Faughnan Home | Contact Info | Site Contents | Search

Securing (sort of) a Windows 98 Standalone Workstation with User Profiles and System Policies

  • Introduction
  • Limitations and Problems
  • How it Works (if it works!)
  • Why Bother?
  • How To
  • Windows 2000
  • Links
  • History
  • Footnotes
  • Rev: 01 Nov 2004.


    Since I first wrote this in early 2001 I've added machines running OS X, Windows 2000, and Windows XP Pro, very recently I've built another Windows 98 machine strictly for children's educational software and games (it has no net connection, so it's relatively secure). Of all these machine OS X and Windows 98 have the most advanced childproofing capabilities, but the implementation in Windows 98 (and Windows 95 before it) is very treacherous. This page describes the Windows 98 implementation; there's a small section describing Windows 2000 childproofing, but Win2K and WinXP Pro really need a network server to be made childproof.

    In the mid-90s Microsoft tried to use a combination of User Profiles and System Policies to make Windows 95 look a bit like a multi-user environment and to provide some fragment of machine-level security. It didn't work very well even then, and it the combination of IE and Active Desktop really broke Windows 98's security model. Even advanced Windows texts rarely discuss these capabilities and web searches find few support pages. Documentation is hidden in the Windows 98 Resource Kit on the Windows 98 CD-ROM. Nowadays it's used mostly in schools and in computer retail stores.

    There are a lot of problems with Microsoft's Profiles/Policies hack. Window's applications were not written to run in a multi-user environment. Microsoft broke the profiles/policies hack when they introduced IE 4/5 and active desktop. The hack causes the system to constantly change registry settings, with a likely increased risk of fatal registry corruption (regicide). There is a very high risk that in trying this you will make your machine inoperable and, at best, you will have to restore the registry by hand. Above all, the standard poledit implementation is for a NETWORKED machine, not a standalone machine.

    If your foolish enough to try this, this page may help you a bit -- or it may induce disaster. Don't complain to me when your machine is a hopeless wreck and you lose every single document you ever had resulting in loss of job, home, family, etc. If you have suggestions, additions, corrections please email them, I'm unlikely however to be able to answer requests for help.

    Don't try this unless you know a LOT about Windows AND DOS, have a full system backup, and know how to restore the registry from a DOS prompt. You should be sure to have a working boot disk.

    Limitations and Problems


    Things that should be user-specific but are shared

    Networking and a few things that work

    How it Works (if it works!)

    1. When you startup windows will require a login. I use the Microsoft Family Login, so you get to select from a list of users. Passwords are required for the administrative user.
    2. Windows will then attempt to match (string comparison) the user name to a user defined in policies. (Yes, it's that simple.)
    3. If Windows finds a match you get the privileges/restrictions and settings of that policies. If there's no match you get the Default User profile settings.

    Why Bother?

    Have a child machine that doesn't get trashed on a daily basis.

    How To

    The Standard Approach is what most people seem to use, but you can also test the Basic Approach if you dare.

    Standard Approach

    The key thing is that System Policy Editor does not normally work on a standalone or workgroup machine. It needs a domain server. You need to carefully study Microsoft's directions to enable on a standalone machine. Read the documents in the Links section for the references. (Basically, you need to use the registry option of SPE to change "update" from network to manual, and enter the path to your .pol file. Read the links section though for some critical warnings!)

    1. Backup up system, check your boot disk works, backup registry files, etc. Pray.

    2. On your Windows 98 CD, locate the Windows 98 resource kit. Run the setup program, setup will copy parts of the Resource Kit to your drive and will install documentation. Open the "tools management console" and look into the Online Documentation folder for the "Resource Kit Tools Help". Read the documentation on policy editor carefully. Note the additional obscure installation steps required to install policy editor.

    3. Read the documents in the Links section; I'm not repeating what they say. Read my warnings! Po

    4. I recommend enabling "Microsoft Family Logon", Windows 98 acts a wee bit like Win XP home and you get to pick users. No need to worry about "new users" being created on the fly when someone mistypes a username during logon.

    5. I think you should create at least two users using the Users control panel tool. One is the administrative user, the other the child user. Enable a password on the administrative user. Don't use the "save space" option. Users will have a folder in c:\windows\profiles. Some user setup tips follow. See directions in Links, these are just comments:

    6. Create policies using the System Policy Editor (POLEDIT). Follow the directions in Links to enable POLEDIT to run on a standalone machine and then setup your policies. The user names in the policy editor must match the usernames defined above. NOTE:

    Basic Approach

    I've never tested this, but I think it would work. If you don't want to bother with setting up multiple users, and you are protecting a system no-one else uses from a naive user (typical child < 10 yo), you could try this experiment (if your system blows up when you do this let me know and I'll note your experience here).

    Note that this takes advantage of the behavior that the default user policy applies if the user name does not match any profile.

    1. follow the directions for standalone use of policy editor (see Standard Approach)
    2. copy the policy file (.pol) that comes with policy editor. Call one (for example) admin.pol, another (for example), standard.pol.
    3. Edit the default user (don't create any other user) in each so that admin.pol has all privileges and standard.pol is restricted.
    4. The last one you use in policy editor applies, so restart with standard.pol. If you need to do work on the system use policy editor to make admin.pol active. You could rename poledit.exe for slightly more security, but for this use that's probably unnecessary.

    Windows 2000

    I thought the policies configuration for Windows 98 was tricky, but it's many times worse for Windows 2000. Make a mistake here and your data is toast. For example: you can set things up so NO-ONE has privileges to read/write a file. You may just be hosed at that point.

    The techniques here are a mixture of access control (security) using NTFS and Windows 2000 local policies (local version of Active Directory). Nothing about this is well documented anywhere -- try, for example, to learn what rights the "special groups" have. For that matter, what does "everyone" really mean? The inheritance and ownership behaviors of NTFS access settings are a wonder to behold; a transcendental mess.

    Check out the Windows 2000 links (below).

    Things to Know

    Some Odd NTFS behaviors

    Possible Techniques and Some Tips

    Recommended NTFS configuration for Windows 2000

    1. create a new Group called "ChildGroup".
    2. create a new User called "Child" (keep it short to make login easier)
    3. Make "Child" a member of the group Users (Users is a standard low privilege NT group) and the group "ChildGroup".
    4. Give the group "ChildGroup" special access to folders as needed to make installations work.
    5. all children login as user "Child" and get the same settings for their startup folder, desktop, etc. This reduces maintenance work. If children need different settings then create a user identity for each child

    Optional advanced settings

    I sometimes find I need to extend either User or Power User privileges in select ways for certain directories. I've created a group called "PUExtended" (PowerUser extended) and I give that group privileges for select directories as needed. Then I add persons to that group as needed. So someone can be a member of both the basic Power User group (that I don't mess with) and PUExtended. This way I can effectively create a group that's between Power User and Administrator without messing with the Power User or Administrator settings.

    Windows 2000 and Games

    Ok, this is unrelated to the page topic, but it's my web site and I need a place to put these notes. If you're trying to secure a Win2K workstation for a child you probably need to install games.


    Believe it or not, this is actually a fairly comprehensive collection of all materials on this topic.

    Windows 98

    Windows 2000



    [1] Ahh, how I miss my 10 year old Macintosh, which used unique file identifiers and indirection. You could move your application directories without any problems. Too bad Windows XP can't do the same thing.
    [2] I think the engineers who set this up expect that the OS will eventually hide the details of partitions from applications, so several partitions will be part of the C: drive. In fact one can map partitions to directories with Windows 2000 and later, but I've been wary of doing it.

    Metadata - Keywords

    Since Google does not use indexing information stored in meta tags, I've reproduced some of the meta tags here to facilitate indexing.

    <meta name="author" content="John G. Faughnan">
    <meta name="keywords" content="jfaughnan,jgfaughnan,.en-us,.us,english, windows 95,windows 98,network,user profiles,user policies,security,access control,poledit,policy editor">
    <meta name="description" content="Feeling bored? Want to destroy your system? Try using user profiles on policy editor on your standalone Windows 98 machine. Good luck!">
    <meta name="distribution" content="global">
    <meta name="resource-type" content="document">

    Author: John G. Faughnan.  The views and opinions expressed in this page are strictly those of the page author. Pages are updated on an irregular schedule; suggestions/fixes are welcome but they may take weeks to years to be incorporated. Anyone may freely link to anything on this site and print any page; no permission is needed for citing, linking,  printing, or distributing printed copies.