Windows 7: Windows 7 Public network profile

Under "Advanced sharing settings", one can really turn off a lot of network sharing features to secure a computer.

The "Public folder sharing" switch allows one to turn off Public folder sharing, but people logged on to "this" computer can still access these folders. Does anyone know if this means *remote* login? If so, is there a way to deactivate this so that it is only accessible at the "console"? And by Public folder, does that mean a folder that is user-specific (and controlled by owning user), but open to the public? Or does it mean a file space "commons", accessible and controlled by all users?

The "Password protected sharing" switch allows one to restrict access to the computer to only those who have an account and password on the computer. Again, is there a way to ensure that access is only possible from the console?

It's probably best and most important to understand that access to shares (locally or across a network) are actually an aggregate of two seperate security settings defined in the properties of the individual file or folder being shared.
1. Share Permissions (for users comming at you from across the network) defined under the sharing tab in file and or folder properties.
2. NTFS Permissions (for users setting at the console) defined under the security tab in file and or folder properties.
When these two permissions are defined, they are combined and the most restrictive is what is actually applied to the share.
For years it has been a generally accepted practice to configure share permissions (Everyone = Full Control) and then use the NTFS Permissions to more granularly define explicitly who has access and how much access they have. I still consider this a good practice if for no other reason than it saves a lot of back checking between the two permission sets to make sure nothing is conflicting.
Additionally you need to understand that permissions can be applied to both individual users as well as groups and you need to consider this when a user is having problems accessing a file or folder to which he has explicitly been granted access. What group does he belong to, what permission does that group have to the same file or folder. If he has write access but the group he belongs to only has read access, then he will only have read access.
Here's a very good reference if you can suffer through it and learn it, you shouldn't have any permission problems going forward.
Good Luck
Randy

Randy,

That is a very understandable description of permissions. I thank you for that. It seems that there aren't just specific folders that are devoted for sharing over the network. Rather, every file and folder can be granted permissions which potentially make it accessible over the network.

Suppose that Bob accesses a computer from the console. He wishes to access the file I:/A/B/C/D/E.txt . Let's say his effective permissions for I, A, B, C, D, and E.txt vary. If the effective permissions do not allow him to see the contents of B, but let's say the permissions on E.txt allow him to write to it. Can he still do this even though he can't see past B? If so, would he need some means of accessing it other than via the path I:/A/B/C/D/E.txt?

On a different track, let's say a user on a local network (e.g. a WiFi at a Cafe or a friend's home) has no interest in opening up a computer to file access over the network. But let's say he doesn't want to permanently cripple all the permissions because he suspects that as the years wear on, he will become aware of the reasons for having file sharing. He will then want to start from a reasonable baseline of permissions and tweak from there. Is there a single point of control that simply disables the ability of the computer to share its local files, but doesn't nuke all the share permissions? Surely there must be a switch or a service that can be disabled and which will *guarantee* that file sharing will not result from some missed permissions parameter somewhere.

Actually, I think the single point of control of file sharing over the network boils down to exactly the two questions in my original post. The "Public folder sharing" that I mentioned seems to be this master switch. I hope that disabling this will override the "Password protected sharing" also mentioned. That is, those with accounts on the machine in question will be unable to access its files over the network even if "Password protected sharing" is checked. (The alternative to "Password protected sharing" is even looser.)

First part:
As long as the permissions are defined properly and the relative caveats of group membership conflicts, ntfs and share permission conflicts, and implicit permission conflicts as a result of inheritance from the parent container. Then yes the user will be able to access the file or folder as long as he knows the UNC path. He doesn't need to be able to browse to it. But remember if parent container have more restrictive permissions then inheritance will have to be explicitly broken and proper share and ntfs permissions will need to be set to support this.
Secont part:
From across the network, yes. Just turn off file and printer sharing for Microsoft networks in the properties of the network interface card you are using on the network.
Type ncpa.cpl into the search or run dialog box and hit enter. Select, then right click the network connection you are using and choose properties. Uncheck the box next to Firle and Printer Sharing and that should do it.

EDIT: Sorry I completely ignored your intial statement It's important to note two things. This is generally not a precondition of any file or folder until you set the "Share" property. But you should also note that there are hidden shares (so called default shares) which are designated with a dollar sign suffix like C$. You can see these displayed if you open a command prompt and type
net share
Password protected sharing is a defacto "best practice".

I believe with a little research you will probably find that Public Folder Sharing impacts only those things in the Public folder and it's subcontainers..
C:\Users\Public\whatever

Thanks for that clarification. Yes, I was reading it, but it wasn't registering. I was interpreting all occurances of the phrase "Public folder(s)" as any folders for which share permissions have been set up to allow access over the network.

Thanks again. The first part is very insightful. The second part is *invaluable*. And the "EDIT" part is important and useful to know. About the hidden shares, I now understand why I see the dollar sign on some of the network folders at work.