multi-users: how to prevent altering executables, but allow config?

[live]

Hi,

OS: Win7 family premium home 64 bits

I have several accounts on a PC, only one has admin priviledge.

How do I prevent all users to delete/alter/create/add the content of a folder and its sub-folders, in particular exe and dll, but allow text files such as config & log files to be altered/modified/created?

By preventing, I wish either some password confirmation - just as for the parental check - or at least like the command enforce to run with admin priviledges.

Even, the admin account shouldn't be allowed to delete without having a mechanism like the command to run with admin priviledges, e.g. chkdsk.

Many thanks.

 

[Alejandro85]

What you describe is pretty much the default file system structure in Windows. Some predefined folders together with their default access permissions make this scenario the common rule rather than an exception.

Program code and assets should go into program files (by default "c:\program files" and "c:\program files (x86)"). This location is read only for standard users but allow admins to write there, which makes sense in tht normal users cannot install or modify programs but still can run them. It's also the reason why installers always ask for elevation.

Configuration files, all user-generated data and such should go into the user profile instead (c:\users\<username>, by default). This location is read-write for this particular user and non-accesible for anyone else (save admins, of course). This makes the ideal location for configuration files, within AppData or user documents, using documents, desktop or similar per-user folders. Not only this distribution fulfills your requirement, but also provides isolation for each user settings, as each one gets his own copy of the data files (this being the reason why each account gets a different desktop settings, etc.).

By just installing that program in such default locations you immediately get all you want, plus being enforced by the OS itself. Users attempting to change the exe or similar will just get an access denied or UAC prompt at most, which only the admin can elevate to carry out the action. While user data is fully accessible to each one, but isolated from others.

 

[live]

Thanks Alejandro85, but

1/ "c:\program files (x86)" is dedicated for 32 bits apps, while "c:\program files" for 64 bits and one may wish(I do) not to make this distinction.

2/ Some apps "cannot run from 'C:\Program Files (x86)' folder!", see for instance:
* RBTray Portable cannot run from "C:\Program Files" folder!? | PortableApps.com - Portable software for USB, portable and cloud drives
* http://www.sevenforums.com/software/214394-cant-run-installed-program-within-program-files-x86.html