I have a Windows 7 computer with two users. One of them is an Administrator, the other is a limited user.

The limited user should have access to the internet but should not have access to any network shares of any computers in the LAN. Best if he didn't even see that there are any computers and work groups in the LAN.

The Administrator user should have normal access to the internet and the LAN.

How can I achieve this?

EDIT:

I can't control other computers in LAN.

Do you think that leaving Home Group on this computer might be sufficient?

Kamil Szot
  • I don't think there is any clean way to achieve this in Windows, at least without stupid stuff like setting the firewall to block all IPs in the LAN outbound except the default gateway, and having the admin manually enable/disable the firewall configuration when they login/out. Filesharing is just too integrated into the OS, and you can't disable it outright on a per user basis. Sharing access is all determined by the remote computer, so if you can't control that, there isn't a lot you can do except to try to disable SMB or otherwise block it, but those are global configurations. – Frank Thomas May 10 '19 at 07:29

2 Answers

There might very well be better solutions. But here is one:

  1. Don't give that user permissions on your shares, or even deny them explicitly
  2. Disable the computer browser service for that user. A really primitive approach would be setting it to disabled, and since you need to be admin to enable it, you yourself can and your user cannot. Another approach would be a logon/logoff script that does it.
TheUser1024

This has a much larger answer than you may expect, filled with a lot of variable pieces.

First, you need to consider the level of knowledge of your "user". If a highly-advanced user (or hacker) can sit at the computer... there is very little s/he can't do. A tech-savvy-user may know how to access shares directly, but probably can't do much more when presented with a basic "access denied" message. A typical user won't know how to access a network share unless there is a shortcut for them.

What do you mean by "network shares"? Are you talking about an actual "Windows Network Share" on a separate Windows Server? If so, just set permissions to allow/restrict users as you see fit. As a general rule, if a user does not have permissions on a network share, he can't access them. Browsing to \\some-server\share will result in a friendly logon prompt requiring a username/password (if he is not logged into a domain) or simply an "Access Denied" message (if he is logged into a domain and does not have permissions). Permissions could be assigned to the administrator to give him whatever he needs. As far as "hiding it" goes... this goes back to the level of skill the user has. You can't filter network connections by user, only by IP address, port, or other "network" attribute. Once the network connection is established, then you're at the mercy of the application-layer to maintain security. Unfortunately, there is no way to apply a group-policy object on firewall rules per-user.

If you want to restrict the "appearance" of network-shares, you can do quite a bit with group-policies that can obscure or limit the view of various network shares... but this discussion can get quite lengthy and really should not be done lightly.

If you're talking about a Network-Share on a "home-grade" appliance (router? nas? ???) with a partially-implemented SMB stack, you're really at the mercy of the manufacturer. If it doesn't ask for a user/password, there's not much you can do.

If you're talking about something else... we need more information.

TheCompWiz
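
The comment on the question describes an outbound firewall block that the administrator switches on and off, and the answer above notes that filtering is possible by IP address and port but not by user. As an added example (not code from any poster on this page), the script below is a narrower variant of that idea: instead of blocking every LAN address, it blocks only outbound SMB and NetBIOS ports to the local subnet using Windows Firewall's `netsh advfirewall`. The file name and the two rule names are made up for illustration.

```batch
@echo off
rem lan-smb-block.cmd on|off|status   (added example; file and rule names are made up)
rem Run from an elevated prompt: "on" before the limited user logs on,
rem "off" when the administrator needs LAN shares again.
rem Changing firewall rules requires administrator rights, so the limited
rem user cannot lift the block. The rules are machine-wide, not per-user.
setlocal
set "RULE_TCP=Block LAN SMB TCP"
set "RULE_UDP=Block LAN NetBIOS UDP"

if /i "%~1"=="on"     goto enable
if /i "%~1"=="off"    goto disable
if /i "%~1"=="status" goto status
echo Usage: %~nx0 on^|off^|status
exit /b 2

:enable
call :ensure_rules
netsh advfirewall firewall set rule name="%RULE_TCP%" new enable=yes >nul
netsh advfirewall firewall set rule name="%RULE_UDP%" new enable=yes >nul
goto status

:disable
call :ensure_rules
netsh advfirewall firewall set rule name="%RULE_TCP%" new enable=no >nul
netsh advfirewall firewall set rule name="%RULE_UDP%" new enable=no >nul
goto status

:status
rem Show both rules, including their Enabled state.
netsh advfirewall firewall show rule name="%RULE_TCP%"
netsh advfirewall firewall show rule name="%RULE_UDP%"
exit /b 0

:ensure_rules
rem Create each rule once, initially disabled. remoteip=localsubnet limits the
rem block to LAN peers; connections to internet addresses are not matched,
rem and DNS or DHCP traffic to the gateway uses other ports.
netsh advfirewall firewall show rule name="%RULE_TCP%" >nul 2>&1
if errorlevel 1 netsh advfirewall firewall add rule name="%RULE_TCP%" dir=out action=block protocol=TCP remoteip=localsubnet remoteport=139,445 enable=no >nul
netsh advfirewall firewall show rule name="%RULE_UDP%" >nul 2>&1
if errorlevel 1 netsh advfirewall firewall add rule name="%RULE_UDP%" dir=out action=block protocol=UDP remoteip=localsubnet remoteport=137,138 enable=no >nul
exit /b 0
```

This covers file sharing and NetBIOS name browsing only; other discovery protocols are outside what the script blocks.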