Faughnan Home | Contact
Info | Site Contents | Search
Rev: 01 Nov 2004.
Since I first wrote this in early 2001 I've added machines running OS X, Windows 2000,
and Windows XP Pro, very recently I've built another Windows 98 machine strictly for
children's educational software and games (it has no net connection, so it's relatively
secure). Of all these machine OS X and Windows 98 have the most advanced childproofing
capabilities, but the implementation in Windows 98 (and Windows 95 before it) is very treacherous.
This page describes the Windows 98 implementation; there's a small section describing Windows 2000 childproofing, but Win2K and WinXP Pro really need
a network server to be made childproof.
In the mid-90s Microsoft tried to use a combination of User Profiles and System
Policies to make Windows 95 look a bit like a multi-user environment and to provide some
fragment of machine-level security. It didn't work very well even then, and it the
combination of IE and Active Desktop really broke Windows 98's security model. Even
advanced Windows texts rarely discuss these capabilities and web searches find few support
pages. Documentation is hidden in the Windows 98 Resource Kit on the Windows 98 CD-ROM.
Nowadays it's used mostly in schools and in computer retail stores.
There are a lot of problems with Microsoft's
Profiles/Policies hack. Window's applications were not written to run in a multi-user
environment. Microsoft broke the profiles/policies hack when they introduced IE 4/5 and
active desktop. The hack causes the system to constantly change registry settings, with a
likely increased risk of fatal registry corruption (regicide). There is a very high risk
that in trying this you will make your machine inoperable and, at best, you will have to
restore the registry by hand. Above all, the standard poledit implementation is for a
NETWORKED machine, not a standalone machine.
If your foolish enough to try this, this page may help you a bit -- or it may induce
disaster. Don't complain to me when your machine is a hopeless wreck and you lose
every single document you ever had resulting in loss of job, home, family, etc. If you
have suggestions, additions, corrections please email them, I'm unlikely however to be
able to answer requests for help.
Don't try this unless you know a LOT about Windows AND DOS, have a full system
backup, and know how to restore the registry from a DOS prompt. You should be sure to have
a working boot disk.
- If the floppy drive is available you can boot off it and bypass the profile settings.
You might choose to edit the profiles, for example.
- I think if you hold down the F8 key on startup you might get an option for DOS
prompt. (I'm not sure, my system is Dual-Boot and I just get the Win 2000 menu.) Note
however there may be a policy editor setting to block DOS booting.
- You can't block the creation of new users during logon (user enters a new name) unless
you have a server and validate users through the server. You also can't stop Ctrl-Alt-Del
- This functionality is not fully compatible with active desktop (active desktop, btw,
also breaks the unrelated screen saver hot spots). If you import the correct admin
templates there are settings for turning off the active desktop, but they don't remove the
menu option. If you isntall the advanced templates there's an option to remove
"folder options" setting from the Start menu, but it doesn't work on my system.
- Microsoft doesn't really support it; this is an old and creaky approach to security.
- Applications don't expect to run in this type of environment. In fact all applications
are installed for all users, the only limited control is the ability to reach and run the
applications. Very few applications actually handle user-specific settings properly.
- The underlying OS is a single-user security-free operating system (DOS).
- If you allow access to IE and want some semblance of security, you probably need the
IEAK (Good luck!) but you can do a fair bit with policy editor if you import the IE admin
- When using profile editor some changes take effect as soon as you log out, others
require rebooting. In general reboot to be sure your changes work as expected.
Things that should be user-specific but are shared
- All the settings for the "machine" (does this correspond to edits in the
system.dat registry file?) are shared by all users. They seem to apply BEFORE the login
- The system tray always loads and everyone gets the same tray except for items belonging
to the StartUp folder. You can't limit access to it to the system tray.
- The screen saver settings are very confusing, perhaps because active desktop controls
the screen saver on my machine and it's not fully compatible with policy editor. I can't
get a password protected screen saver setting to work fully for my default users. It's a
mess, and I suspect this is one of those area where active desktop has messed up policies.
- I think the SendTo options stay the same for everyone, but I think you might be able to
disable the context menu.
- Even though users have Start Up folders and Program folders they don't get used. This
may be a side-effect of specifying hard coded paths for the default user profile. If you
change wallpaper in a session your change is lost on logoff.
Networking and a few things that work
- if you've set up file and printers shares, these will be mounted and available after
login even if the user has very limited privileges
- Screen resolution settings are saved between users, so kinds can run at the resolution
of children's games.
- When you startup windows will require a login. I use the Microsoft Family Login, so you
get to select from a list of users. Passwords are required for the administrative user.
- Windows will then attempt to match (string comparison) the user name to a user defined
in policies. (Yes, it's that simple.)
- If Windows finds a match you get the privileges/restrictions and settings of that
policies. If there's no match you get the Default User profile settings.
Have a child machine that doesn't get trashed on a daily basis.
The Standard Approach is what most people seem
to use, but you can also test the Basic Approach
if you dare.
The key thing is that System Policy Editor does not normally work on a standalone or
workgroup machine. It needs a domain server. You need to carefully study Microsoft's
directions to enable on a standalone machine. Read the documents in the Links section for the references. (Basically, you need to
use the registry option of SPE to change "update" from network to manual, and
enter the path to your .pol file. Read the links section though for some critical
Backup up system, check your boot disk works, backup registry files,
On your Windows 98 CD, locate the Windows 98 resource kit. Run the setup
program, setup will copy parts of the Resource Kit to your drive and will install
documentation. Open the "tools management console" and look into the Online
Documentation folder for the "Resource Kit Tools Help". Read the documentation
on policy editor carefully. Note the additional obscure installation steps
required to install policy editor.
Read the documents in the Links
section; I'm not repeating what they say. Read my warnings! Po
I recommend enabling "Microsoft Family Logon", Windows 98 acts
a wee bit like Win XP home and you get to pick users. No need to worry about "new
users" being created on the fly when someone mistypes a username during logon.
I think you should create at least two users using the Users control
panel tool. One is the administrative user, the other the child user. Enable a password on
the administrative user. Don't use the "save space" option. Users will have a
folder in c:\windows\profiles. Some user setup
tips follow. See directions in Links, these are just
Create policies using the System Policy Editor (POLEDIT). Follow the
directions in Links to enable POLEDIT to run on a
standalone machine and then setup your policies. The user names in the policy editor must
match the usernames defined above. NOTE:
- Microsoft's directions for running standalone don't tell you that you need to uncheck
the computer policy "Require validation by network ...". If you leave this
checked you're hosed; when you restart your machine will attempt to log into a domain and
you'll be unable to continue. (Boot from floppy, replace, registry, etc.)
- I had trouble when I used a long path name to my policy file, I'd keep the path short
and on the C: drive.
- I started out using the pol template that is installed with policy editor and then
- In Windows 98 the default policy editor seems to be missing some important
controls. That's because you need to add a lot of administrative "templates" to
get more control. I added several .ADM files, which in my machine were located in c:\windows\inf: common.adm, Shellm.adm, Windows.adm,
- I think for most purposes you can create only one user in policy (not to be confused
with the user you created above, but the names must match). Create the admin
user first (my example, since I created a profile called admin) with maximal privilges,
read directions in Links. Restart and make sure admin
works. (I think if you create admin after you revise the default user settings admin
starts out with the default user settings.)
- Set the default user policy settings. Read directions in Links. In my case I do not want the machine shut down by
anyone but me, so the default user can't shut down. Don't turn off running programs
or you may get startup errors, for example hpfsched errors occur because WIN.INI is trying
to run an application used by my HP DeskJet printer.
- I had to set the wallpaper in the policies, it didn't remember my admin settings.
- I think there's some sort of inheritance of settings, so if buttons are gray they
inherit the settings from Default User.
I've never tested this, but I think it would work. If you don't want to bother with
setting up multiple users, and you are protecting a system no-one else uses from a naive
user (typical child < 10 yo), you could try this experiment (if your system blows up
when you do this let me know and I'll note your experience here).
Note that this takes advantage of the behavior that the default user
policy applies if the user name does not match any profile.
- follow the directions for standalone use of policy editor (see Standard Approach)
- copy the policy file (.pol) that comes with policy editor. Call one (for example)
admin.pol, another (for example), standard.pol.
- Edit the default user (don't create any other user) in each so that
admin.pol has all privileges and standard.pol is restricted.
- The last one you use in policy editor applies, so restart with standard.pol. If you need
to do work on the system use policy editor to make admin.pol active. You could rename
poledit.exe for slightly more security, but for this use that's probably unnecessary.
I thought the policies configuration for Windows 98 was tricky, but it's many times
worse for Windows 2000. Make a mistake here and your data is toast. For
example: you can set things up so NO-ONE has privileges to read/write a file. You may just
be hosed at that point.
The techniques here are a mixture of access control (security) using NTFS and Windows
2000 local policies (local version of Active Directory). Nothing about this is well
documented anywhere -- try, for example, to learn what rights the "special
groups" have. For that matter, what does "everyone" really mean? The
inheritance and ownership behaviors of NTFS access settings are a wonder to behold; a
Check out the Windows 2000 links (below).
Things to Know
- Microsoft really intends that everything is on one drive (C:) and that all of your
personal files are in your Documents and Settings folder .
Oddly enough OS/2 wanted to do the same thing many years ago. I think it's a bad idea, but
as you struggle along you find out more and more that that's the way Microsoft wants
life to be.
- You'd better have done a fully clean install and disk format with NTFS to have any hope
of things working as designed. No NT upgrades please!
- You need to organize all your directories with an eye to access privileges. Forget how
you've organized directories in the past. Things work best if shared applications go in
one folder and unshared applications in another. Of course once you do this you can't
change anything, since moving Windows application files breaks applications! 
- As well as privileges one can used advanced settings to change ownership for folders or
files. If you can't change security settings on something, even though you're an
administrator, then go and change ownership first. You need to change ownership to the
administrator group, close and then re-open properties.
- Remember that if one one checks "modify" privileges then things cannot be
deleted but directory contents can be browsed.
- I think if you remove "Everyone" you may want to add SYSTEM as well as
administrator to a folder
- I have no idea what the NETWORK group means.
- Even if a user has access to a directory, if they lack access to the parent directory
they cannot browse it and possibly cannot run programs in it. I think that you have to
plan your directory tree based on the access privileges you intend to give people. Take
advantage of the NTFS inheritance and group folders so as to minimize the need to alter
- Inheritance is by user/group matching -- if you add a user they inherit based on the
parent. If the checkboxes are greyed inheritance is working, if they're not delete the
user (beware deleting so many users you can't do anything!); often the user stays but the
boxes are greyed correctly. (One is thus deleting overlayed privileges, not the user).
Some Odd NTFS behaviors
- Sometimes I have to remove inheritance then restore it to make things work.
- Access rules set on parent directories should be inherited. To make that happen check
the 'inherit from parent'. Sometimes one must uncheck and then check. Click on groups and
members and "remove" them until you get a message saying the group/member cannot
be removed (all its checkboxes will be gray).
Possible Techniques and Some Tips
- The basic technique careful restriction of access rights. For example, assign children
to a new group called child and deny privileges on certain folders for that group (see Recommended NTFS configuration for Windows 2000).
- You can also assign local policies to all users. Go to the command line and type mmc.
You get a console to which you can add components, such as Group Policy editor. If you add
this on a standalone workstation you get some local policy editing. Then either:
- use the apply policy checkbox in the snap-in control to turn them off as needed.
- use a trick whereby one exempts administrators from read privilegs on the folder where
policies are stored -- so they won't apply to the administrator. Tighten them for eveyone
- Optionally download windows 2000 resource toolkit and use the Win NT poledit program
(like Win98). Beware -- this may not work.
- create a new Group called "ChildGroup".
- create a new User called "Child" (keep it short to make login easier)
- Make "Child" a member of the group Users (Users is a standard low privilege NT
group) and the group "ChildGroup".
- Give the group "ChildGroup" special access to folders as needed to make
- all children login as user "Child" and get the same settings for their startup
folder, desktop, etc. This reduces maintenance work. If children need different settings
then create a user identity for each child
Optional advanced settings
I sometimes find I need to extend either User or Power User privileges in select ways
for certain directories. I've created a group called "PUExtended" (PowerUser
extended) and I give that group privileges for select directories as needed. Then I add
persons to that group as needed. So someone can be a member of both the basic Power User
group (that I don't mess with) and PUExtended. This way I can effectively create a group
that's between Power User and Administrator without messing with the Power User or
Windows 2000 and Games
Ok, this is unrelated to the page topic, but it's my web site and I need a place to put
these notes. If you're trying to secure a Win2K workstation for a child you probably need
to install games.
- DirectX based games generally work quite readily, though some don't change resolutions
- EnTech Taiwan freely distibutes MultiRes, a
50K utility that allows one to quickly change resolutions for old games that don't do this
themselves. It's akin to the Win 95/98 taskbar tool (see Windows 95 Power Tools, Quick
Res). To get the desired 256 color 640x480 option uncheck the XP option.
- HOWTO Obtain
Microsoft WinG SDK and General Overview of WinG: WinG 1.0 (never went higher) is an
ancient Windows 3.1 bitmap management utility -- the DirectX of its day. It's needed by
some older children's software; but they may not install it correctly. Best to download
and install manually. Microsoft says it works with Windows NT, 95 and 98. It seems to work
well with Windows 2000 as well. You have to set permissions so your child can run it (Read
- QuickTime games seem to have a very rude installation routine. I'm still trying to get
those to work.
- If a shortcut displays as a blank icon to the Child user, but displays correctly to the
Administrator user, it has the wrong NTFS privileges. Check it out and add ChildGroup read
Believe it or not, this is actually a fairly comprehensive collection of all materials
on this topic.
- Oct 2003: revised Win98 version, cleared some of the dead links.
- Feb 2002: added Windows 2000 notes
- July 28, 2001: initial version.
||Ahh, how I miss my 10 year old Macintosh, which
used unique file identifiers and indirection. You could move your application directories
without any problems. Too bad Windows XP can't do the same thing.
||I think the engineers who set this up expect
that the OS will eventually hide the details of partitions from applications, so several
partitions will be part of the C: drive. In fact one can map partitions to directories
with Windows 2000 and later, but I've been wary of doing it.
Metadata - Keywords
Since Google does not use indexing information stored in meta tags, I've
reproduced some of the meta tags here to facilitate indexing.
<meta name="author" content="John
windows 95,windows 98,network,user profiles,user policies,security,access
content="Feeling bored? Want to destroy your system?
Try using user profiles on policy editor on your standalone Windows 98 machine. Good luck!">
Author: John G. Faughnan. The
views and opinions expressed in this page are strictly those of the page author. Pages are
updated on an irregular schedule; suggestions/fixes are welcome but they may take weeks to
years to be incorporated. Anyone may freely link to anything on this site
and print any page; no permission is needed for citing, linking, printing, or
distributing printed copies.