Welcome to PracticallyNetworked
 
Copyright 2003 Jupitermedia
By Ron Lowe and Steve Winograd
 

The file system in Windows XP is based on Windows NT and Windows 2000, so many of its features are new to users of Windows 95, 98, and Me.  In this article, we'll show you how to set up your Windows XP Professional computer to share its disks and folders with other Windows computers on a network, give access to desired users, and keep other users out.

In Windows 95/98/Me, you can assign a password to a shared disk or folder, so that only people who know the password can gain access.  That works well in a small home network where, for example, Mom and Dad know the password to the family's financial data, but Junior doesn't.  But it isn't practical in a large corporate network, where Windows XP Professional is likely to be used.  It's hard to keep a password secret in a large company, and changing to a new password requires giving it to everyone who needs to use it.

Windows XP Professional replaces password-based security with two alternatives:

  • Simple File Sharing is enabled by default on Windows XP Professional systems that are members of a workgroup (typically used in small networks) rather than a domain (typically used in large corporate networks).  For full details, see our article on Simple File Sharing.  There are no passwords or access restrictions and, with one exception described in the article, everything that's shared is accessible by everyone on the network.  Simple File Sharing is the only type of sharing available in Windows XP Home Edition.
  • By disabling Simple File Sharing, you can specify an Access Control List (ACL) for each shared disk or folder.  The ACL specifies which users are allowed to have access.

We'll show you how to configure Windows XP Professional to:

  • Disable Simple File Sharing for increased security and control;
  • Create user accounts and user groups;
  • Share a disk or folder;
  • Set up Access Control Lists;
  • Allow network access by users without passwords.

To illustrate the concepts, we'll:

  • Create user accounts for four people: Alasdair, Fraser, Iona, and Catriona;
  • Create shared folders called Girlstuff, Boystuff, and Kidstuff, which will allow different levels of access to different people.  Boystuff will be accessible to Alasdair and Fraser, Girlstuff will be accessible to Iona and Catriona, and Kidstuff will be accessible to them all;
  • See how the users access the shared folders.

Finally, we'll show you how to access Windows XP Professional's shared disks and folders from another computer on the network, adding some information about file permissions in the NTFS file system, and giving solutions for some common network access problems.

Disable Simple File Sharing

Disabling Simple File Sharing is necessary in order to enable the creation of Access Control Lists for shared disks and folders:

  1. Click Start | My Computer | Tools | Folder Options | View.
  2. Scroll to the bottom of the list of advanced settings and un-check Use Simple File Sharing (Recommended).
  3. Click OK.

Create User Accounts

There are a couple of ways to do this, but let's start simply by clicking Start | Control Panel | User Accounts.  We describe a more comprehensive method later.


You'll see all of the existing accounts on the computer. You probably created these when you installed Windows XP. You'll also see the Guest account. It may or may not be enabled, depending on whether you have previously enabled Simple File Sharing.



Click Create a new account, and enter the new user's name.  Here, we're creating an account for Alasdair.



Click Next, and choose the account type. This determines (rather simplistically) which group the user will be placed in. There's generally no good reason to grant remote users Computer administrator privileges, so select Limited, and then click Create Account.  The new account appears in the User Accounts window.



Repeat as required until all of the desired user accounts are created.



User Accounts: Password or No Password?

By default, a user account is created with no password.  This means the user may sit down locally at the XP machine and log on without entering a password.

However, by default, Windows XP will not permit a network user to access the XP machine using an account set up without a password!

You have two options on how to proceed from here:

  • If you want any degree of security, assign user passwords. This will, however, require the users to log on to their client machines using a password.
  • Many people prefer to set up their Windows 95/98/Me machines using Windows Logon and no password, so the machine boots directly to the Windows desktop without a logon prompt.  In this case, you need to make a Security Policy modification on the XP Professional machine to permit users without passwords to connect from the network.

Taking each option in turn:

Adding a Password to a User Account

In Control Panel | User Accounts, click the desired account, and then click Create a password.  Enter the password, and then enter it again to confirm it.  Enter a password hint if you'd like – a user who forgets the password can look at the hint at the logon screen as a memory aid. Then click Create Password to make it take effect.

In the User Accounts menu in Control Panel, the user account now shows as being Password protected.

The user must now log on to his or her local computer using that password.

Permitting Network Access Without a Password

To allow users to log onto their computers without a password and then access the XP Professional machine without a password, you must make a security policy change:

  1. Go to Control Panel | Performance and Maintenance | Administrative Tools | Local Security Policy.
  2. Expand Local Policies | Security Options.
  3. Double-click Accounts: Limit local account use of blank passwords to console logon only, which is enabled by default. Disable this option and click OK.

This will permit network access without a password. The user's computer can boot directly to the Windows desktop, and be validated against the corresponding XP Professional user account, without a password.

Note that the term “blank passwords” isn't technically accurate.  There's a difference between having a password which consists of one or more blank characters, and having no password at all.  This setting actually permits access by users who have no password at all. 

Power User Tip: If you want to explore user accounts in the raw:

  1. Click Start | Control Panel | Performance and Maintenance | Administrative Tools | Computer Management.
  2. Open the Local Users and Groups folder, and open the Users folder.

Here are your user accounts! You can fine-tune their settings from here or create new users using the Action | New User menu option!


Create User Groups

You may wish to group users together for administrative convenience.  For example, a university might define groups of users called Staff and Students.  Settings that you make for a group automatically apply to all of the users in the group, so you don't have to make the same settings individually for each user.

You can create as many groups as you like, include any number of users in each group, and include each user in any number of groups.  Here's an example of creating a new group:

  1. From the Computer Management window, open System Tools | Local Users and Groups | Groups;
  2. Select Action | New Group;
  3. Give the new group a name and description;
  4. Click Add to add users to the new group.
  5. In the Select Users window, set the Object Type to Users and click OK.  The Location should show the name of your computer.
  6. Click Advanced, and then click Find Now to see a list of user accounts.
  7. Select the users you wish to be members of the new group. You can make multiple selections by holding down <Ctrl> whilst clicking.
  8. Click OK twice.

Click Create to create the new group.  It can now be added to shares, the same way as individual users.

Create Shares

In this example, we've used Windows Explorer to browse to the root directory of the C: drive.  In the right-hand pane, we right-click, select New | Folder, and enter the name Boystuff.  Similarly, we create folders called Girlstuff and Kidstuff.



To specify sharing options for the Boystuff folder:

  1. Right-click the folder and select Sharing and Security.
  2. On the Sharing tab, select Share this folder and enter a share name.
  3. Add a comment if desired.  This comment describes the share and appears in My Network Places on other computers.
  4. Leave the User limit alone. On XP Professional, the maximum limit is 10.

Set Up Access Control Lists on the Shares

Click Permissions.  Notice how, by default, the Everyone group has Full Control. This means that all users can read, write, and even delete files.  That's not what we want at all!



To change the share permissions:

  1. Click Add, and then choose Object Types.
  2. Un-check Built-in security principals and Groups, because we only want to see Users.
  3. Click OK.  From this location should show the name of your computer.
  4. Choose Advanced, and click Find Now.
  5. Click on the users who should have access to this share.



Power User Tip: Ctrl-Click allows you to make multiple selections!

Click OK, and the users are added.

You may repeat this to add additional users.  When done, click OK.



You're now back at the ACL editor.  By default, the newly-added users have read-only access. If you want them to have read/write access, then tick the Change box. You need to do this for each user! Select each user in the list in turn, and specify Change permission. Don't give limited users Full Control.

To prevent Guest access to this share, we must remove the Everyone group!  Select it, and click Remove.



The ACL is now as we want it: Boystuff is only accessible by Alasdair and Fraser. Click OK to close the ACL permissions window.

Then click OK to close the share properties.  Now, only the specified users can access the shared folder!



Right-click the Girlstuff folder, then repeat the procedure above to give Iona and Catriona Change permission for the share. Remember to remove the Everyone group!



Finally, right-click the Kidstuff folder, and repeat the procedure to give all the kids Change permission for the share. Again, remember to remove the Everyone group.



The share permissions are now set up on the XP Professional machine!

NTFS Permissions

The Access Control List is a tool for protecting network shares, but it doesn't stop someone from walking up to the computer, logging in, and looking at the files on the computer. Share permission and ACLs don't apply to a user who logs in locally. To keep files private from other local users, Windows XP provides a different mechanism.  You can assign permissions to individual files and folders at file system level. This is called File Permissions, and it's only available on NTFS volumes. You can't set File Permissions on FAT volumes.

By default, Windows XP uses File Permissions only in the Documents and Settings folder, to keep each user's documents private from other users. When a user logs on locally for the first time, his 'Home Directory' is created within the Documents and Settings folder. The default settings for all of the folders and files in each user's My Documents folder are:

  • The owner of the file or folder has read and write permission;
  • Local Computer Administrators have read and write permission;
  • Nobody else may read or write to the folder or the files in it.

Notice that Administrators can look into the user's My Documents folder.  Be aware that any user accounts that you created when you installed XP are Administrator accounts, and that they can all look into each other's My Documents folders!  Individual users may step up the security a notch to remove Administrators from the list. Then, only that individual user can access his or her own files. When a user with an Administrator account sets a password on the account, Windows XP automatically prompts the user to step up the security on My Documents.  It's then called Private.

In order to access shared data, a user connecting from the network needs to get past both gatekeepers:

  • The ACL must allow access to the share;
  • The NTFS File Permissions must allow access to the file.

Having set up the share permissions, do we now need to do anything with NTFS permissions?

The short answer is 'It Depends'.

If the shared folder is contained within Documents and Settings (e.g. the My Documents folder), then you might. This is because Windows XP sets NTFS permissions within this folder structure to prevent users from accessing each other's data. It depends on whether the user accounts are Limited or Administrators, and it also depends on whether the shared folder has been previously marked as Private.

If you created a folder structure elsewhere, then you most likely do not need to do anything more.  The necessary permissions will be 'inherited', ultimately from the root folder, e.g. C:\

In the example we've used so far, we don't need to do any further configuration for everything to work.

Power User Information: To see why, look at the NTFS permissions. Run Windows Explorer, and browse to c:\Boystuff.  Right-click the folder and select Sharing and Security.  Go to the Security tab and look at the list. Note that the permissions are additive. Apart from yourself and Administrators, how can the users Alasdair and Fraser access the data in this share? It looks like they are not included on the NTFS permissions!

The answer is due to their membership in the Users group.

Click the Users group to see what permissions it has.



They seem to have Read-only access.  Yet, if you try it, they have Write access, too!  How can this be?

Scroll down, and see they have 'Special' permissions.  This is gray, indicating they've inherited this permission from a parent folder.

What, pray tell, is Special Permission?  Click Advanced to see.  In the Permission entries window, double-click Allow Users(RONS-PC\Users) Special Inherited From C:\. You'll see that it has inherited Write permission from the Root folder.



Connecting to a Share from a Client Computer

When a user on another computer on the network attempts to access a shared disk or folder, Windows XP Professional checks to see whether that user has permission to access it.  The client computer sends the user name and password of the user who is currently logged in, and the XP Professional computer checks them.  If those 'credentials' match an account on XP Professional, then it checks the ACL for the shared disk or folder.  If the ACL permits access by that user, access is granted; if not, access is denied.

On a client running Windows 95, 98, or Me, that's the whole story.  The user must be logged in with a user name and password that XP Professional recognizes.

On a client running Windows 2000 or XP, there's more to the story.  If XP Professional doesn't recognize the logged-in user name and password, it causes the client computer to prompt the user to enter a different user name and password. 
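
The access decision described above, combined with the two gatekeepers from the NTFS Permissions section, can be written out as a small Python model. This is an added example, not code from the original article and not how Windows implements the check. The function names, the `blank_console_only` flag, the sample passwords, and leaving Fraser at the default Read permission are assumptions made for illustration.

```python
# Simplified model of the network access check (added example, constructed data).
# Allow entries only; Deny entries and the Guest account are not modelled.
from dataclasses import dataclass, field

RANK = {"None": 0, "Read": 1, "Change": 2, "Full Control": 3}

@dataclass
class Account:
    name: str
    password: str = ""                      # "" models an account with no password
    groups: set = field(default_factory=set)

@dataclass
class Share:
    share_acl: dict                         # principal -> share permission
    ntfs_acl: dict                          # principal -> NTFS permission (same scale)

def granted(acl, account):
    """Permissions are additive: the highest Allow among the user's principals."""
    principals = {account.name, "Everyone"} | account.groups
    return max((acl.get(p, "None") for p in principals), key=RANK.get)

def network_access(accounts, share, user, password, blank_console_only=True):
    """Return the effective permission for a network logon, or a denial reason."""
    acct = accounts.get(user)
    if acct is None or acct.password != password:
        return "denied: credentials do not match an account"
    if acct.password == "" and blank_console_only:
        return "denied: no-password account limited to console logon"
    # Both gatekeepers must allow access, so the more restrictive one wins.
    effective = min(granted(share.share_acl, acct),
                    granted(share.ntfs_acl, acct), key=RANK.get)
    return effective if RANK[effective] else "denied: share ACL or NTFS permissions"

# Constructed sample data following the article's Boystuff example.
ACCOUNTS = {n: Account(n, pw, {"Users"}) for n, pw in
            [("Alasdair", "pw-a"), ("Fraser", ""), ("Iona", "pw-i")]}
NTFS = {"Administrators": "Full Control", "Users": "Change"}  # Read + inherited Write
DEFAULT_SHARE = Share({"Everyone": "Full Control"}, NTFS)     # before editing the ACL
BOYSTUFF = Share({"Alasdair": "Change", "Fraser": "Read"}, NTFS)

if __name__ == "__main__":
    for share_name, share in [("default", DEFAULT_SHARE), ("Boystuff", BOYSTUFF)]:
        for user, pw in [("Alasdair", "pw-a"), ("Fraser", ""), ("Iona", "pw-i")]:
            print(share_name, user, "->", network_access(ACCOUNTS, share, user, pw))
```

With the default share ACL, Iona reaches the folder with Change rights even though she was never added to it; once Everyone is removed she is denied, and Fraser's no-password account is refused over the network until the security policy is relaxed.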

Connecting to a Share from Windows 95, 98, or Me

The fol