The Access Control List is a tool for protecting network shares,
but it doesn't stop someone from walking up to the computer, logging
in, and looking at the files on the computer. Share permission and
ACLs don't apply to a user who logs in locally. To keep files private
from other local users, Windows XP provides a different mechanism.
You can assign permissions to individual files and folders at file
system level. This is called File Permissions, and it's only
available on NTFS volumes. You can't set File Permissions on FAT
By default, Windows XP uses File Permissions only in the Documents
and Settings folder, to keep each user's documents private from
other users. When a user logs on locally for the first time, his
'Home Directory' is created within the Documents and Settings
folder. The default settings for all of the folders and files in
each user's My Documents folder are:
- The owner of the file or folder has read and write permission;
- Local Computer Administrators have read and write permission;
- Nobody else may read or write to the folder or the files in
Notice that Administrators can look into the user's My
Documents folder. Be aware that any user accounts that you
created when you installed XP are Administrator accounts,
and that they can all look into each other's My Documents folders!
Individual users may step up the security a notch to remove Administrators
from the list. Then, only that individual user can access his or
her own files. When a user with an Administrator account
sets a password on the account, Windows XP automatically prompts
the user to step up the security on My Documents. It's then
In order access shared data, a user connecting from the network
needs to get past both gatekeepers:
- The ACL must allow access to the share;
- The NTFS File Permissions must allow access to the file.
Having set up the share permissions, do we now need to do anything
with NTFS permissions?
The short answer is 'It Depends'.
If the shared folder is contained within Documents and Settings
(e.g. the My Documents folder), then you might. This is because
Windows XP sets NTFS permissions within this folder structure to
prevent users from accessing each other's data. It depends on whether
the user accounts are Limited or Administrators, and
it also depends on whether the shared folder has been previously
marked as Private.
If you created a folder structure elsewhere, then you most likely
do not need to do anything more. The necessary permissions will
be 'inherited', ultimately from the root folder, e.g. C:\
In the example we've used so far, we don't need to do any further
configuration for everything to work.
Power User Information: To
see why, look at the NTFS permissions. Run Windows Explorer, and
browse to c:\Boystuff. Right-click the folder and select
Sharing and Security. Go to the Security tab and
look at the list. Note that the permissions are additive. Apart
from yourself and Administrators, how can the users Alasdair
and Fraser access the data in this share? It looks like
they are not included on the NTFS permissions!
answer is due to their membership in the Users group.
Click the Users group to see what permissions it has.
seem to have Read-only access. Yet, if you try it, they have Write
access, too! How can this be?
Scroll down, and see they have 'Special' permissions. This is
gray, indicating they've inherited this permission from a parent
What, pray tell, is Special Permission? Click Advanced
to see. In the Permission entries window, double-click Allow
Users(RONS-PC\Users) Special Inherited From C:\. You'll see
that it has inherited Write permission from the Root folder: