I have been using the built in Windows "Guest" account for many years. The main reason why I love the "Guest" account is that I do not have to set special NTFS file permissions on a per folder/file/drive basis. For example, I let my kids login to my PC using the guest account and I am 100% confident that my PC is secure from accidental file deletion/moves. For example, it is impossible for the kids to accidentally delete the "Family Photos" folder or ANY file in ANY directory since they are immediately presented with a prompt for "Administrator" credentials. Fantastic.. way to go Microsoft.. seriously no sarcasm here!
However, I have two major concerns/questions as of late:
With Windows 10, MS has completely did away with the "Guest" account. This alone is enough for me to put my foot down when it comes to upgrading to Win 10. If I manually create a "Guest" user group I literally have to set NTFS file permissions on every single file. I tried doing this on the single folder "Family Photos" and the OS displayed a dialog for updating permissions of each individual file/sub-folder. This took hours. This is not feasible to manage. I even tried creating a new user and ensuring that they only belonged to the "Guests" group. I discovered this account still had escalated permissions that allowed them to delete files and folders. So as far as I can tell, I would need to manually manage every single file/folder on multiple drives in order for this approach work. That would be insane! So my first question is whether anyone knows how to create a "real" guest account the way that the OS manages the special "Guest" account?
Next I have a closely related to question 1. I have recently tried to use the MS Family Safety feature of Windows 8.1. Based upon what I've read, it sounds pretty fantastic and would allow my kids to login with personalized accounts instead of forcing them to share the guest account. However, after adding a child account to the system, I logged in with the child's account and discovered that the account had enough privilege to delete files/folders and do some serious damage to my data! So, I tried using the old Microsoft Management Console (MMC) to manage "Local Accounts" the old school way. I removed the child from all groups aside from "Guests." However, I encountered the same problem as described in question 1 above.
I'm sure there are thousands of people out there that have the same problem/concern. My research leads me to believe that Microsoft has built in logic at the OS level in order to handle the guest account. Why something so logical and simple has been stripped away in the latest OS (Windows 10) is beyond me. And why I can't add multiple users as "guest" accounts also seems to be a major shortcoming in the OS.
In fact, I recall when Windows NT first came out (and ever since,) Microsoft has always recommended not running as an administrator account for security reasons. For example, if I'm logged in as a guest user and I visit a malicious website by mistake, the site will only have the privilege of the current guest user so no damage can be done. This makes 100% sense. So, why is that ability stripped out of the latest OS!?
Any help/suggestions would be great appreciated.
Best Answer
Here's what I did on Windows 10 to provide a user login for some visiting guests: I created a new standard user named "anyone". Then I set the properties for the C drive to deny all permissions for "anyone". (I had to add "anyone" to the list.)
Setting those permissions did run for a while.
Now "anyone" can run programs, including the Chrome browser, which is all I cared about, but has no access to the C drive, so can't even list the folders there. "anyone" still has access to its own Document, Photos, Downloads, etc., but no way to get to them via the C drive.
This is pretty restrictive, which is what I wanted. It may be too restrictive for the case you described.