work as expected.
Things that should be user-specific but are shared
- All the settings for the "machine" (does this correspond to edits in the
system.dat registry file?) are shared by all users. They seem to apply BEFORE the login
occurs.
- The system tray always loads and everyone gets the same tray except for items belonging
to the StartUp folder. You can't limit access to the system tray.
- The screen saver settings are very confusing, perhaps because active desktop controls
the screen saver on my machine and it's not fully compatible with policy editor. I can't
get a password protected screen saver setting to work fully for my default users. It's a
mess, and I suspect this is one of those areas where active desktop has messed up policies.
- I think the SendTo options stay the same for everyone, but I think you might be able to
disable the context menu.
- Even though users have Start Up folders and Program folders they don't get used. This
may be a side-effect of specifying hard coded paths for the default user profile. If you
change wallpaper in a session your change is lost on logoff.
Networking and a few things that work
- If you've set up file and printer shares, these will be mounted and available after
login even if the user has very limited privileges.
- Screen resolution settings are saved between users, so kids can run at the resolution
of children's games.
- When you start up, Windows will require a login. I use the Microsoft Family Login, so you
get to select from a list of users. Passwords are required for the administrative user.
- Windows will then attempt to match (string comparison) the user name to a user defined
in policies. (Yes, it's that simple.)
- If Windows finds a match you get the privileges/restrictions and settings of that
policy. If there's no match you get the Default User profile settings.
Have a child machine that doesn't get trashed on a daily basis.
The Standard Approach is what most people seem
to use, but you can also test the Basic Approach
if you dare.
The key thing is that System Policy Editor does not normally work on a standalone or
workgroup machine. It needs a domain server. You need to carefully study Microsoft's
directions to enable on a standalone machine. Read the documents in the Links section for the references. (Basically, you need to
use the registry option of SPE to change "update" from network to manual, and
enter the path to your .pol file. Read the links section though for some critical
warnings!)
Back up the system, check your boot disk works, back up the registry files,
etc. Pray.
On your Windows 98 CD, locate the Windows 98 resource kit. Run the setup
program, setup will copy parts of the Resource Kit to your drive and will install
documentation. Open the "tools management console" and look into the Online
Documentation folder for the "Resource Kit Tools Help". Read the documentation
on policy editor carefully. Note the additional obscure installation steps
required to install policy editor.
Read the documents in the Links
section; I'm not repeating what they say. Read my warnings! Po
I recommend enabling "Microsoft Family Logon"; Windows 98 acts
a wee bit like Win XP home and you get to pick users. No need to worry about "new
users" being created on the fly when someone mistypes a username during logon.
I think you should create at least two users using the Users control
panel tool. One is the administrative user, the other the child user. Enable a password on
the administrative user. Don't use the "save space" option. Users will have a
folder in c:\windows\profiles. Some user setup
tips follow. See directions in Links, these are just
comments:
Create policies using the System Policy Editor (POLEDIT). Follow the
directions in Links to enable POLEDIT to run on a
standalone machine and then setup your policies. The user names in the policy editor must
match the usernames defined above. NOTE:
- Microsoft's directions for running standalone don't tell you that you need to uncheck
the computer policy "Require validation by network ...". If you leave this
checked you're hosed; when you restart your machine will attempt to log into a domain and
you'll be unable to continue. (Boot from floppy, replace registry, etc.)
- I had trouble when I used a long path name to my policy file, I'd keep the path short
and on the C: drive.
- I started out using the pol template that is installed with policy editor and then
modified it.
- In Windows 98 the default policy editor seems to be missing some important
controls. That's because you need to add a lot of administrative "templates" to
get more control. I added several .ADM files, which in my machine were located in c:\windows\inf: common.adm, Shellm.adm, Windows.adm,
Inetresm.adm, Inetsetm.adm
- I think for most purposes you can create only one user in policy (not to be confused
with the user you created above, but the names must match). Create the admin
user first (my example, since I created a profile called admin) with maximal privileges,
read directions in Links. Restart and make sure admin
works. (I think if you create admin after you revise the default user settings admin
starts out with the default user settings.)
- Set the default user policy settings. Read directions in Links. In my case I do not want the machine shut down by
anyone but me, so the default user can't shut down. Don't turn off running programs
or you may get startup errors, for example hpfsched errors occur because WIN.INI is trying
to run an application used by my HP DeskJet printer.
- I had to set the wallpaper in the policies, it didn't remember my admin settings.
- I think there's some sort of inheritance of settings, so if buttons are gray they
inherit the settings from Default User.
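A preflight check for the pitfalls in the notes above, as an added example that is not from the original page or from Microsoft: it reads a REGEDIT4 export and lists what to fix before restarting. The registry key and value names (UpdateMode, NetworkPath, MustBeValidated) come from general knowledge of Windows 9x policy settings and are not given on this page, so confirm them against the Resource Kit; the 8.3 test is an assumed stand-in for "keep the path short", and the sample export is constructed.

```python
import re

# Key/value names are assumptions from general Windows 9x knowledge, not from this page.
UPDATE_KEY = r"hkey_local_machine\system\currentcontrolset\control\update"
LOGON_KEY = r"hkey_local_machine\network\logon"

# Constructed REGEDIT4 export of the two keys (sample data, not from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Update]
"UpdateMode"=dword:00000002
"NetworkPath"="C:\\Program Files\\Policy Editor Files\\standard.pol"

[HKEY_LOCAL_MACHINE\Network\Logon]
"MustBeValidated"=dword:00000001
'''

def parse_reg(text):
    """Parse REGEDIT4 text into {key: {value_name: int or str}}, names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if current is None or not m:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            current[name] = raw[1:-1].replace("\\\\", "\\")  # .reg files double backslashes
    return keys

def is_8dot3(part):
    return re.fullmatch(r"[^. ]{1,8}(\.[^. ]{1,3})?", part) is not None

def preflight(text):
    """Return the list of problems to fix before restarting the machine."""
    reg = parse_reg(text)
    upd, logon = reg.get(UPDATE_KEY, {}), reg.get(LOGON_KEY, {})
    path = upd.get("networkpath", "")
    problems = []
    if upd.get("updatemode") != 2:
        problems.append("UpdateMode is not 2 (manual update)")
    if not path.lower().endswith(".pol"):
        problems.append("NetworkPath does not name a .pol file")
    elif not path.lower().startswith("c:\\"):
        problems.append("policy file is not on the C: drive")
    elif not all(is_8dot3(p) for p in path[3:].split("\\")):
        problems.append("policy path contains long file names")
    if logon.get("mustbevalidated", 0) != 0:
        problems.append("MustBeValidated is set: logon will demand a domain")
    return problems

if __name__ == "__main__":
    for problem in preflight(SAMPLE_EXPORT):
        print("FIX:", problem)
```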
I've never tested this, but I think it would work. If you don't want to bother with
setting up multiple users, and you are protecting a system no-one else uses from a naive
user (typical child < 10 yo), you could try this experiment (if your system blows up
when you do this let me know and I'll note your experience here).
Note that this takes advantage of the behavior that the default user
policy applies if the user name does not match any profile.
- follow the directions for standalone use of policy editor (see Standard Approach)
- copy the policy file (.pol) that comes with policy editor. Call one (for example)
admin.pol, another (for example), standard.pol.
- Edit the default user (don't create any other user) in each so that
admin.pol has all privileges and standard.pol is restricted.
- The last one you use in policy editor applies, so restart with standard.pol. If you need
to do work on the system use policy editor to make admin.pol active. You could rename
poledit.exe for slightly more security, but for this use that's probably unnecessary.
I thought the policies configuration for Windows 98 was tricky, but it's many times
worse for Windows 2000. Make a mistake here and your data is toast. For
example: you can set things up so NO-ONE has privileges to read/write a file. You may just
be hosed at that point.
The techniques here are a mixture of access control (security) using NTFS and Windows
2000 local policies (local version of Active Directory). Nothing about this is well
documented anywhere -- try, for example, to learn what rights the "special
groups" have. For that matter, what does "everyone" really mean? The
inheritance and ownership behaviors of NTFS access settings are a wonder to behold; a
transcendental mess.
Check out the Windows 2000 links (below).
Things to Know
- Microsoft really intends that everything is on one drive (C:) and that all of your
personal files are in your Documents and Settings folder [2].
Oddly enough OS/2 wanted to do the same thing many years ago. I think it's a bad idea, but
as you struggle along you find out more and more that that's the way Microsoft wants
life to be.
- You'd better have done a fully clean install and disk format with NTFS to have any hope
of things working as designed. No NT upgrades please!
- You need to organize all your directories with an eye to access privileges. Forget how
you've organized directories in the past. Things work best if shared applications go in
one folder and unshared applications in another. Of course once you do this you can't
change anything, since moving Windows application files breaks applications! [1]
- As well as privileges one can use advanced settings to change ownership for folders or
files. If you can't change security settings on something, even though you're an
administrator, then go and change ownership first. You need to change ownership to the
administrator group, close and then re-open properties.
- Remember that if one checks "modify" privileges then things cannot be
deleted but directory contents can be browsed.
- I think if you remove "Everyone" you may want to add SYSTEM as well as
administrator to a folder
- I have no idea what the NETWORK group means.
- Even if a user has access to a directory, if they lack access to the parent directory
they cannot browse it and possibly cannot run programs in it. I think that you have to
plan your directory tree based on the access privileges you intend to give people. Take
advantage of the NTFS inheritance and group folders so as to minimize the need to alter
inheritance.
- Inheritance is by user/group matching -- if you add a user they inherit based on the
parent. If the checkboxes are greyed inheritance is working, if they're not delete the
user (beware deleting so many users you can't do anything!); often the user stays but the
boxes are greyed correctly. (One is thus deleting overlaid privileges, not the user).
Some Odd NTFS behaviors
- Sometimes I have to remove inheritance then restore it to make things work.
- Access rules set on parent directories should be inherited. To make that happen check
the 'inherit from parent'. Sometimes one must uncheck and then check. Click on groups and
members and "remove" them until you get a message saying the group/member cannot
be removed (all its checkboxes will be gray).
Possible Techniques and Some Tips
- The basic technique is careful restriction of access rights. For example, assign children
to a new group called child and deny privileges on certain folders for that group (see Recommended NTFS configuration for Windows 2000).
- You can also assign local policies to all users. Go to the command line and type mmc.
You get a console to which you can add components, such as Group Policy editor. If you add
this on a standalone workstation you get some local policy editing. Then either:
- use the apply policy checkbox in the snap-in control to turn them off as needed.
- use a trick whereby one exempts administrators from read privileges on the folder where
policies are stored -- so they won't apply to the administrator. Tighten them for everyone
else
- Optionally download windows 2000 resource toolkit and use the Win NT poledit program
(like Win98). Beware -- this may not work.
- create a new Group called "ChildGroup".
- create a new User called "Child" (keep it short to make login easier)
- Make "Child" a member of the group Users (Users is a standard low privilege NT
group) and the group "ChildGroup".
- Give the group "ChildGroup" special access to folders as needed to make
installations work.
- all children login as user "Child" and get the same settings for their startup
folder, desktop, etc. This reduces maintenance work. If children need different settings
then create a user identity for each child
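A simplified model of how an NTFS access check walks a folder's permission entries, added here as an example (not code from the original page or from Windows): it shows why a deny on ChildGroup restricts only the child, while the same deny on Everyone, or removing Everyone without adding anything back, shuts the administrator out as well. The "Admin" account name, the three-right model and the sample entries are constructed assumptions.

```python
# Simplified model of an NTFS access check (added example, not Windows code).
READ, WRITE, DELETE = "read", "write", "delete"
ALL = {READ, WRITE, DELETE}

# Constructed memberships using this page's account names; "Admin" is assumed.
TOKENS = {
    "Child": {"Child", "Users", "ChildGroup", "Everyone"},
    "Admin": {"Admin", "Administrators", "Everyone"},
}

def ace(kind, who, rights, inherited=False):
    return {"type": kind, "who": who, "rights": set(rights), "inherited": inherited}

def ordered(aces):
    # Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    return sorted(aces, key=lambda a: (a["inherited"], a["type"] != "deny"))

def access_check(user, aces, wanted):
    needed = set(wanted)
    for a in ordered(aces):
        if a["who"] not in TOKENS[user]:
            continue
        hit = needed & a["rights"]
        if a["type"] == "deny" and hit:
            return False          # a deny on a right still needed ends the check
        if a["type"] == "allow":
            needed -= hit
        if not needed:
            return True
    return False                  # no entry granted it: access is denied by default

def who_can(aces, wanted):
    return sorted(u for u in TOKENS if access_check(u, aces, wanted))

# Entries a games folder inherits from its parent (constructed).
INHERITED = [
    ace("allow", "Administrators", ALL, inherited=True),
    ace("allow", "Users", ALL, inherited=True),
]
# Intended restriction: explicit deny for the child group only.
GOOD = INHERITED + [ace("deny", "ChildGroup", {WRITE, DELETE})]
# The mistake: the same deny placed on Everyone also hits administrators.
LOCKOUT = INHERITED + [ace("deny", "Everyone", {WRITE, DELETE})]
# Removing Everyone and adding nothing back leaves an empty list.
EMPTY = []

if __name__ == "__main__":
    for name, acl in [("GOOD", GOOD), ("LOCKOUT", LOCKOUT), ("EMPTY", EMPTY)]:
        print(name, {r: who_can(acl, {r}) for r in sorted(ALL)})
```

Recovery from the two locked-out cases is the ownership change described under Things to Know.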
Optional advanced settings
I sometimes find I need to extend either User or Power User privileges in select ways
for certain directories. I've created a group called "PUExtended" (PowerUser
extended) and I give that group privileges for select directories as needed. Then I add
persons to that group as needed. So someone can be a member of both the basic Power User
group (that I don't mess with) and PUExtended. This way I can effectively create a group
that's between Power User and Administrator without messing with the Power User or
Administrator settings.
Windows 2000 and Games
Ok, this is unrelated to the page topic, but it's my web site and I need a place to put
these notes. If you're trying to secure a Win2K workstation for a child you probably need
to install games.
- DirectX based games generally work quite readily, though some don't change resolutions
well.
- EnTech Taiwan freely distributes MultiRes, a
50K utility that allows one to quickly change resolutions for old games that don't do this
themselves. It's akin to the Win 95/98 taskbar tool (see Windows 95 Power Tools, Quick
Res). To get the desired 256 color 640x480 option uncheck the XP option.
- HOWTO Obtain Microsoft WinG SDK and General Overview of WinG: WinG 1.0 (never went higher) is an
ancient Windows 3.1 bitmap management utility -- the DirectX of its day. It's needed by
some older children's software; but they may not install it correctly. Best to download
and install manually. Microsoft says it works with Windows NT, 95 and 98. It seems to work
well with Windows 2000 as well. You have to set permissions so your child can run it (Read
and Execute).
- QuickTime games seem to have a very rude installation routine. I'm still trying to get
those to work.
- If a shortcut displays as a blank icon to the Child user, but displays correctly to the
Administrator user, it has the wrong NTFS privileges. Check it out and add ChildGroup read
privileges.
Believe it or not, this is actually a fairly comprehensive collection of all materials
on this topic.
Windows 98
- Oct 2003: revised Win98 version, cleared some of the dead links.
- Feb 2002: added Windows 2000 notes
- July 28, 2001: initial version.
[1] Ahh, how I miss my 10 year old Macintosh, which
used unique file identifiers and indirection. You could move your application directories
without any problems. Too bad Windows XP can't do the same thing.
[2] I think the engineers who set this up expect
that the OS will eventually hide the details of partitions from applications, so several
partitions will be part of the C: drive. In fact one can map partitions to directories
with Windows 2000 and later, but I've been wary of doing it.
Author: John G. Faughnan. The
views and opinions expressed in this page are strictly those of the page author. Pages are
updated on an irregular schedule; suggestions/fixes are welcome but they may take weeks to
years to be incorporated. Anyone may freely link to anything on this site
and print any page; no permission is needed for citing, linking, printing, or
distributing printed copies.