Windows XP's per-user security settings are usually set manually or handled through Group Policies. Group Policy Objects (GPOs) are most useful in environments where many users are being managed; on a single system, it's less useful since you can make the changes just as easily by hand. In addition, GPOs don't work as well outside of a domain environment, and XP Professional can't apply policies selectively to specific users on its own.
To get around these limitations, programmer Doug Knox wrote a tool called the Windows XP Security Console. With it, an administrator can assign restrictions to specific users without having to deal with GPOs or set up a domain. It can also perform these changes without the administrator having to log in as the user in question, and the admin can create default security settings that the program can re-use and apply to other users in the future.
The program displays security settings for common functions such as Desktop, display options, Control Panel, IE's settings, Outlook Express/Messenger, Start Menu and Taskbar, generic system security tasks (i.e., disabling REGEDIT) and Explorer. The only setting that isn't user-specific is the "Disallow Shutdown without Logon" option (in System Security), which is machine-wide. The program also has a setting for which application images to explicitly allow; if you use this "Disallowed Applications" feature, keep in mind that it can only block application images that match a specific file and pathname; it can't block a copy of the image made with a different name.
The program is not free, but at $10 for a single home installation and $50 for a corporate install, the cost is low enough that even a small company can justify its purchase.
Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
More information from SearchWinSystems.com