Hello all. I've got a rather difficult issue that I'm helping a colleague deal with. He's a recovering porn addict and we're trying to use a program called X3 Watch (http://www.download.com/X3watch/3000-2381_4-10642308.html?tag=lst-0-2) to help him stay accountable to what he views on-line. Our problem is it's too easy for him to turn the software off using Windows Task Manager. I know, I know - if he wanted to get over his addiction he wouldn't turn Task Manager off - but that's the nature of addiction - he can't control it.

I've spoken with him and his wife and he's agreed to allow her to have the administrative privileges on his computers. So we would set him up as a user account and the administrative account would be under her control. Now...I see two possible issues. One, how do we stop Task Manager from coming up with Ctrl-Alt-Del on his user account? Basically to contain his access to shutting the program down. Two, how do we control his ability to edit what programs startup with the System Configuration Utility? And I suppose three - is there any other way he could shut down a program that runs in resident at system startup and how do we stop him from doing so?

I'm no IT guru - but I can certainly follow directions. I know here at MSU we can limit users of university computers in this way, but how do I go about doing this? I'd ask one of the IT guys here, but I don't need others around here to know of my colleague's addiction.

TIA.

Using XP Home I'm not sure you can "fine tune" this much, however if you have XP Pro on the machine you can probably control all of these settings using the Local Machine Policy Editor (Start > Run > secpol.msc).

You will need to be an Admin to run it, but it allows you to basically configure every setting on the computer with respect to what users can do what.

I believe he does have WinXP Home on his laptop (I know he has Pro on his desktop system at work and at home).

Anything I can do with XP Home?

X3Watch is a free program that send messages to an email account. Since a server based system is not being used they will need to buy a program like Lock My Computer. http://www.softpedia.com/get/Security/Lockdown/Lock-MyComputer.shtml

The Admin should be able to set everything up so that the husband has limited access to certain programs. Then I would suggest a porn blocker like Net Nanny. http://www.netnanny.com/features/porn-blocker/detail/technical With the windows locker he would not be able to turn off netnanny. I guess it just depends on how serious he is.

I did find a program that will allow XP Home to have the same permissions set as XP Pro - it's from www.xphometools.com/ and is called Permissions Manager. I'm wondering if this will work - ie...not allow him to terminate a running program.

And we've thought about programs like NetNanny but this is all about accountability, not blocking sites. Granted, an addiction sometimes requires taking something away completely, but we'd rather do this is stages.

I would never recommend a 3rd party s/w that imposes such user limits, that is if you can sit through some registry editing yourself. The truth is that pretty much every security policy on XP Pro is settable on XP Home through a simple registry edit (more often than not the policy editors are quick, and useful, front ends to registry edits).
You can do stuff like:
Prevent access to task manager:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
and create a DWORD: DisableTaskMgr = 1

Keep in mind that dropping a user down to a limited user will also remove the ability of the user to play around with msconfig and the registry editor. Also, a reminder to, of course, password protect the Administrator account.

Other stuff I thought might be helpful...

To remove drag & drop from the Start Menu (moving programs away from the Startup folder)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
and create a DWORD: NoChangeStartMenu = 1

There are other things you can do that are in the gpeditor for XP Pro but can be done on Home:
To remove Add/Remove Programs programs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
and create a DWORD: NoAddRemovePrograms = 1

Prevent access to the command prompt
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
and create a DWORD DisableCMD = 1
(1 disables script processing and 2 enables script processing)

To remove access to the registry tools
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
and create a DWORD: DisableRegistryTools = 1

There are a ton of options you can use to play around with, a lot of registry values can be tweaked for the browser and network settings especially if the person is using IE (recommended in this case, since it's so tightly wound up with the OS .. Firefox doesn't quite play by XP's rules). If you need more registry values post back.

I can't stress enough about my lack of faith in most 3rd party registry locking & related tools to do the things that the OS does natively. I'd sooner shell out $ for XP Pro than I would for such tools.

Addendum: all of these are keys in the current_user realm. A quick way to do it is to change the user's account to Admin rights and log into it. Then use regedit to enter these values. Reboot & login to the wife's admin account and then drop down the other account to limited user. Login to the locked down user account and check effectiveness.

You might want to check out this free utility. (http://www.dougknox.com/xp/utils/xp_securityconsole.htm) It does the changes that Statica listed with a simple checkbox. It has a small footprint and is easy to use. The licensed version ($10 for home license) allows you to load another user's profile without logging into that account among other features not available in the free version.

e.n. :)

Statica, el_novato - thanks a ton!

Here, here. Thanks Statica. Those went saved in a file with my other diagnostic stuff.



Sonic---

That computer you and a few moderators guided me on for Pro Tools (back at the first of the year) is a real dream. Runs great. I'm glad I listened to you guys.

Thanks again,

-Kev

Here, here. Thanks Statica. Those went saved in a file with my other diagnostic stuff.



Sonic---

That computer you and a few moderators guided me on for Pro Tools (back at the first of the year) is a real dream. Runs great. I'm glad I listened to you guys.

Thanks again,

-Kev
Glad it's working well for you.

In searching "help" for information to limit users ability to get on the internet I found this thread. Let me tell you what we want to do. In our clubhouse we have a computer running XP. It is connected to the internet. We want to have three users. One the "Administrator", one called "guest one", and one called "guest two". The administrator would be the only one who could add programs. Guest one could use all programs already installed on the computer and also get on the internet. Guest two could do all that guest one can do, expect get on the internet.
Both "el novato" and "statica" seens to have a way to do this. SonicVanguard did you try either way and if so which one? Also did it work? Anyone out there with another idea how to do this?
Thanks ahead of time for your help!!!

I realize it's been 10 days since your post old dog 2, but in case you are still checking back:

This guide (http://www.pctools.com/guides/registry/detail/1288/) should give you what you are looking for. It involves editing the registry, so please make sure you back up the registry before modifying it. These tweaks apply only to the account that you do not want accessing the Internet.

HTH

e.n. :)

Thanks will check it out.

I hit the wrong button, sorry.