Applying Advanced Security Settings In Windows XP


To view and edit NTFS permissions for a file or folder, right-click its icon, select Properties, and then click the Security tab. This dialog box lists all the groups and users with permissions set for the selected object. As the example in Figure shows, you can assign different permissions to each user—in this case, Katy can read and play (Execute) files in the Music Downloads folder but is prohibited to change existing files (Modify) or create new ones (Write).

In Windows XP, the owner of a file or folder (normally the person who creates the file) has the right to permit or deny access to that resource. As well, members of the Administrators group and other certified users can grant or reject permissions. You can add individual users to the list of users and permit or reject specific types of file and folder actions. You can also assign permissions to built-in groups (Administrators, for instance) or create your own groups and assign permissions that way. As we’ll explain later in this section, some permission doesn’t require to be explicitly defined but instead are inherited based on permissions from a parent folder. All permissions are stored in the file system as part of the access control list (ACL).


Figure. View and edit permissions for the selected user in the list at the bottom of this dialog box; each user or group can have a different set of permissions.

If the user or group whose permissions you want to edit is already listed at the top of the Security tab, you can select check boxes in the Allow column to add permissions, or clear boxes to remove permissions. Select check boxes in the Deny column only if you want to explicitly forbid certain users from exercising a specific permission. Deny access control entries take precedence over any other permission settings that apply to an account, such as those granted through membership in a group. If you want to completely lock out a specific user or group from access to a selected file or folder, select the Deny check box on the Full Control line.