Windows 7: Limited account, restrict apps, but has install rights

Dear Seven members,

I am running Windows 7 Prof x64 and I want to add a limited user account. I will be leaving home for about 6 months and a friend will be using my computer in the meantime. this means I won't be able to access the computer in that time.

I want to create an account for him, which allows him to install apps and do everything he wants, but I want to prevent him from using certain programs. Also I would like to block some folders that have private stuff.

Is it possible to do this using Group Policy in Windows?

Thanks in advance,

Nick

You could protect the private data with some form of encryption, [Bitlocker, Truecrypt], but the program use may be more of an issue, As they will have permissions to install programs they can install anything you try to block.

Personally I would create a full image backup of the system, and a data backup, then remove the Current user info, programs and data completely.

When you return you can then reset the system to the way it is now and remove any changes

Hm hadn't thought of encryption software. Good point! Do you have any recommendations regarding them? I will need to encrypt some folders, but not complete hard drives or partitions.

The problem I have with a system back-up, is that it takes forever to do. When I do my weekly back-up it takes about 4 hours to completely back-up my system and my data.

Subsequently removing most applications is also not an option, because that also takes a long time. I have several large apps from my university. A 3D-CAD system, a finite-element analysis tool and a host of other programs. Removing them takes a long time.
If this could be done in advance, it's not a problem. However, I will be using the computer up to the moment I am leaving (save for a few hours or a day). I don't have time do all that the day before I leave.

So if you've got some other tips, I'd be very happy. Is it possible to restrict certain apps on an account with admin rights using group policy? I saw in the group policy editor, that you can restrict some apps, but I have no idea what it does or how it works.

Oh btw, I don't need high-security encryption. A password will do. After all he is a friend not a cyber criminal.

Hi there
the best 9and easiest) solution IMO is to do as a previous poster said

1) Image the system (i.e full backup)
2) Uninstall any app you don't want the user to access
3) delete ALL your private data (ensure its backed up first)
4) delete email account / email data and user data of your own account.

When you return just wipe the computer clean and re-install the image you made before you left. Use something like Acronis or Macrium as you can create a bootable restore -- you start the program via booting from a USB / DVD / external HDD. You don't have to worry about leaving an administrator account on the PC.

Much easier than mucking about with encryption / data access etc etc and the whole restore will only take around 20 mins anyway.

Cheers
jimbo

Have a look at Truecrypt, which is capable of encrypting entire operating systems.

It may be possible to create an encrypted partition and re-install your sensitive apps to this, (prior to leaving ), and it is also useful for data protection of course.

What about blocking those programs with SRP (Software Restriction Policies)? ....pretty simple. For the folders problem: How To Lock And Password Protect Folder In Windows 7/Vista I would try to block the user with permissions (security tab of the folder) first.

The user will have administrator access so any blocking needs to be done with a 3rd party solution, with password protection

If a user is an admin he will have access to the whole system. The only way to protect the data is to encrypt it or remove it. I think your best bet is to back up your personal data (not a bad idea if you are going to be leaving your PC for 6 months), and then delete it.

As for disabling some applications - how about deleting key files from those apps? Probably simply deleting the main exe will do. Just make sure you back it up in a secure place. This will be much faster than uninstalling everything.