radioguy-ga:
I feel your pain... invariably, at least once every couple of months,
I find myself going through the ritual of reinstalling Windows 2000
from scratch on someone's machine, due to downloaded software gone
awry.
I'd like to say that there are simple answers to your questions, but
due to the complexity of Windows 2000, "simple" is a difficult
request! I will do my best, though, and am more than happy to provide
clarifications as required. Also, this Answer is a long one, so please
consider cutting and pasting it into a text document and printing it
out for easy reference.
First, there are some general points that I should cover. As you
already know, Windows 2000 carries on the security and user
administration capabilities of Windows NT. This means that for every
resource on the computer (folders, programs, devices), it is possible
to specify which users have the right to access it, and what they are
allowed to do with it.
For files and folders, restricting access requires that the hard drive
be formatted with the NTFS file system. This NT File System includes
security parameters for every file and folder. In contrast, the FAT32
file system used by Windows 98 does not allow for security parameters.
Therefore, it is not normally possible for the FAT32 file system to
restrict access based on user rights. Many people regard NTFS as the
superior file system due to its inherent security controls, while
others find it a nuisance since it requires a lot more work to make it
work right (as you are finding out!).
By default, for safety's sake, several resources are automatically
restricted to users who are given the status of Local Administrator
(including the "administrator" account). An important example of this
is the right to make changes in the system directory where Windows
2000 stores its own files; in other words, the C:\WINNT folder (in
this example, your "system" drive is C:, and the "system" folder is
"WINNT"... your actual situation is probably the same). What this
means is that only a Local Administrator has the right to add, modify,
or delete files in C:\WINNT and its sub-directories.
Unfortunately, although Microsoft has been trying for the past four
years to educate the developer community on what constitutes a truly
Windows 2000 compliant program, not all developers listen. One common
error they make is attempting to store files such as INI files
(program settings) and DLL files (dynamic link libraries... basically,
files that contain all of the actual functions that the software needs
to interact with other components in your computer). Normally, if a
user who does not have admin rights attempts to install such a
program, the installation program will encounter an error, and exit
without installing the program.
However, even if the program is successfully installed by a Local
Administrator, it does not guarantee that all users will be able to
use it. If the program has stored an INI file in C:\WINNT or its
subdirectories, by default a non-admin user will not be able to modify
the INI file. This will cause the program to crash with an error.
Again, note that this is true only if the file system is NTFS.
The same problem applies to the C:\PROGRAM FILES folder and its
subdirectories. By default, when a program is installed by a Local
Administrator in the PROGRAM FILES folder, the created folder and its
subfolders inherit the permissions of the C:\PROGRAM FILES folder
itself. Again, for safety's sake, these permissions deny
non-administrative users from modifying the contents of the PROGRAM
FILES folders.
I hope that you have been able to follow along with my explanation so
far. The problems you are facing are due to the default security
permission settings. So, to fix your current problems, please do the
following.
We will start with Winamp3. Winamp is generally a well-behaved,
Windows 2000 compliant program. Except for one little problem... it
stores its settings within its program folder. So, what you will need
to do is open a Windows NT Explorer window while logged in as a Local
Administrator, locate the folder where Winamp3 is installed (most
likely C:\Program Files\Winamp3), and right-click on the folder name
and select its Properties. On the Properties dialog, you should see a
Security tab (this is only present if your file system is NTFS... and
if it isn't, then you shouldn't be encountering all of these
problems). On the Security Tab, you should see a list of different
user groups. Select the "Users" group, and you will see the
permissions for that group. Most likely, the default permissions are
"Read/Execute", "List Folder Contents", and "Read". They may also be
greyed out. Please check the "Modify" checkbox (under Allow), to allow
Users to modify files in this folder. Confirm that the "Allow
inheritable permissions..." checkbox is checked; this will
automatically update all of the files in the folder to include the new
permissions. At this point, Winamp3 should work for non-admin users
(unless something else is different about your Winamp3 installation).
Repeat the same process for the other programs in your list. Note that
the reason Winzip 8.1 will not extract to folders created by the
administrator is most likely because those folders do not have write
access for non-admin users.
After you have opened up access to the Program Files folders for these
programs, there is one more thing you will need to do. Unfortunately,
it is quite arduous. You will need to check for files being stored in
the WINNT folder (or its subdirectories) that are used by these
programs every time they run.
The easiest way to do this is to follow the following procedure, for
each program:
1. As the Local Administrator, run the program, and use it for
whatever it is intended (i.e. for Winamp3, play some music... for Easy
CD Creator 5, prepare files for burning to a CD, you should not need
to burn one though).
2. Close the program, then quickly look at and record the current
system time.
3. Open a Windows NT Explorer window, and navigate to C:\WINNT.
4. Using the Search function, search for any file in the C:\WINNT
folder with a Last Modified date of today (i.e. the actual date you are
doing this procedure on).
5. As the search returns results, look at the Last Modified time to
identify files that were last modified while you were using the
program.
6. Right-click on each file, select Properties, select the Security
tab, select the Users group, and add "Modify" to the permissions.
As I said, this is an arduous task. Please note that this is actually
why corporations pay big bucks for qualified IT technicians to prepare
and torture test a standard base image of Windows and all of the
necessary applications that a user will need to do their job, before
deploying that standard base image across a company. You do not even
want to imagine having to do this tweaking on every single computer in
a company!
At this point, let me summarize what parts of your Question I have
responded to. The preceding paragraphs describe how to fix the
immediate problems you are facing with the programs you listed. I also
infer from your question that you would like to know how to keep your
kids from being able to install programs they download off the
Internet. For the most part, the very same default security settings I
described above, will prevent members of the User group from
installing programs that need to place parts of themselves into the
PROGRAM FILES or WINNT folders. Some programs, however, do not try to
install themselves into these folders. Power Users can install
programs into the folders. For most of your worries, simply placing
your kids into the User group instead of any other group will prevent
them from installing most downloaded programs.
There will always be dangerous programs approaching your computer,
especially if your family uses Kazaa Lite K++. I strongly urge you to
acquire a good anti-virus program with automatic virus signature
updates, to try to prevent these programs from running and infecting
your computer. A good (and free) one is from Grisoft, and is called
AVG Anti-Virus. You can read more about it at
http://www.grisoft.com/us/us_dwnl_free.php and you can also download
it from there.
I also strongly urge you to install and use a firewall program. My
recommendation is ZoneAlarm, which you can download (free for personal
use) at http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp .
Finally, please scan your computer for dangerous spyware using
Ad-Aware, by Lavasoft. Visit http://www.lavasoft.de/software/adaware/
for more information. Spyware is often the cause of problems on your
computer, primarily because neither you nor your other software expect
the spyware to be there in the first place.
I hope that all of this is of value to you. I repeat my offer to
provide clarification if any of this is unclear.
Thanks, and best of luck!
Regards,
aht-ga
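
The search-by-modified-time procedure in the answer above can be scripted; the following is an added example, not part of the original answer. It lists files changed inside a time window and prints per-file `cacls` grants for the Users group, holding back code files (DLL, EXE and similar) for manual review because a user-writable binary in the system folder can be replaced by any user. The extension list, function names and sample file names are assumptions of this example.

```python
import os
import tempfile
import time

# Extensions treated as code rather than settings (an assumption of this example).
CODE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".drv", ".com", ".scr"}


def files_modified_between(root, start, end):
    """Return paths under root whose last-modified time lies in [start, end]."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if start <= mtime <= end:
                hits.append(path)
    return sorted(hits)


def plan_grants(paths, group="Users"):
    """Split hits into cacls commands (data files) and code files kept for review."""
    commands, review = [], []
    for path in paths:
        ext = os.path.splitext(path)[1].lower()
        if ext in CODE_EXTENSIONS:
            review.append(path)  # do not open binaries to non-admin writes
        else:
            # /E edits the existing ACL; /G group:C grants Change (modify).
            commands.append('cacls "{}" /E /G {}:C'.format(path, group))
    return commands, review


def demo():
    """Build a constructed sample tree standing in for the Windows folder."""
    with tempfile.TemporaryDirectory() as root:
        now = time.time()
        samples = {"sampleapp.ini": now - 60, "sampleapp.dll": now - 90,
                   "old.ini": now - 86400}
        for name, mtime in samples.items():
            path = os.path.join(root, name)
            open(path, "w").close()
            os.utime(path, (mtime, mtime))  # backdate to simulate earlier writes
        hits = files_modified_between(root, now - 300, now)
        commands, review = plan_grants(hits)
        return [os.path.basename(p) for p in hits], commands, review
```

On a real machine, call `files_modified_between` with the system folder and the start and end times recorded while the program was in use, then run the printed commands as a Local Administrator.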