Hello
I have win xp pro on stand-alone computer (PIII 733) with one
administrator and few limited accounts.If I want to prevent access to
some folder using administrator account I have to make this folder
private and then create account password that appear on welcome
screen.
1) If I made this folder private why should I encrypt it.If someone
can crack my password and log on as me, he can also read encrypted
folders.
2) Does windows has possibility to prevent access to folder  without
password on welcome screen.
3) If I forget administrator password and if I don't have password
reset disk created by windows, is there any way to log on on this
account.
4) Can user of limited account prevent access to his folders to
administrator.Can administrator  always remove other users passwords.
5) Is it possible to have some kind of limited account but with
possibility to install software.
6) If there are two administrator accounts can they prevent access to
folders from each other.
7) Is it better to use some other security software like DriveCrypt.
Can you recommend me some freeware or shareware software for 1GB as
well as 1MB folder size.
8) Can encryption damage data.
9) Is there any independent review of these software.
Regards
nikenn
ps would be great to have some links that confirm explanations

If you are using NTFS, then in safe mode you can set all sorts of
advanced folder and user settings. I'd go into more detail, but its
12:20 and I should go to bed.

1) Yes. Your accounts encryption key is linked to your accounts SID,
so logging on with an account allows you to read all data encrypted
with that accounts key.
Also, if the machine doesn't have key recovery turned off,
Administrator can also forcibly decrypt other users data.

2) Yes, but it's a bit tricky to rig up. You'll need to set the folder
permissions using the Administrator account, then set the default
login to a user with lower permissions.

3) In other words, 'Can I bypass the security?'. Yes, but it's not
easy. My standard method is to use a linux boot disk with NTFS read
support, use it to copy the c:\windows\repair\sam file off and run it
under a password cracking tool like john the ripper. Takes a while,
but it works.

See: http://www.ciac.org/ciac/bulletins/h-45.shtml . No, this has
still not been fixed.

4) No, not without third party encryption software. By definition,
Administrator is God and his desires override those of other users.
This same feature means that Administrator can always change other
users passwords.

5) Yes, assign those users to the "Power Users" group.

6) No, both accounts with administrator privs have the run of the
machine. Domain Admins on Active Directory networks can lock local
admins out of folders, but I suspect this is overkill for your
requirements.

7) This is very much a question of what you're looking to do.
Certainly, if you're looking to lock the Administrator account out of
a folder, third party software is the way to go. If you're just
looking to discourage casual snoopers, I think the encryption
facilities in 2000/XP are good enough. Still, it won't you to look at
PGP / GnuPG.

See : http://www.pgpi.org

8) No, as the whole point of encryption is to allow only you to read
back your data. If your data was damaged by the encryption software,
it would defeat the objective. I have heard that steganography (
hiding data inside other data ) can cause damage though.

9) I like to see what the cypherpunks on usenet's alt.sci.crypt have
to say about software. I believe one of DriveCrypt's developers hangs
out there.

Thank you evilscum.It seems to be too much for one researcher.
nikenn