Need help understanding users and permissions to secure new system


  1. Posts : 21
    Windows 7 Home Premium 64-bit
       #1



    Hello! I am migrating from a Windows XP SP+ system to a new Windows 7 64-bit
    system. I have repartitioned my drive to have a new E: partition so that I can
    keep my user data separate from the OS. I did this in accordance with this page:

    Move Your Data to a Safer, Separate Partition in Windows 7 - PCWorld

    Someone noted in the comments to this page

    "One bit of advice I would like to add: Once you've moved your user folders to that new partition, check the ACLs (access control lists) of your user folders to be sure that they have the permissions as you want them to be. After I moved the data folders on my computer to a separate data partition, all users were able to see each others' data. The ACLs appear on the Security tab of the folders' properties."

    I am now checking them, and I am confused by what I see. There are
    four group or user names listed in the Security tab for each folder:

    Authenticated user
    SYSTEM
    Administrators
    Users

    Am I correct in assuming that

    Authenticated user = Anyone who has successfully logged in with a password
    Administrators = Anyone who has an administrator account, including the
    built-in Administrator account

    Is Users a superset or subset of 'Authenticated users?' Is every authenticated
    user also a User, or are Users only those people who have logged in without a
    password?

    I'm also trying to understand the file permissions that are allowed. There
    is a 'Read & execute' permission that is allowed for all groups. Is there any
    way to have a file be executable but not readable?

    I assume that Administrators should have access to everything (and will
    probably get it anyway regardless of what setting I choose), but what
    about items in the SYSTEM group?

    What does the Read attribute really mean? The help on "Permission
    Entry Dialog Box" mentions three types of read permissions: Read Data,
    Read Attributes, and Read Extended Attributes. I'm hoping that Read
    really means Read Attributes (seeing that the file is there) rather than
    Read Data (view the contents of the file).

    In any case, it looks like my folders all currently allow Modify,
    Read & execute, List folder contents, Read, and Write for every
    Authenticated user, which is not what I would want. I'm guessing
    that I should turn off Modify and Write (since those are the permissions
    for non-Authenticated users), but I'd appreciate some feedback on Read.

    While my old machine runs XP, I've never learned too much about Windows'
    permissions, since I'm the sole user of the machine. Now that I'm moving
    to a laptop and creating several accounts, I know I need to be more
    paranoid about security. But I'm really most comfortable in the UNIX
    world, where I'm used to the user-group-others paradigm. So any
    insights will be appreciated.

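Added example (not part of the original posts): a read-only PowerShell check for what the quoted PCWorld comment describes, listing every access rule that the broad groups Authenticated Users, Users or Everyone hold on each profile folder. The E:\Users root and the choice to skip a folder named Public are assumptions; run it from an elevated prompt so the ACLs of other accounts' folders can be read.

```powershell
# Added example: read-only audit, it changes no permissions.
# Assumptions: profiles were moved to E:\Users (as in the post above);
# a shared "Public" folder, if present, is skipped on purpose.
param([string]$ProfilesRoot = 'E:\Users')

# Well-known SIDs, so the check does not depend on localized group names.
$BroadSids = @{
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
    'S-1-1-0'      = 'Everyone'
}

function Get-BroadAccess {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($BroadSids.ContainsKey($sid)) {
            New-Object PSObject -Property @{
                Folder    = $Path
                Group     = $BroadSids[$sid]
                Type      = $rule.AccessControlType   # Allow or Deny
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# One row per matching rule on each top-level profile folder.
Get-ChildItem -Path $ProfilesRoot |
    Where-Object { $_.PSIsContainer -and $_.Name -ne 'Public' } |
    ForEach-Object { Get-BroadAccess -Path $_.FullName } |
    Select-Object Folder, Group, Type, Rights, Inherited |
    Format-Table -AutoSize
```

Rows with Inherited = True come from the parent folder or the drive root, so they are changed there or by disabling inheritance on the folder, not by editing the folder's own entries.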

  2. Posts : 17,545
    Windows 10 Pro x64 EN-GB
       #2

    Hi FluffyBunny, welcome to the Seven Forums.

    First, the difference between Users and Authenticated Users is that Users only contain users of that local PC, whereas Authenticated Users also contain the domain or Active Directory users. This Microsoft TechNet article explains more: Appendix D - User and Group Accounts

    The read attribute means the user can view the contents of the file.

    Personally I find those instructions you linked to be not so good. It's OK if you only want to relocate Documents folder but then it gets very complicated. I would rather use one of these methods:


    Kari


  3. Posts : 21
    Windows 7 Home Premium 64-bit
    Thread Starter
       #3

    Kari said:
    Hi FluffyBunny, welcome to the Seven Forums.

    First, the difference between Users and Authenticated Users is that Users only contain users of that local PC, whereas Authenticated Users also contain the domain or Active Directory users. This Microsoft TechNet article explains more: Appendix D - User and Group Accounts

    The read attribute means the user can view the contents of the file.

    Personally I find those instructions you linked to be not so good. It's OK if you only want to relocate Documents folder but then it gets very complicated. I would rather use one of these methods:


    Kari

    I only care about relocating the files under C:\Users\AccountName, so I
    hope what I already did will be good enough for now. However, would it
    be safe for me to do OPTION TWO of the first link above,

    To Change the Default User Profile Location of New User Accounts

    It would be nice if all new accounts would create their folders
    on the E: drive by default. I already have an E:\Users folder
    for them to be stored in.

    Finally, can you recommend any good books that discuss
    these issues in more depth? I only have O'Reilly's
    "Windows 7 Annoyances" so far. It has some good
    information, but is not always that well organized,
    and doesn't cover every topic. I have read good
    reviews of "Windows Inside Out" but when I leafed
    through it at the store, I wasn't sure it went into enough
    depth. (I don't remember seeing much discussion of
    drive partitioning, and I'm pretty sure it had no discussion
    of virtualization, another topic I'm interested in, since I'd
    like to run Ubuntu in VirtualBox eventually.) Thanks for
    your feedback!




  4. Posts : 17,545
    Windows 10 Pro x64 EN-GB
       #4

    That option 2 in Brink's tutorial does exactly what you want to, locates all new user profiles to another drive.

    About the literature. Windows 7 Inside Out is my favorite Windows 7 book, it goes quite deep (Windows 7 Inside Out). Here's a free eBook: Download details: Windows 7 Product Guide. And, IMO the best Windows 7 learning material: Windows 7 Training | Windows 7 Certification | Windows Vista Training | Training Portal.

    Not knowing how familiar you are with Ubuntu and VirtualBox, here's a complete walk-through: Linux - Install on Windows 7 Virtual Machine using VirtualBox

    Kari


  5. Posts : 21
    Windows 7 Home Premium 64-bit
    Thread Starter
       #5

    Kari,

    >That option 2 in Brink's tutorial does exactly what you want to, locates all new user profiles to another drive.

    Excellent; I'll try that.

    >About the literature. Windows 7 Inside Out is my favorite Windows 7 book, it goes quite deep (Windows 7 Inside Out). Here's a free eBook: Download details: Windows 7 Product Guide. And, IMO the best Windows 7 learning material: Windows 7 Training | Windows 7 Certification | Windows Vista Training | Training Portal.

    Thanks for the list. I'll take another look at "Windows Inside Out."

    >Not knowing how familiar you are with Ubuntu and VirtualBox, here's a complete walk-through: Linux - Install on Windows 7 Virtual Machine using VirtualBox

    I have some experience with Ubuntu, but haven't tried VirtualBox yet.
    I have bookmarked the walk-through for future reference.

    Many thanks for your quick feedback! I should be okay for now.
    After getting these issues fixed up, it will be time to take the plunge
    and connect to a network. I'll start a new topic if any issues arise
    with that. Thanks again.


  6. Posts : 21
    Windows 7 Home Premium 64-bit
    Thread Starter
       #6

    Alas, it appears that I spoke too soon. First, I changed the
    ProfilesDirectory entry in regedit and then tried to create a
    new account. When I did so, the new account name did not
    appear in EITHER C:\Users or E:\Users (where I wanted it).
    I even tried rebooting to make sure the changes in regedit
    had taken effect, but even after a reboot, creating a new
    account did not create any new folders in either directory.

    Then I tried changing the permissions of the folders I had
    already moved to E:\Users (for a total of three accounts -
    these were existing accounts, not the one I just created).
    For each folder, for the authenticated users and ordinary
    users, I tried to Deny the Modify, Read & execute, List
    folder contents, and Read and Write permissions. But when
    I tried to click Apply or OK, I got an "Error Applying Security"
    dialog:

    An error occurred when applying security information to

    E:\Users\admin\Contacts

    Access is denied.

    (Note: Account admin is an administrative account.)
    If I click Continue, it shows the dialog a couple more times
    and then it goes away. It comes back again if I try to click
    OK on the main Properties window. If I click Cancel a couple
    of times, I get the "Windows Security" dialog

    Stopping the propagation of permission settings leads to an
    inconsistent state, in which some objects have the settings but
    others don't. If you made the change by mistake, you should
    apply the correct change immediately to achieve a consistent
    state.

    If I click OK to dismiss the dialog, I can't get out of the Properties
    window. If I click Edit, Advanced, or Cancel, nothing happens, so
    it appears I can't undo the 'mistake.' I can't close the window with
    Alt-F4 either. How can I get out of this mess? (Hopefully without
    leaving all my files visible to the world?) I find it very disturbing that
    Windows 7 can so easily be put into an unusable state.


  7. Posts : 17,545
    Windows 10 Pro x64 EN-GB
       #7

    Before panicking, please answer this: Did you log in to that new account you created before checking if the profile / folder existed?

    The user folders are not created when you create an account. They are first created when the new user logs in for the first time. You simply cannot see the new user's folder in \Users before the account has been logged in at least once because the folder does not exist yet. More here.

    Kari


  8. Posts : 21
    Windows 7 Home Premium 64-bit
    Thread Starter
       #8

    Aha! Thank you for that key piece of information. I had
    in fact NOT logged into the newly created account. When
    I logged into that account and opened up Explorer, I found
    that a new set of folders had been created in E:\Users, as
    I originally hoped. Yay!! One problem solved! And one
    lesson learned.

    Now can I get back to panicking about my file permissions?
    When I logged back into the admin account, I found I'm
    still stuck in the same dialog box. Any suggestions you
    can offer will be greatly appreciated.


  9. Posts : 17,545
    Windows 10 Pro x64 EN-GB
       #9

    Take your time, you are free to panic now. In the meantime, I ask some permission gurus to take a look at your issue.

    Kari


  10. Posts : 5,605
    Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
       #10

    Hi! FluffyBunny, welcome to 7F :)

    I am not an expert, by any means, but this should help give you full access.


    • Start Windows 7 in safe mode (turn on/reboot, and tap F8 until the Windows menu comes up).
    • Select safe mode.
    • Once started, open Windows Explorer, right-click the C:\ drive, and choose Properties. Then select the Security tab.

    In Group or user names, select each one (one at a time), then Edit. You have to have the SYSTEM group listed.

    • Click each box under Allow so that there is a check mark in each box.
    • Go to Advanced, then the Owner tab, and change from Administrators (your user name\Administrators) (whatever it's called) to your login name by using Edit.
    • Then shut down and restart in normal mode.


    This should give you full control over your machine, and calm you down to where you can think straight again.



    This is where I am not sure how this will turn out because I only have one drive.
    PANIC TIME AGAIN!

    Now, in order to have permission to access the E:\ drive or whatever drive you would like to access, you would go to the respective drive's Properties > Security tab.

    Your users should be listed, then edit each one as you did for the C:\ drive. If they are not, then we will have to create them.

    You can always go back to any of your Drive's properties >Security tab >Edit Group or user names, and remove/un-check any allow boxes to restrict permissions.

    Since you have Home Premium this tutorial may only work with method 2 or 3. Drive Access - Restrict or Unrestrict in Vista, and Windows 7- Vista Forums

    There are these two also:
    https://www.sevenforums.com/tutorials...-accounts.html
    User Accounts - Add or Remove from Groups

    I did not want to throw too much at you, but we may have to get into sharing these drives.


 