Harold Fuchs wrote: >> >> You can find properly locked down computers in many large companies and >> some small ones. >> >> >> > If the user has physical access to a CD drive I don't believe you can > prevent execution of software from that CD. If you can, please explain > how. > > Also, the user "owns" the My Documents folder. Is it therefore > possible to restrict what the user can do with this folder *without* > the user being able to change those restrictions? > > If the user can create a directory then s/he can run software from > that newly created folder. Or ??? > I don't have an XP Professional or equivalent handy, so I can't verify the CD drive part, though it's certainly possible to disable various devices or even buy computers without such a drive.
As for permissions, yes, an administrator should be able to set the permissions, so that a user cannot write to their own folder or change the permissions to allow them to do that. The admin could give the user permission to read only and deny write, execute or modify. An admin is always superior to a user. So, if the admin says you can't write to your own directory, then that's what's going to happen. Of course, part of his job is ensuring you have sufficient permissions to do your job, so it's unlikely he'd do that. It gets really interesting on the old Novell Netware servers, where you had both permissions and inherited rights masks. The two combined to determine what you're allowed to do in a particular directory. Any servers, such as Windows servers, Unix/Linux, Netware and others have the ability to manage permissions, based on user, group or other. Consumer versions, such as XP Home have little in that respect. In Linux & Unix, you can also mount partitions or devices such as CDs as "no exec", which means that you could have a perfectly valid bit of software there, but you could never run it, because the operating system wouldn't allow it. This could even apply to a partition that's used to hold the user's home directories. This sort of thing is a course in itself for system admins. -- Use OpenOffice.org <http://www.openoffice.org> --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
