How-To Geek

The Best Ways to Lock Down Your Multi-User Computer

Whether you’re sharing a computer with other family members or friends at home, or securing computers in a corporate environment, there may be many reasons why you need to protect the programs, data, and settings on the computers.

This article presents multiple ways of locking down a Windows 7 computer, depending on the type of usage being employed by the users. You may need to use a combination of several of the following methods to protect your programs, data, and settings.

Restrict Which Programs a User Can Run

If you have kids who use your computer, and you have programs on the computer that you don’t want them messing with, you can restrict them to using only certain programs. Say your kid tends to play games on the computer instead of doing his homework. You can set rules in AppLocker in the Group Policy Editor that prevent all games from being run.

NOTE: The Group Policy Editor is not available in the Home versions of Windows 7.

Lock Down the Firefox Web Browser

If you want to restrict the websites your child, or other family members or friends, can visit when surfing the internet on your computer, you can use the Public Fox extension in Firefox to block downloads and websites and prevent changes from being made to the browser. It locks down add-ons, preferences, about:config settings, and bookmarks. You apply a password to the extension so users cannot turn off these restrictions.

NOTE: You can restrict your child or other user to only using Firefox, so you can take advantage of Public Fox’s protections.

Lock Your Windows Account on Demand

If you’re logged in, but need to leave the computer for some time, you can quickly lock your account, so no one can access it. To do this, do one of the following things:

  • Press the Windows logo key and the letter ‘L’ at the same time.
  • Press Ctrl + Alt + Del and then click the Lock this computer option.
  • Create a shortcut to lock the screen.

Use the Windows Built-in Screensaver to Lock Your Computer

You can set the screensaver settings so it locks your computer automatically when you’re away. Once you set the screensaver settings, you can prevent users from changing the screensaver (and also the wallpaper).

You may want to quickly disable the screensaver if you’re doing something you don’t want interrupted, like watching a long video. To be able to do this, create shortcuts on the desktop to disable and enable the screensaver.

To start specific screensavers immediately, you can create icons for each of the screensavers that come with Windows.

Temporarily Lock Your Computer if Someone Tries to Guess Your Password

If you share your computer with other family members or allow your friends to use it, you should have a password on your Windows account so no one else can log into it. However, someone may try to guess your password and log into your account. If this happens, you can temporarily lock your computer.

You should also periodically change your password.

Disable Writing to USB Drives

If you are in charge of the computers at your company, you may be concerned about the security of the corporate data on the computers. Or, you may just not want your family members and friends to take files from your personal computer. In Windows 7, you can use a registry hack to prevent users from copying files to an external USB drive.

Restrict Users from Using Cut, Copy, Paste, and Delete

If you would rather not disable writing to external USB drives, as described above, you can restrict users from using the Cut, Copy, and Paste commands, as well as the Delete command. There is a free, small program available on the Tweaking with Vishal site, called Stopper, that prevents access to these commands.

Stopper is a standalone .exe file. Simply unzip the downloaded file and run the .exe file to disable the Cut, Copy, Paste, and Delete functions. Other users will not be able to copy anything to an external USB drive and steal your data and programs. You can enable these functions again by opening the Task Manager, selecting Stopper.exe on the Processes tab, and clicking End Process.

NOTE: We recommend you change the name of the .exe file before you run it, so savvy users of your computer are confused when they look in the Task Manager. They shouldn’t be able to tell which process is Stopper, if they are knowledgeable enough to get into the Task Manager. We left the name of the .exe file as Stopper.exe in the image below for illustrative purposes.

Lock Minimized Programs

If you let someone briefly use your Windows account on your computer, you may not want them looking at any programs you have open. However, you may not be ready to close the programs. There is a free utility, called LockThis!, that allows you to lock down minimized program windows, so they can’t be opened.

Use User Account Control to Protect Your PC

User Account Control (UAC) is a feature added to Windows as of Vista and continued in Windows 7. It’s designed to prevent unauthorized changes to your computer, thus making your computer much more secure. You can change the settings for UAC to provide different levels of security. You can read all about UAC to decide what level is appropriate for each computer you are trying to protect.

Use Parental Controls in Windows 7

If your children tend to get on the computer and play games when they should be doing their homework, you can use AppLocker to restrict the programs they use. However, if you want to control the amount of time they spend on the computer, you can use the Parental Controls in Windows 7, which also let you restrict access to programs.

Use the Local Group Policy Editor to Change Policies

If you are using Windows 7 Professional, Ultimate, or Enterprise, you can use the Local Group Policy Editor to change policies that affect the security of your computer. The Local Group Policy Editor is not available in the Home and Starter editions of Windows 7. For example, you can restrict access to drives in My Computer by changing a policy in the Local Group Policy Editor.

To access the Local Group Policy Editor, open the Start menu and enter “gpedit.msc” (without the quotes) in the Search box. Press Enter or click the gpedit.msc file when it displays in the results.

The following policies are some of the policies that can be changed to help secure your PC. For example, you can restrict access to the Control Panel, the registry, and the command prompt, and you can prevent users from changing their passwords and accessing the Task Manager. We have listed the name(s) of the policy item(s) from the right pane and then the path to the policy item(s) in the left pane.

  • Show only specified Control Panel items / Hide specified Control Panel items / Prohibit access to the Control Panel – User Configuration | Administrative Templates | Control Panel.
  • Prevent access to registry editing tools / Prevent access to the command prompt – User Configuration | Administrative Templates | System.
  • Disable the Privacy Page / Disable the Security Page [in Internet Explorer] – User Configuration | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel.
  • Remove Change Password / Lock Computer / Task Manager / Logoff – User Configuration | Administrative Templates | System | Ctrl+Alt+Del Options.

NOTE: Under User Configuration | Administrative Templates | System, you may notice that you can specify certain programs users will be able to run or not run. However, using AppLocker, as we discussed earlier in this article, is a more secure method of restricting access to programs for certain users.
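To confirm that the policies above actually took effect for a restricted account, the following PowerShell script reads the registry values that back several of them. It is an added example, not part of the original article, and is written to run on the PowerShell 2.0 that ships with Windows 7. The USB `WriteProtect` check is an assumption about which registry change the USB section refers to; the function and variable names are illustrative.

```powershell
# Added example: report which of the lockdown policies listed above are set.
# Run it in the session of the restricted account; HKCU values are per-user.
$polSystem   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$polExplorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$polCmd      = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$usbPolicy   = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

$checks = @(
    @{ Policy = 'Prohibit access to the Control Panel';     Path = $polExplorer; Name = 'NoControlPanel' },
    @{ Policy = 'Prevent access to registry editing tools'; Path = $polSystem;   Name = 'DisableRegistryTools' },
    @{ Policy = 'Prevent access to the command prompt';     Path = $polCmd;      Name = 'DisableCMD' },
    @{ Policy = 'Remove Task Manager';                      Path = $polSystem;   Name = 'DisableTaskMgr' },
    @{ Policy = 'Remove Change Password';                   Path = $polSystem;   Name = 'DisableChangePassword' },
    @{ Policy = 'Remove Lock Computer';                     Path = $polSystem;   Name = 'DisableLockWorkstation' },
    @{ Policy = 'Remove Logoff';                            Path = $polExplorer; Name = 'NoLogoff' },
    # Assumption: machine-wide write protection for USB storage uses this value.
    @{ Policy = 'USB storage write protection';             Path = $usbPolicy;   Name = 'WriteProtect' }
)

function Get-LockdownState {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $value = $null
        if (Test-Path $c.Path) {
            # A missing value returns nothing instead of throwing.
            $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($item) { $value = $item.($c.Name) }
        }
        if ($value -eq $null) { $state = 'Not configured' }
        elseif ($value -ne 0) { $state = 'Enforced' }
        else                  { $state = 'Explicitly off' }
        New-Object PSObject -Property @{ Policy = $c.Policy; Value = $value; State = $state }
    }
}

$report = @(Get-LockdownState -Checks $checks)
$report | Select-Object Policy, State, Value | Format-Table -AutoSize

# Flag gaps so a setting that never applied is obvious.
$missing = @($report | Where-Object { $_.State -ne 'Enforced' })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} of {1} settings are not enforced for {2}" -f `
        $missing.Count, $report.Count, $env:USERNAME)
}
```

The script only reads values, so it can be run from a standard account. If the command prompt policy is enforced with script processing disabled, launch it from the PowerShell console rather than a batch file.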

Protect Your Data in an Encrypted File Vault

You can also protect your data files from prying eyes by storing them in an encrypted file vault. A very good, free program for that purpose is TrueCrypt. It allows you to create a very secure vault in which you can store your files and “lock it up” when you are done.

When securing your Windows account and your data and programs, remember to use good, strong passwords, and store them securely when you have to record them. We also have additional tips for securing your data and backing up your data. Backups may not seem related to locking down your computer, but they are important as well. What do you do if another user of your PC does something to render the PC useless? If that happens, you’ll be happy you spent the time and effort to back up your data.

Lori Kaufman is a freelance technical writer who likes to write geeky how-to articles to help make people's lives easier through the use of technology. She loves watching and reading mysteries and is an avid Doctor Who fan.

  • Published 04/14/12

Comments (7)

  1. r

    In my corporate environment I provide users with permissions that I create in Win2008 r2 Active Directory, which makes them part of certain groups. From there they either have or don’t have access to various domain folders or files on mapped drives. On my mobile workstation nobody has access to anything but me. It’s never a shared computer.

  2. Nick

    This is my biggest complaint about Windows 7 Home, the features that a home user needs most (group policy editor, xp mode, remote desktop) are only included in the professional versions and above. I understand why Microsoft thinks that corporate users are the ones who need those features, but Home users need them as much if not more. If the cost of the anytime upgrade was less expensive it would be less of an issue, but the cost per machine seems high.

  3. mike

    I don’t understand why you need a separate program to disable copy/move/delete and paste. Shouldn’t that option be built into Windows?

  4. Dark Reality

    Most of these hacks can be worked around. Besides, I think locking down the computer and leaving your child unsupervised is the wrong approach. You might as well put them on a Mac toy. But I believe parents should spend more, not less, time with their children. Make a limited account, sure. But don’t specifically limit them. Let them do whatever, within reason, and supervise. You’re not doing their potential any favors by limiting them.

  5. jennifer

    Good to know about The Best Ways to Lock Down The Multi-User Computer

  6. badger_fruit

    I agree to a point with Dark Reality, but there’s only so much supervision one can give; my 7 yr old boy, no problem, if he wants to use the PC then it’s in front of me or my wife so we can see what he’s up to! As for my 11 (sorry, 12) yr old daughter, supervision of her PC use is uncontrolled, I am there if she ‘breaks’ something but other than that, I believe we’ve instructed her well on how to use the PC ‘safely’.

    This is a good article though and it shows there’s a whole heap of tools available to those who don’t trust the other users of their PCs (something to hide maybe?) … I think the users of these apps should be subjected to 24/7 CCTV surveillance on their PC monitors lol ;)

  7. Taco

    Block all search engines and the internet (sarcasm). SRP/Applocker has (un)intentional backdoors and anyone with access to a search engine and physical access to your machine can gain admin rights. If you want to “lock down” your system, don’t use Windows. If you use Windows I hope you can trust those you share your computer with.

    I have a loaner laptop with a strict SRP and I know it can be pwned so I always restore a system image before allowing it back on my network. Sorry folks, Windows = insecurity. It’s “policy” at MS and has been forever.
