Creating Separate Users

[radmanhs]

This has probably been covered a million times, but articles are rather confusing on what their tutorials allow.  I'm just trying to set up my pc so I have my regular admin and a separate user account with limited access.  I want him to be able to install programs, but not see any of the stuff I have on my admin account.  When I made the guest account all my programs were immediately available to that account, along with all files.  I was able to go and limit access to some folders, but I feels there's a better way to block stuff.

 

So in the end I want to create a separate account that can't access my folders, programs, or system files.  However have some dedicated space for himself to download and run a few programs.  I will be remote accessing my admin account with something like teamviewer and he will work on his stuff locally.  How do I get this properly configured.

[Electronics Wizardy]

what files did the other user have access to? It shouldn't have access to your home folder.

 

They should have access to their home folder.

 

This should work this way by default.

[vanished]

It's perhaps a bit overkill but you could make a separate partition for your files and encrypt it with bitlocker.  Windows permissions don't exactly have a great rep for being easy to work with or reliable, both within the OS, and because anyone could just boot a linux USB and read all your stuff anyway if they wanted.

[radmanhs]

1 hour ago, Electronics Wizardy said:

what files did the other user have access to? It shouldn't have access to your home folder.

 

They should have access to their home folder.

 

This should work this way by default.

When I log into the sub user, other than the folder I restricted, I was able to browse my C Drive like normal and could see and open everything like I could as an admin 

[vanished]

1 hour ago, radmanhs said:

When I log into the sub user, other than the folder I restricted, I was able to browse my C Drive like normal and could see and open everything like I could as an admin 

But could you change any of it?  I believe that's what needs admin access, so the secondary account shouldn't be able to do that.  Reading system files is harmless so that shouldn't be an issue.

[Electronics Wizardy]

11 hours ago, radmanhs said:

When I log into the sub user, other than the folder I restricted, I was able to browse my C Drive like normal and could see and open everything like I could as an admin 

Thats normal. ALl users have read permissions to folders like windows and programs files.

 

Can they access other users files?

[homeap5]

Add "deny" for listing selected folders for specific user and allow separate folder only for him. You can also add deny for execute selected programs for user. You have lot of options.

[Kilrah]

The only place you're "supposed" to have personal documents is c:\Users\yourname, and other accounts have no permissions at all on it, they can't open the folder.

 

They have read permissions on the rest of the system, but not write. That's fine since no personal data is supposed to be there.

[homeap5]

8 hours ago, Kilrah said:

The only place you're "supposed" to have personal documents is c:\Users\yourname, and other accounts have no permissions at all on it, they can't open the folder.

 

They have read permissions on the rest of the system, but not write. That's fine since no personal data is supposed to be there.

Really? But OP asks for block read permissions, so your answer has no sense. And what about second drive?

 

Permissions are set auto for user directory, but you can set them for any folder if you want. So settings proper permissions is the right method to solve OP problem.

[Kilrah]

I am explaining that what he sees is normal and describing the default behavior. 

Yes you can then go adjust things further, but it also doesn't make sense to start going to change perms on system folders. So gotta make clear that it's only where he actually put personal files that it makes sense changing them.

[homeap5]

2 hours ago, Kilrah said:

I am explaining that what he sees is normal and describing the default behavior. 

Yes you can then go adjust things further, but it also doesn't make sense to start going to change perms on system folders. So gotta make clear that it's only where he actually put personal files that it makes sense changing them.

I am not talking of changing permissions, I'm talking about adding permissions, additional ones that prevents folders from listing or files being executed by specific user. You don't need to have administrator account to access Program Files directory and run any program you want. And that is what OP wants to prevent if I good understand. Places where users can save their personal files are known. Is no need to explain that.

[Kilrah]

OP figured that out in the first post - they were asking if there was another simpler solution.

AFAIK there isn't, because the way basically every multi-user system works is that while application data is stored per user the applications themselves are common to all users and available to all so it's not something common to want to do. 

There are some convoluted ways to restrict some but it's pretty painful: https://www.howtogeek.com/howto/8739/restrict-users-to-run-only-specified-programs-in-windows-7/

 

Maybe there are third party tools to manage that more easily.

[homeap5]

I can do it in 5 minutes using only system. All you need is add permissions to whole directory and everything inside that prevents to execute programs. Windows and ntfs is really good in that.