|You are correct, sir! Basically, WFW is just what it implies...it's a Windows Workstation designed to function within a single Workgroup on a Domain. There's nothing locally on the PC that's going to prevent anyone from getting to anything on that particular machine...as the entire thing is a single user workstation that just sits atop of DOS and there's little you can do to prevent the user from getting to DOS and perusing the entire hard drive at will. You can try BIOS passwords that stop the user from getting to DOS during bootup...that just takes a simple battery pull to negotiate (sad, but true). You can put in security programs to load with autoexec.bat...so they're taken to some kind of a login...a simple CTRL-C will end that endeavor. There's other creative solutions you can try, all with a workaround. In essence, a PC with DOS/WFW installed had best not contain anything you don't want anyone to see...because it's incredibly easy to get to. As for the network resources they have access to - things are much more promising there.|
For your purposes, I'd set up some sort of an NT server...pick any of your more robust machines and it should be able to do the job. Or, with a router, set them all up with the same workgroup and designate one machine as the secure repository and create shares on that machine opening up just what should be publically available. Then the WFW user would get to Windows and then go to their File Manager to try and get elsewhere. At that point, when they select the network resource, the external resource would handle the authentication and priviledges and restrict their access to things you want secured. Just make sure your server isn't accessible by the same person as they'd just need to switch chairs to get at the very data you just tried to lock them out of! :)
The path to Hell begins with Microsoft.