Slashdot Mirror
Windows XP, Games, and Administrator Privileges?
An anonymous reader asks: "I manage my kids' computer, running Windows XP Professional, with an iron fist. They have limited access rights as I do not want them accidentally deleting the wrong file or downloading trojan software. However, software products, particularly games, fight my user management schemes at every turn. Each user on the computer is member of the 'Gamers' group. This group has full access to the games directory, the place I install all of the game software. I did this since games often need to update configuration files or write save files. Despite these changes, I still run into problems. Our latest two games, Age of Mythology and Battlefield 1942, require administrator privileges irrespective of the file privileges. I have not been able to overcome the problem and it seems, based on Googling, that others are in the same boat.
Fellow Slashdot readers, what have you done to overcome this problem?"
In the long term teaching them what they should and shouldn't do will prove to be the best option to achieve this.
1- Dual Boot (WinXp for you + Win98SE for your kids)
2- A ghost image of the win98SE partition
3- Let them play
4- Wait for them to say "Dad it doesn't work anymore !"
5- Restore your ghost backup
6- Goto 3
Seems a bit dub, but it works better and it's less a pain than managing XP user rights.
____
nico
Nico-Live
I know it's not the answer you want to hear, but maybe the best thing to do would be to give your children administrative access. Not having full access drives me absolutly crazy. I was practicly on the verge of killing someone when I realized windows likes to create empty folders in "Program Files" and write protect them against any means of destruction.
If you're still worried about your children mucking up your computer, I totally understand. I've troubleshooted so many computers that were dying of bloat. 55 Processes on boot can sure cause trouble. Consider building a second box for your kids, or even reaserch the possibility of doing a dual boot XP setup (is it possible?)
Unfortunatly a ton of programs do not adhere to the exact standards they should, and there really isn't a way around it. XP easially lets you grant someone full control, or none, but this dosen't mean every program is going to listen and act the same. The sad realty is to get anything done on a Windows box, you have to sit logged in as an admin. It's ironic that a Microsoft published game is one of the ones giving you pains...
Though, to address your current problem, you could create a new user, use the policy manager to only allow one of the troublesome games to be run, and grant them admin rights. Then use the "Run As" feature of XP to run that program as this new user, from the kids login. Just keep an eye on where the game is saving files, as it could be doing so in the new users home folder somewhere.
At lot of games should also be available on an Xbox.
Having one of those will save you the grief of having to maintain a system for gaming
I'd pass a law that all PCs should be sold with a label on them that says "this is not a tv. this is not a refridgerator. this is not a toy. this is not a consumer device. this is actually quite complicated"
:
Options include educating your children in the proper use of a PC, buying a console for the kids to play games on, or, and this is radical thought
How about going outside and playing with a ball, giving them full administrative rights over the size and shape of the ball and the rules of the game, and the option to include additional sticks.
Normally I'm nice and productive and helpful but just occasionally I feel the need to vent and troll. Today is one of those days.
erroneous: look me up in a dictionary
I've a 10 and 8 year old who play Warcraft and Age of Mythology. My fix it to let them do what they want and accept the consequences it the system broke. Sure enough it wouldn't boot after a few months.
Rather than rush to fix it, I spent a week doing nothing but said I "was doing research into how to fix the problem." The 1 week without games was sufficiently traumatic that there's been no problem since.
1000s Warcraft Gold while you sleep
Use the secondary logon service. Right click on the game program short-cut, select properties, under the "Shortcut" tab click on advanced, then check the box that says "run with different credentials".
It'll prompt you for the administrator password when you run it.
Encourage your children to be involved with reality, in which everyone is an administrator.
Use Regmon and Filemon from sysinternals.com to discover which files/keys the program is trying to modify and is failing on. Then adjust the ACLs on those files/keys so that the Gamers group has write access.
One of the conditions for obtaining the "Designed for Windows XP" Logo is that the program must be capable of being run under a Limited user account. If MS's own software isn't capable of this then you ought to report it to them as a bug.
The situation with XP home which only has "Limited" and "Administrator" account types really does not help people adopt more secure working practices.
The situation ought to improve in future but at the moment it does not seem to be something that most developers test against.
"Taligent is still pure vapor. Maybe they'll be the last who jumps up on Openstep... "
Try using VMWare.
you can isolate the game in its virtual copy of windows and grant it only limited acces to the real Network/Drives/System.
As of Postgres v6.2, time travel is no longer supported.
Microsoft appear to have a patch for this problem, I don't know if that will fix it for you.
Other ideas include giving "Gamers" full access to the "Program Files" directory in case it's trying to write there rather than your games directory.
If that doesn't work then perhaps mail the CD back and ask for a refund. There is no reason any application, least of all a game should require admin rights for normal operation, and if it does, the software is not fit for the purpose it was sold for.
It has become appallingly obvious that our technology has exceeded our humanity. --Albert Einstein
Is there a Microsoft document that defines the boundaries between the operating system and user-installed applications? I haven't run into any problems with the Windows applications that I have written, but I haven't written any particularly large and complex programs for Windows. I've always assumed that files in the installation directory, and the directory itself, should be treated as read-only. Any new or modified files should be in the user's file space.
Mea navis aericumbens anguillis abundat
I've got the same setup for family of mine where they only use internet browsing and mail as multiple users. (They don't even use fast user switching.) And even though they all use restricted accounts, they still seem to be able to corrupt system registry hive files.
;)
My advice is not to even waste your time with this. I'm sure your time is worth so much that you could have afforded another PC, or at the very least Hard drive imaging and restore software.
It's best to let kids loose on a machine, and if they mess it up, you just restore it... it's their (save game) loss.
They will learn about all those vital microsoft tricks like backing up your important data and do not install all that junk.
It's also imporant then to get them each a machine, but since you will not be wasting time admining those machines anymore, I'm sure you will have a lot more time and thus money.
I mean, really, since Win NT 4.0 the graphics drivers have had admin rights... and you are still denying this to your kids!
I think the best admin policy is education of the user. Also keep a system restore handy with software such as Norton Ghost (with all the propper patches already installed to protect against internet worms etc.) as well as good anti-virus software. Believe me, this is the cheaper solution..
If it is truly the kids computer (so you have another one with all your important data on it), then I should let them have full privileges, and let them explore the computer on their own.
How else will they know what a computer can 'really' do, if you just let them have restricted access to a single game directory.
Let them explore, let them familiarize with the computer, they learn from their mistakes: if you do something wrong, like deleting system files, you probably wont try that again.
When my parent bought me (well it was ment to be for the whole family) a 286 computer with dos installed, I knew nothing, and neither did my parents.
so I explored, and I found a 'help' command, and a 'dir' command, and I found different types of files (the ones you can execute, and others)...
So once again:
It's not that bad when something goes wrong, format the disk, and reinstall.
However I would recommend on restrincting access to the internet, so they can't accidently download malware.
Time is the only precious thing I've got left; Don't waste it
Now that you mention it, I have often wondered about all of those processes, and which ones might be safe to kill (or preclude from starting in the first place...).
/or Win98 have crossed my path (if not my eyes... ;-)
/.ers?
Are there any lists - by Win op sys - that
spells out what they are/do, when it's safe to (preclude starting or) kill them & which file(s) get loaded to become that process (eg so we can watch for growth in the file names, suggesting viral additives)?
Also, weren't there some groups that had come
up with "minimal Windows" configurations for
various operating systems?
Today, our main Windows op sys is NT 4.0 Workstation, but a few Win95 &
We're the dope, fellow
These kinds of problems are most certainly related to file and/or registry permissions. Working at a K-12, I'm often troubleshooting software that won't run as a normal user. I've found the majority of the problems are related to poorly written software trying to add and modify files to the SYSTEMROOT directory (usually c:\windows or c:\winnt). The rest are usually solved by opening up permissions on the applications registry keys under HKLM.
Get yourself a copy of RegMon and FileMon from Sysinternals. You'll need to logon as an Administrator, start up reg or filemon, then do a RunAs on the application to run it as a normal user. You'll probably want to filter the output of reg/filemon to only show activity of the app itself, otherwise you'll be looking at all activity on the system. Look for ACCESS DENIED errors in places where normal users can't usually write. Slowly open up those areas to modify access until you've found a solution.
"Start --> Help --> Search --> Power Users" to get a list of the things Power Users are able to do and what they are restricted from doing.
Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
You'll send them Micheal Jackson's house for a night?
How bout creating a FAT32 partition where you put all your games on? And maybe move the My Documents folder for the game-user to the same partition or something?
Are you a BOFH or not ? Just because they're your kids, they shouldn't go away without a good LART .
-
Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
Create a shortcut and use "RunAs" to run it under an administrator account.
Works fine for me for other games.
I understand the sentiment that people think you should just teach them to not do stupid things and give them full access. While that is nice in theory, it is hard to teach children, especially younger children the important lessons without burning through a few computers. Unfortunately, the brighter they are, the more likely they are to break something. On occasion I head home and every time I do I have to fix two machines FILLED with Trojan programs and spyware. I educate, but there is only so much I can do. Kids are stupid and can be tricked, pure and simple. If you have a shared computer that does serious work, then it means constantly fighting the crap that gets on just to keep important things running. If someone could answer this question, I would appreciate so I don't have to constantly be battling to keep these computers working.
The best solution of course is to get them their own computer to use and destroy. This is fine if your kid just wants to beat around the Internet as you can buy a cheap POS computer for pocket change these days. However, if you have a young aspiring gamer it becomes much more difficult, as a gamer needs something with power behind it. Dropping a couple thousand dollars just for a kid to have his own computer no one else uses is a rather expensive proposition.
What I would REALLY like answered is if there is a way on an XP machine to keep Trojans and spyware programs out. Yes, I know adaware and spybot can clean this stuff, but I have found that most of the time it is far too late and the damage is done. Does anyone have any good suggestions for keepings this crap off in the first place?
One other thing you might consider is the fact that Windows XP initiates the Compatibility Engine on a lot of games. One game I can think of right off the bat that does is The Sims. A user needs to be either in the Power Users or the Administrators group in order to run a game or any other application with this engine included in use.
There are a few things you might consider doing. First would to be to google to figure out how one might add the "lesser" users to be able to use the compatibility engine, or at least to run those particular applications (games) with elevated privledges. Another is to write a simple script to use the "runas" command to automatically run a program as administrator using a cached password (in the registry) to run the game in question and then creating a shortcut to that script on the desktop (or wherever) to run the game.
One other thing you can do is add your kids to the power users group then use the Local Security Settings mmc and right-click on "Software Restriction Policies" and chose "Create New Policies." You then can start creating rules of what directories are accessable on the computer (make sure in the "Enforcement" policy to choose "All users except local administrators", you don't want to lock yourself out). You can refine which folders they are granted or denied access to by right-clicking on the "Additional Rules" folder and choosing a new "hash" rule to specify a particular application itself, or a new "path rule" to specify an application path (which'll include EVERYTHING in all subfolders within that path.)
These are just a few ideas to get you started down the path.
Unique.
I have found this to be the case, too. I didn't want my gf's son (an 8 year old) having admin access on my XP machine, but half the damn games required admin access.
This required rightclicking on the game's shortcut, selecting 'run as' and calling me over to type in my admin password... several times a day! )(#@()$*@#()$&@#$@#
Its not that programs want to write to the registry, or system files, or anything else.
It simply seems to be the cd copy protection... most games have various types of cd copy protection (i dunno, daemon tools can emulate most of them when it mounts iso's, but anyway). It seems the games require admin access to perform their little sneaky copy protection checks on the CD...
Personally i think this is a real pain in the damn ass (why do we need the CD in there anyway! The game is already installed FFS) and now we require to give all kids admin access on XP machines just to play games! Its a damn nightmare.
No wonder we hate software manufactureres for all their sneaky copy protection, serial keys, product activation, and now needing admin access to run anything.... *sighs*
I'm glad i bought my titanium powerbook. And last week i bought a used G4 cube. Forget windows....
D.
You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
Why don't you make a gaming system just for them and one for you.
Install XP Pro or Home (whichever you have) on each partition.
Give the kids admin to *their* OS partition. Wait for them to muck it up, reboot into *your* partition and play your games whilst laughing about how your OS partition works!!
You will probably find that many many games require essentially "root"/Administrator/System access to hardware like CD players to verify whether there is really a CD in the drive. It is stupid and sucks. There are a couple of programs that allow you to mount CD images on disk...but I don't know how shady or legitimate such software is...and I still think some games somehow really really touch hardware...they do some out of band calls directly to hardware or something.
It's 10 PM. Do you know if you're un-American?
A list of system processes, what they are for etc.s pro/pr ocesslibrary/
http://www.liutilities.com/products/wintask
A lot of system services share process space with each other. You will have 3 or more svchost processes. To find out which services are safe to disable.
http://www.blackviper.com/WinXP/servicecfg.htm
"Taligent is still pure vapor. Maybe they'll be the last who jumps up on Openstep... "
No, they don't. It says right on that page to "try logging in as an Administrator" before it says to install the fix.
The reason the games need this is because of the CD copy protection; they need to access the drive directly to be able to see whether the bad sectors/whatever hidden data they're looking for are there. You could try cracking the games and seeing if that helps, as I'm pretty sure that's the only they need Admin access - a good site for cracks is GameCopyWorld. I often use them because I'm a lazy bastard who doesn't want to risk ruining his (original!) CDs by switching them around all the time, and I've never had a problem with any of the cracks I've downloaded from there.
One other possible method.. Isn't there a way to have Windows "run as" a different user (ala +s on UNIX)? So you could have it run as some special Admin-priveleged user, while keeping them in the non-Admin account most of the time.
My English teacher once told me that two positives don't make a negative. Two words for her: Yeah, right.
I'm a Network admin (sort of learning as I do) and I am starting our PC migration to windows 2000 pro. Learned about RIS etc. The issue lies in 1 application that is used to access our POS software. It wants to modify a registry entry when it opens. I want my users to be users, not power users (to stop them from installing crap like webshots). I can't really use runas because if I change the admin pass, i have to go box to box and change it. Any ideas? Can I set permissions on registry keys?
You can try configuring the program to Run as the Administrator. I've found this helps in many cases.
/. story on such software a few weeks back. Keep your data on a separate drive / partition.
I like the ideas that have been posted of using drive imaging software to do restores of something thats completely FUBAR. While Norton Ghost works very well, there are Open Source options that are a little more work. There was a
If the hard drive is large enough, a multi boot system is an option. One install lets them into a system where they have admin rights, another lets them into a system where they don't. Have the "Work only" partition(s) hidden from the "Gaming" partition, and as long as the boot manager and the "work" partitions are untouched you can still get in to do work.
This is assuming a laptop, or a second computer or a second system on the same I/O via a KVM switch are out of the question due to cost. I love how so many people say "Just buy X, Y and Z" never thinking about the possibility that someone might not HAVE the cash on hand due to any number of options. (Saving for the Kids' college, money is tight, Johnny needs braces and the company dental plan sucks, saving for a family vacation and so on)
My home setup involves two computers. One is the Linux box that has my vital data and is used for work, the other is the "Who the Hell Cares what happens to it" Windows box for burning DVDs, gaming and general futzing around. They're both on the same KVM switch, so I can toggle between them.
"Live Free or Die." Don't like it? Then keep out of the USA
yeah, because they can really play so many FANTASTIC games under linux (and don't give me shit about emulators and the like, if you have to jump through those kind of hoops just to play a game, then windows *IS* the better solution for his needs.)
I reject your reality
If you feel like investing the time, and have another machine that can act as a Domain Server, Group Policies could help a bunch with this. Join the computer to the domain, setup the logins for your kids, and set them up as administrators. You can then configure Group Policies for their logins to strip away their access to anything you don't want them getting into. Pretty much everything from preventing desktop wallpaper changes to preventing them from running Admin Console is available.
Oh yes, you've got complete control! You're a control-master! Or a f**king asshole if you ask my opinion.
Why don't you take some medication and let your kids have fun instead of putting them in a sandbox? I'm sure they could learn things you don't even know, but because of your "iron fist", they can only play games.
I learned programming at the age of 7 on my own. Would my parents allowed me to do only things they knew about, I probably wouldn't be into computers anymore.
I wish I could put my iron fist in your face.
I've found that the 'stick the gun to the bunny's head' trick always works, 'break the computer and the bunny gets it!'.
Natural-Selection Be
I've seen this before, but never actually done it:
...). I've seen this done before but don't ask me how to do it.
Set up a linux machine as an application server and have the machine basicially do a diskless boot from the linux partition (read only). Then, have a disk on the actual machine that they can write to (save game files, etc
Anyway, that way, you're sure that every time the kid boots the machine, he/she is getting a clean OS and they can save their data to their own disk and not interfere with the other users or the OS.
I've seen a lot of posts saying a lot of things, but none of them has mentioned the ability that XP has to run an app under different credentials, for that single app.
If you right click on the application's shortcut, in the "Advanced..." menu you can check to allow it to run under different credentials. Now, when the kids start up their game, they'll get prompted with a user login screen, or choose to run under their own username. This would require you to log them in as an Administrator or similar, but it'd allow the protection you want, since it'd be just for that game.
-Julius X
remove "-whatkindofspamdoyoutakemefor-" from email to send
I'm not sure if this has been posted or not, but try this (this is how it works in W2K, dunno about XP):
1) Make a copy of the admin account and make the password something easy for the kids to remember.
2) Go into the local security policy, add the account to the "Deny Logon locally" entry under "Local Policies/User Rights"
3) Give the password to your kids and teach them how to do the "right click + run as" thing.
This way, they can run the programs when they need to, but they can't log in using that account and screw up the system.
Often this is caused by copyprotection mechanisms. After "unprotecting" some games (because i don't want to hava cd's always in drive), many games work without special privileges.
Apply local Group Policy to the Administrators Local Group on the machine to prevent them from accessing or changing any system settings you are afraid they may alter. This is done by clicking Start - Run - and typing MMC. Add the Group Policy snap-in and select the Local Machine when prompted. Change all the settings you find necessary.
DO NOT LOG OUT at this point or you will apply these policies to your own account.
Now use explorer to browse to C:\WINDOWS\SYSTEM32\GROUP POLICY. Change the permissions on this folder to Deny Read but allow Write to your personal account. Make sure that Read is still applied to the Administrators Group.
Log out and back in. You have applied Group Policy to everyone that uses the machine except yourself. By bocking Read access to that folder you have made it impossible for the machine to read the policies to apply them to your account.
You will need to grant yourself Full Control before changing these policies in the future. This is the method we used to lock down 2000 machines in an NT4 Domain.
Hope this helps.
It's nothing, just you're carbodyluminocap acting up... just a couple of hours to fix.
Buy them a Playstation, if you want to stop them using the games machine as a computer.
I hate to sound like a jerkass here, but if your kids are old enough to be playing BF1942, then how they not old enough to have your trust not to mess up the computer. If you are overly concerned about them messing up the computer, maybe you need to get a separate computer that only you use.
Good point.
I know the computers at my lcoal YMCA are a mess. A restore on reboot would be a very good thing for them as well.
"Live Free or Die." Don't like it? Then keep out of the USA
I ran into this problem on my girlfriend's PC (my own games PC has 98 on it - I don't want all that Fisher Price style garbage taking up CPU cycles - I ned all the frame rate I can muster!). I created 2 users, both with admin rights. I installed a game she bought ("Harry potter and the strangely boring FP collectathon" or something)under her user id. It won't start. However - here's the wierd bit - log in under any other user id and it works OK - even users created *after* the game was installed on the machine, and even users with no admin rights. Only the admin user that installed the game has problems - which happens to be the user she logs into the machine as.
:)
I also did a google search for the error it generates (sorry can't remember it now) and found that whilst loads of people had seen this issue with XP - none of the threads had definitive answers.
I'll get round to destroying all the user profiles and starting again someday soon, but for now - she's gonna have to stick to Bejewelled
Many newer titles (like Halo PC) run just fine in LUA scenarios. The only exception is of course patching the game, which should be done by the trusted authority (i.e., parent) anyways.
In the future check for and insist that all games you purchase are LUA compliant. Let the publisher know this matters to you.
Remember, change starts with us - the consumer.
Simple: Dont let them play games.
What I do is to have machines set up specifically for games. On these windows gaming consoles everyone is an administrator. I retain a copy of the image of the last good install so that I can go back that to very quickly in the event of 'oops'. If you only have 1 'good PC' and you want to do work on it as well as play? Just dual boot and store your data files on a file server, which can be your old PC with an over-sized harddrive.
You might try giving them access to the registry. Also there are two programs that lets you peek at what a program is doing to the file/registry.
http://www.sysinternals.com/ntw2k/utilities.shtml
BR
If you let them build a computer, you will face two big problems.
A: "Daddy, Daddy the new Athlon Opteron cam out!!! Can we have $600 for it and a new motherboard?" or similarly "Jimmy got a new computer and it is 3.0 ghz. 2.8ghz isnt enough, can we have $700 for a new Intel Extreme 3.2ghz processor?"
B: *SNAP* "Daddy i think i broke the connectors to the hard drive." or whatever valuable part you choose.
So if you have a couple thousand dollars to spend on computer parts, sounds like a good idea.
Mod Wisely.
Just use the run program as another user option and let the game run as administrator.
I unfortunately had a need to test some software I was developing for a client on various XP testbeds. I needed to test for various conditions requiring many reinstalls of XP. I didn't want to be tripping over the activation extortion scheme, so I went out and bought a large second drive. I split this drive into 2 partitions. On the first one I installed Linux. On the second, I installed Windows XP. This partition is disposable and where all of the games would go. I also installed XP on the first drive. Configure the machine to boot off the second drive. I used GRUB and configured the menu options to hide the 1st drive when booting into XP on the second drive. This prevents children from mucking up anything on the first copy of XP. Configure GRUB to show all drives when booting off of XP on the 1st drive. Boot into XP on 1st drive. Run Backup of XP on second drive to a file on the 1st partion. Since no files are open, you get a complete backup. When second XP fails, boot into 1st, delete all files on the second partion and the restore from backup.
If you can't get the machine to boot off the second drive (some poor quality bioses wont allow you to), you will need to reconfigure your drives so that the Linux runs on the first drive.
Quit playing Monopoly with Bill.
Linux - of the people, by the people, and for the people.
Turn on the auditing feature and set it for access failure. Log in to the locked down account and try to run the game. Go into event viewer and look at what resource was denied (use Run As). Then set the priveledges to this resource appropriately. Repeat untill all of the required resources are set and the game runs
Quit playing Monopoly with Bill.
Linux - of the people, by the people, and for the people.
Try a denial of service approach instead of a power enabling approach. Set your kids' account(s) to an administrative role. Then add them also to a "Kids" group. Then for all the Directories/Files that you want to restrict access to, place denial permissions for the "Kids" group. I would assume that you would do this for just about every folder except their account settings folder and the "Games" folder.
One thing I would like to note is that I wish game developers were more concious of the fact that not all players will have administrative rights on their machines and should code it the 'correct' way for multi-user systems. I have done this on two separate projects myself and the process of making the game multi-user friendly is only about 10 (15 max) lines of code during installation and MAYBE an extra 50 lines of code in the actual game itself. That's hardly even half a day's work. In fact the only part of a game that MAY need administrative properties should only be the installer itself (or perhaps a service/daemon oriented server mechanism).
I'm all for laziness... even to the point of vowing upon it as a prime virtue... but that's just rediculous guys.
Please note that we added support for LUA scenarios in the Age of Mythology expansion pack, The Titans. Which isn't a real answer to your original question, but as you might infer from it, we are spending more time and effort on making sure that LUA works on our future titles.
(I was the lead programmer on AOM & AOM:Titans and wrote the relevant LUA code for the game)
-- Rob "Xemu" Fermier
Stop using XP, embrace an operating system that you can actually secure.
at work we had a problem with users not being able to burn cd's due to the fact that they didn't have administrator priviledges. turns out that there is a group policy that you can set for users to let them have full access to the cd drive. you should check into that.
In short, you can tell XP to run certain apps as another user. I'm too lazy to look up directions.
Google it.
J
Install VMware workstation 4. The only disadvantage is the $299 price tag.
EXCEPT that the primary apps he runs... i.e. video GAMES break the MS security model...forcing him to give too much access to his "users" allowing them to run the game, but also to get spyware, ... get it!
It's not about controlling users, it's about the computer running properly. Part of a computer running properly is preventing the user from screwing it up if at all possible! Again, what happens when the kids are playing online when the next "Blaster" comes thru wiping out admin boxes because something is open and tries to crash the internet? This guy is trying to do EXACTLY what all the MS experts are telling him to do and it DOESN'T WORK!!!! it should work, there's no excuse that you have to give ANYBODY admin rights just to run a program...or that a HOME USER should have to worry about complicated privillages simply to run retail boxed software...that is a fundimental designed security hole in the OS!
I only mention this because I've had a lot of problems at work as a result of our server setup guy subscribing to this philosophy. Sure, a 6GB windows partition and a 40 GB data partition for programs sounds nice, but when C fills up you're hosed.
Frankly, it's not just games that require administrator access - almost any type of software has this problem. The last time I tried Open Office I could not use it for this very reason. My students had limited accounts and Open Office requires admin rights to run.
Try using Mac OS X or Linux. Someone said above that that is not really helpful - but I think it is - you can't fix broken Windows and you won't have these problems in OS X. The OS X setup for limited users is a dream - and I've yet to run into any problems with programs not running if you (as admin) have specified they are allowed to run.
Not to mention the lack of Direct X/3D on OS X. Basing the games on OpenGL means they work and no crashes. My gaming selection is smaller on the Mac - but my gaming experience on the Mac is way better than it is on my PC.
Have you tried setting up a user group for the kids and only allow them access to the files needed, aswell as read/write access to the registry? Seems to work for my non admin account for battlefield and asherons call
www.deepfreezeusa.com offers a program which installs itself at bootup and will intercept hd write calls and direct them in the free hd space behind the actual data. What this does is that the computer boots into the very state the computer was at when you installed deepfreeze.
...
That means you can even FORMAT THE HARDDRIVE and reboot it without any data loss. Of cause you can submit the hd changes to the harddrive if you know the right password, this way you can install new games. Its also possible to exclude certain directories so that games can save their config files or autoupdates ( Valve's steam comes to mind ).
We use it successfully in several schools around the area, and it stopped the need for reinstalls alltogether. No nudity background pictures, no filesharing tools, no spyware, no stupid bookmarks
I've used the demo of this program and works like a charm.
Heres a snippet from the webpage
My Kids are always messing up my computer - How do I purchase Deep Freeze for home use and what should I know?
Purchase the Deep freeze Home Edition
You must be aware that that absolutely nothing can be saved to or deleted from a Deep Freeze enabled system. If Deep Freeze is enabled and you save any document, it will simply not be there the next time the system is re-started. There is no way to "recover" saved work, so please make sure that you disable Deep Freeze during a session when you want to makes changes.
There is also no way to recover your Deep Freeze Password, so please ensure that you do not forget or lose it.
If you have more that one partition or fixed drive you can save your data by leaving one or more of them unfrozen. During installation, Deep Freeze will automatically detect that you have more than one fixed drive or partition, and will ask you if you which ones other than C: that you want to "freeze."
Our Deep Freeze Home Edition is identical to Deep Freeze Standard and it operates just like our 60 Day Evaluation Version. Deep Freeze Professional is designed for large deployments and is not available in a home version.
Candle burns its brightest in the dark
Take a look at this page. The use of the "cacls" command given near the bottom of the page works for me. I run that command when a specific game fails, and it generally does the trick.
I mod down all the "free iPod"-sig losers.