-1

Is there a way to create a Windows 10 user account that has no write access outside of its own user profile?

I created a firefox account to run Firefox in a seperate account.

I put it only in the Guests group, but firefox still can write to drive D: (I guess via Authenticated Users rights)

weberjn
  • 99
  • 2

1 Answers1

0

This is not how the user is created but how you set up the NTFS permissions. You could

  • replace the permissions for Authenticated Users with a more restrictive group or
  • simply add deny permissions for the single Firefox user, because a deny always overrides any allow.

Realize that this may cause other problems like you won't be able to save files from the internet to locations where this user doesn't have access. It also isn't a suitable practice for business environments. The idea from the linked question was never advertised as a best practice while the exact question HOW was answered.

Also notice that the question is from 2014. Since, Firefox has decided to bring sandboxing back, increasing security with a better Process model.

Esa Jokinen
  • 46,944
  • 3
  • 83
  • 129
  • I'd like to not have to change access control lists on several drives and ten thousands of files, rather I'd change the user rights of the firefox user, so it cannot write access anything outside of its profile folder. As to Firefox sandboxing, this might work for Firefox, but the restricted user model would work for other software like Thunderbird, too. Also, I find Windows Security more trustworthy than that of individual software packages. Als for sharing files, the download folder of the Firefox profile is made accessable by my own user. – weberjn May 28 '17 at 08:21
  • There's no such setting. Anyway, if all _Authenticated Users_ has write access to everything, you do have a wider problem in your NTFS permissions that should be fixed. (Or if this is a standalone personal home computer, this is not the correct site for this question.) – Esa Jokinen May 28 '17 at 08:39