Folder Access - SiteKiosk Help

The following settings apply to the access rights the limited Windows user account "SiteKiosk" will have to the file system.

Note regarding network volumes:
You cannot use the Security Manager to prevent users from accessing any network volumes you may be using.

1. Explanations concerning the default values

1.1 User's read/write access
The default values provide the highest possible level of security. Users will be able to access the folder "My Documents" of the account "SiteKiosk" only for viewing, saving, or deleting files.

Note:
Please remember that there will be a folder called "My Documents" for each individual user. Thus, try and make sure not to grant any access rights to the "My Documents" folders of other users (administrators).

1.2 Running applications
The folders "Windows" and "Program Files" and their equivalents possess read and execution rights. However, they do not have any write access. This ensures that your users will be able to run most of all (necessary) applications.

If you want to make additional applications stored in other folders available to your users, you will have to adjust the access rights accordingly (read & execute).

Click on Programs for more information about the option to make programs available to the user.

1.3 Config folder within SiteKiosk's installation folder
For security reasons, you should save the .skcfg files you created with the help of the SiteKiosk configuration tool to the subfolder "Config", which is located in SiteKiosk's installation directory. In doing so, you ensure that users will not be able to gain access to the XML configuration as folder access is explicitly disallowed for the Windows user account SiteKiosk.

2. Explanations on the symbols used in tree view (legend)

Right-clicking a folder will open a context menu which will allow you to adjust the access rights to this folder. All the subfolders of this folder will then inherit the rights you just defined.

2.1 Read Only

Access to folders bearing this symbol is read only, i.e. users will only be allowed to view the content of the folder. This means that users will be unable to save or execute files.

2.2 Read & execute

Access to folders bearing this symbol is read/execute, i.e. users will be allowed to view as well as execute files stored in this folder. This kind of access right is required, for example, to access the folders "Windows" and "Program Files."

2.3 No Access

The user account SiteKiosk will have no access rights at all to any folders labeled with this symbol.

2.4 Read & write

Access to folders bearing this symbol is read/write, i.e. users will be allowed to both open and save files. Executing programs will, however, not be possible. You should definitely assign this kind of access right to the folder to which you want your users to be able to save files. You will usually want to assign this right to the folder "My Documents" of the SiteKiosk user account.
Users will then also be able to delete all files previously saved to this folder.

2.5 Full access

For security reasons, you should refrain from assigning this kind of access right altogether. This is because users would otherwise be able to download and execute (potentially harmful) programs from the Internet (provided you permitted Downloads). While this type of access will be restricted due to the limited rights of the SiteKiosk user, a residual risk will always remain.

2.6 User-defined

This option lets you assign the access rights of your choice to each individual folder.

The option "Specify no access rights" refers to the access rights Windows predefined for this user account.

2.7 Folder name printed in green (no inheritance)
Folders marked in green should not be edited in most cases. Usually these folders are system or application folders that have received a special set of rights from Windows to assure proper system usability.
The System Security Manager can only try to apply its own set of rights, but in most cases they will not be effective. Should this be the case, you need to use the Windows rights management to prepare the folder for changes to its set of rights, e.g. by taking ownership of the folder. Do such changes with extreme caution.

2.8 Folder name printed in blue (defined rights)
Whenever you use the Security Manager to apply the default settings or explicitly define access rights to a specific folder, the folder's name will be written in blue.
The use of different colors will help you to notice at a glance which changes to the access rights have been applied by the Security Manager.