Disable access to TCP/IP and DNS Network Settings on Windows 7

here's my question: i have a desktop pc Windows 7 powered with two accounts with administrative rights. One of those is used by my brother.

I study abroad so i need to be able to connect to my "home" desktop by VNC protocol to do assistance to my parents or technical service. So i set some DNS and IP configs. Now i'd like to prevent to the other account the network settings editing. I tried with the Group Policies Editor but i didn't succeed. With the other account i still can change DNS and TCP/Ip settings. How can i solve that?

Here's a pic of my Reg Policies Keys:

Thanks in advance for your help

DiTTiD

Posted 2012-09-20T15:58:02.220

Reputation: 388

Why not remove the admin rights for that account? – Dave M – 2012-09-20T16:24:44.013

Because i want the other account to be able to install games or apps... There's a way to specify which rights to be prohibited? – DiTTiD – 2012-09-20T16:31:20.917

In all seriousness... can you just ask your brother not to mess with those settings? – JoshP – 2012-09-20T17:21:25.040

Already done. But anyway is there no way to do what i'm asking? :D – DiTTiD – 2012-09-20T17:25:39.403

Answers

You could go a different route with a kind of "unmanaged" solution. That is, try TeamViewer or GoToMyPC, or something like that.

I have used TeamViewer to be able to have unattended access to a remote computer. That is, by default, many of these remote access softwares require someone to be on the other end to "Allow" you to take control of the computer (a good default). They may all allow for the unattended access, but I only have personal experience with TV.

Anyway, the whole point here is that there is no IP or DNS configuration to make it work, and it runs as a service so it'll be there after a restart or during a logout.

Lastly, it's free for personal use.

_{I sound like I'm selling this stuff lol. I'm not. It's free, and I use it on a regular basis. It's just quite useful :)}

JoshP

Posted 2012-09-20T15:58:02.220

Reputation: 2 236

Thanks for you answer... i already knew TV and practically is something similar to reverse VNC connection to a listening viewer. If i can't succeed in avoiding network configuration settings editing i will consider this solution. Thanks...

Anyway it seems very unbelievable that there's no way to do what i'm asking. Probably i will have to decrease rights level of the account hoping there's still a way for a non-administrative account to install softwares... – DiTTiD – 2012-09-21T09:59:33.200

Your problem is not technical, but a people problem. You do not have physical access to the machine, and others do. If you can't trust them to do the right thing, they might re-install the OS on the machine for all you know.

Perhaps they were having a problem, and called the ISP for help, and they suggested that change.

Tell your brother and parents to not change the IP settings if they want you to have access. When your parents need help, if you can't do it, tell them someone with admin access must have disabled your ability to help (be nice about it.)

If you have other reasons to access the computer as well (need files or whatever,) explain your need and what they can do to fix it. If the files are of a nature that you'd rather your family don't see, well, I can't help you there ;-)

Jon Watte

Posted 2012-09-20T15:58:02.220

Reputation: 575

I see your point and i agree with your suggestions. My point was just to avoid to explain how to newly set IP configurations to tech-outsiders by phone. Or, differently, how to set a reverse VNC connection. ;) – DiTTiD – 2012-09-20T17:00:01.713

I am not familiar with this policy, so I dont know the answer off the top of my head. But, in my opinion, you probably shouldnt do this. What if the network settings get changed by malware, or corruption, or even by you (accidentally)? There would be no way for you to remote in and fix it, nor would anyone locally be able to correct it either. Limiting local administrative rights, just isnt a good idea.

Keltari

Posted 2012-09-20T15:58:02.220

Reputation: 57 019

Ok... but i also need to prevent from editing because even in this case i won't be able to connect to my desktop. So what could i do? Just hiding it maybe... Is there a way to hide network properties? – DiTTiD – 2012-09-20T16:16:19.707

1Why do you want to do this? Has someone broke the network settings before? It seems to me you are trying to be overly cautious. – Keltari – 2012-09-20T16:18:34.533

Ya it happened just today, from manual configured IP settings someone changed in "Automatically get IP settings etc..." letting to the router the IP distribution organisation and preventing me from connecting directly. And i have a ISP-restricted router so i can't set automatic static IP assignment from it. – DiTTiD – 2012-09-20T16:30:51.353

Remove the admin status from the other account. There is nothing else you could do to prevent an admin from reclaiming the permissions you're trying to revoke. If you can't (or won't) revoke the account's admin status, then don't bother trying to restrict the account. The attempt is futile.

Ansgar Wiechers

Posted 2012-09-20T15:58:02.220

Reputation: 4 860

Thanks for your answer... I think i will do what you suggest. Is there however a way to allow to a simple user account to install software? – DiTTiD – 2012-09-21T10:01:26.643

Not really. And it's not sensible, too. "Installing software" can mean a great many things, including changing system settings (virtually every installation will require write access to the HKLM hive of the registry), creating system services, or installing installing drivers. Where would you draw the line? Even if you were able to restrict that person to creating new files/folders in %ProgramFiles% and new registry keys/values in HKLM, that would still affect all other users on the system, so you shouldn't grant these rights to someone you don't trust. – Ansgar Wiechers – 2012-09-21T11:39:20.823

The fact is not "trusting". The fact is avoiding noob actions. Anyway i will do as you suggested. Thanks everyone. – DiTTiD – 2012-09-21T13:55:26.377