Windows Confidential: Hiding in plain sight
Certain policies do precisely what they say they’ll do, no more and no less. Setting up a policy and hoping it does something else sets you up for failure.
The policy to hide drives in My Computer is merely a policy to hide drives in the My Computer folder. It’s not intended to block all access to the drive from anywhere. Since Windows 95, there has been a policy to hide drives in the My Computer folder in Windows Explorer. Perhaps not surprisingly, it’s called “Hide these specified drives in My Computer.”
Despite the name of the policy stating that it hides drives in My Computer, many think this policy does more than it says. Some think it can prevent access to anything on the drive by any UI provided by Windows Explorer or any other Windows component. Others think it prevents access to anything on the drive by any means whatsoever.
Let me reiterate: This policy hides the drives from My Computer. This includes viewing My Computer via Windows Explorer, or viewing My Computer via a File Open dialog box. That’s it.
One customer set this policy intending to block access to the C: drive, then realized users could still get to that drive. The users simply right-clicked a shortcut to a program on the C: drive, viewed its Properties, then clicked the Open File Location button to view the folder containing the shortcut target, even if the shortcut target resided on the C: drive. Then they could use Windows Explorer to navigate up the directory tree to reach the root of the C: drive because the policy doesn’t try to block in that case.
What the policy does prevent is users opening My Computer and clicking on the C: drive. If they can find some other way to get to the root of the C: drive, then more power to them. The policy isn’t a bypass of the Group Policy to hide the drive in My Computer. The policy did exactly what it said it would: It hid the drive in My Computer. There was no bypass where the user found some magical way of getting the C: drive to show up in My Computer. The magical bypass was in the administrator’s imagination of what the policy could actually do.
This policy is intended to make it less likely that users will explore into a drive that you’d rather have them not wandering into. Perhaps you use this drive for backups or some other administrative function that shouldn’t involve your users. If you really want to block access to the drive by any means, you need to use the proper security mechanisms. Set the access control list (ACL) on the drive or subdirectory to allow access only by those to whom you want to grant access.
During Windows XP development, we received a request from a customer to expand the scope of the “Hide these specified drives in My Computer” policy to cover other types of access to the drives. We tried it for a while, but it wasn’t long before we got a bug report from another corporate customer. He was specifically relying on the fact that the scope of the policy is very narrow. His company removed the C: drive from My Computer, but still wanted the drive accessible by other means because they put the user profile on the C: drive. You obviously want users to be able to access their own profiles.
Indeed, if Windows Explorer truly blocked access to the C: drive, the user wouldn’t be able to do anything, because the C: drive is where all the Windows OS files hang out. Asking for the scope of the “Hide these specified drives in My Computer” to be expanded to cover all access to the drive would cause a user to not be able to access the computer at all.
If that’s the ultimate goal, there’s a much easier way to accomplish that task: Simply take away their computers.
Raymond Chen’s Web site, The Old New Thing, and identically titled book (Addison-Wesley, 2007) deal with Windows history, Win32 programming and migratory mailboxes.