2 Private networks to share one broadband connection

I want to have a parents' network and a children's network at home which are
conpletely invisible to each other.

I have XP pro on the two machines I want on one network and XP home on the
other two networked machines. Can I do this with one router and controlled
permissions?
--
self built
MSI Radeon chipset m/b w. 512mb
Athlon 64 3000+
Leadtek PVR2000 analog tuner
WMCE 2005

In news:E65F06C4-C26C-45DA-83A1-4E1C4A45EA1A@microsoft.com,
phillipo <phillipo@discussions.microsoft.com> had this to say:

My reply is at the bottom of your sent message:

> I want to have a parents' network and a children's network at home
> which are conpletely invisible to each other.
>
> I have XP pro on the two machines I want on one network and XP home
> on the other two networked machines. Can I do this with one router
> and controlled permissions?

Yes.

Galen

Okay, I was going to leave it as that. I figure I'll give you a bigger hint
than that though. On the Pro boxes disable simple file sharing, then set the
permissions for it. Establish a group, say adults, and allow them access to
the shared files. Disallow the kids group access. To disable simple file
sharing open Windows Explorer, click tools, options, view, scroll way down
to the bottom, disable simple file sharing should be ticked by default -
untick it.

Galen
--

"And that recommendation, with the exaggerated estimate of my ability
with which he prefaced it, was, if you will believe me, Watson, the
very first thing which ever made me feel that a profession might be
made out of what had up to that time been the merest hobby."

Sherlock Holmes

In article <E65F06C4-C26C-45DA-83A1-4E1C4A45EA1A@microsoft.com>,
"phillipo" <phillipo@discussions.microsoft.com> wrote:
>I want to have a parents' network and a children's network at home which are
>conpletely invisible to each other.
>
>I have XP pro on the two machines I want on one network and XP home on the
>other two networked machines. Can I do this with one router and controlled
>permissions?

No. Permissions can't make a machine invisible. At best, they can
make a machine visible but inaccessible. But XP Home doesn't support
permissions for network shares -- only XP Pro does.

For complete isolation and invisibility between the networks, get two
more routers (they're inexpensive) and connect the Internet (WAN) port
of each new router to a LAN port of the old router. Connect the kids
to one new router, and connect the parents to the other new router.

Make sure that the new routers use a different TCP/IP subnet than the
old one for their local area network addresses. For example, if the
old router uses 192.168.1.x, use 192.168.0.x on the new ones.

I use exactly that setup at home. The main network is for my
computers and my wife's computer. The second network is for clients'
computers that I'm working on, which might be infected with viruses
and spyware and can't be trusted to connect to the main network.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

Hi

As mentioned above, Network Segregation is the solution and it can be achieved with an
additional Router (less than $20).

The order of the Networks Installation can make a difference too.

Install the less secure Network (I.e. the kids) directly to the Internet Modem.

The Network that needs to be more secure goes second. Doing so will add protection to
the more important network (Double NAT) and will allow you to configure local access to
the Kids Network but will block access from the first Network to the second.

Network Segregation - http://www.ezlan.net/shield.html

Jack (MVP-Networking).





"phillipo" <phillipo@discussions.microsoft.com> wrote in message
news:E65F06C4-C26C-45DA-83A1-4E1C4A45EA1A@microsoft.com...
> I want to have a parents' network and a children's network at home which are
> conpletely invisible to each other.
>
> I have XP pro on the two machines I want on one network and XP home on the
> other two networked machines. Can I do this with one router and controlled
> permissions?
> --
> self built
> MSI Radeon chipset m/b w. 512mb
> Athlon 64 3000+
> Leadtek PVR2000 analog tuner
> WMCE 2005

Thanks a lot for replies.

Can I avoid having three routers by daisy chaining? I don't need either
network to be able to see the other. It's two networks simply sharing one
ADSL connection.

In article <A01DB441-9F6B-45A0-8477-F26CE3A41215@microsoft.com>,
"phillipo" <phillipo@discussions.microsoft.com> wrote:
>>>I want to have a parents' network and a children's network at home which are
>>>conpletely invisible to each other.
>>>
>>>I have XP pro on the two machines I want on one network and XP home on the
>>>other two networked machines. Can I do this with one router and controlled
>>>permissions?
>>
>>No. Permissions can't make a machine invisible. At best, they can
>>make a machine visible but inaccessible. But XP Home doesn't support
>>permissions for network shares -- only XP Pro does.
>>
>>For complete isolation and invisibility between the networks, get two
>>more routers (they're inexpensive) and connect the Internet (WAN) port
>>of each new router to a LAN port of the old router. Connect the kids
>>to one new router, and connect the parents to the other new router.
>>
>>Make sure that the new routers use a different TCP/IP subnet than the
>>old one for their local area network addresses. For example, if the
>>old router uses 192.168.1.x, use 192.168.0.x on the new ones.
>>
>>I use exactly that setup at home. The main network is for my
>>computers and my wife's computer. The second network is for clients'
>>computers that I'm working on, which might be infected with viruses
>>and spyware and can't be trusted to connect to the main network.
>
>Thanks a lot for replies.
>
>Can I avoid having three routers by daisy chaining? I don't need either
>network to be able to see the other. It's two networks simply sharing one
>ADSL connection.

Making two networks completely invisible to each other requires three
routers.

If you daisy chain two routers (ADSL -> Router #1 -> Router #2),
computers on Router #2 will be able to access computers on Router #1
(but not vice versa).
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

Thanks - only half a solution then.... Actually I think I'm Ok with the
networks being visible but inaccessible.

The problem is that the 'kids' network is on XP home edition. Can it be done
with 'Home' ?

"Steve Winograd [MVP]" wrote:

> In article <A01DB441-9F6B-45A0-8477-F26CE3A41215@microsoft.com>,
> "phillipo" <phillipo@discussions.microsoft.com> wrote:
> >>>I want to have a parents' network and a children's network at home which are
> >>>conpletely invisible to each other.
> >>>
> >>>I have XP pro on the two machines I want on one network and XP home on the
> >>>other two networked machines. Can I do this with one router and controlled
> >>>permissions?
> >>
> >>No. Permissions can't make a machine invisible. At best, they can
> >>make a machine visible but inaccessible. But XP Home doesn't support
> >>permissions for network shares -- only XP Pro does.
> >>
> >>For complete isolation and invisibility between the networks, get two
> >>more routers (they're inexpensive) and connect the Internet (WAN) port
> >>of each new router to a LAN port of the old router. Connect the kids
> >>to one new router, and connect the parents to the other new router.
> >>
> >>Make sure that the new routers use a different TCP/IP subnet than the
> >>old one for their local area network addresses. For example, if the
> >>old router uses 192.168.1.x, use 192.168.0.x on the new ones.
> >>
> >>I use exactly that setup at home. The main network is for my
> >>computers and my wife's computer. The second network is for clients'
> >>computers that I'm working on, which might be infected with viruses
> >>and spyware and can't be trusted to connect to the main network.
> >
> >Thanks a lot for replies.
> >
> >Can I avoid having three routers by daisy chaining? I don't need either
> >network to be able to see the other. It's two networks simply sharing one
> >ADSL connection.
>
> Making two networks completely invisible to each other requires three
> routers.
>
> If you daisy chain two routers (ADSL -> Router #1 -> Router #2),
> computers on Router #2 will be able to access computers on Router #1
> (but not vice versa).
> --
> Best Wishes,
> Steve Winograd, MS-MVP (Windows Networking)

In article <9E4526B5-DD81-483E-9F2E-3F930DB762EA@microsoft.com>,
"phillipo" <phillipo@discussions.microsoft.com> wrote:
>>>>>I want to have a parents' network and a children's network at home which are
>>>>>conpletely invisible to each other.
>>>>>
>>>>>I have XP pro on the two machines I want on one network and XP home on the
>>>>>other two networked machines. Can I do this with one router and controlled
>>>>>permissions?
>>>>
>>>>No. Permissions can't make a machine invisible. At best, they can
>>>>make a machine visible but inaccessible. But XP Home doesn't support
>>>>permissions for network shares -- only XP Pro does.
>>>>
>>>>For complete isolation and invisibility between the networks, get two
>>>>more routers (they're inexpensive) and connect the Internet (WAN) port
>>>>of each new router to a LAN port of the old router. Connect the kids
>>>>to one new router, and connect the parents to the other new router.
>>>>
>>>>Make sure that the new routers use a different TCP/IP subnet than the
>>>>old one for their local area network addresses. For example, if the
>>>>old router uses 192.168.1.x, use 192.168.0.x on the new ones.
>>>>
>>>>I use exactly that setup at home. The main network is for my
>>>>computers and my wife's computer. The second network is for clients'
>>>>computers that I'm working on, which might be infected with viruses
>>>>and spyware and can't be trusted to connect to the main network.
>>>
>>>Thanks a lot for replies.
>>>
>>>Can I avoid having three routers by daisy chaining? I don't need either
>>>network to be able to see the other. It's two networks simply sharing one
>>>ADSL connection.
>>
>>Making two networks completely invisible to each other requires three
>>routers.
>>
>>If you daisy chain two routers (ADSL -> Router #1 -> Router #2),
>>computers on Router #2 will be able to access computers on Router #1
>>(but not vice versa).
>
>Thanks - only half a solution then.... Actually I think I'm Ok with the
>networks being visible but inaccessible.

Here are steps that you can take on the XP Pro machines to make them
visible but inaccessible to XP Home with one or two routers:

1. Un-share all shared disks and folders.
2. Disable simple file sharing.
3. Re-share all shared disks and folders.
4. Create matching user accounts on the XP Pro machines -- same user
name and password.
5. Don't set up those accounts on XP Home.

>The problem is that the 'kids' network is on XP home edition. Can it be done
>with 'Home' ?

XP Home grants networked access to all users and doesn't support
disabling simple file sharing.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

> XP Home grants networked access to all users and doesn't support
> disabling simple file sharing.
> --
So, finally, the Home machines cannot be made inaccessible from the Pro
machines if on the same router? You can't create a different workgroup which
is private - the Pro machines will be able to read the Home machines
files.... right?

In article <BB6FEF43-270C-456B-9611-7BC4B5650F8C@microsoft.com>,
"phillipo" <phillipo@discussions.microsoft.com> wrote:
> > XP Home grants networked access to all users and doesn't support
>> disabling simple file sharing.
>
>So, finally, the Home machines cannot be made inaccessible from the Pro
>machines if on the same router? You can't create a different workgroup which
>is private - the Pro machines will be able to read the Home machines
>files.... right?

Workgroups don't provide any type of security or access control. A
computer in any workgroup can access a computer in any other
workgroup. Workgroups serve no useful purpose in Windows XP.

XP Home grants networked access to all users on all computers on the
physical network. The only supported security measures are:

1. Create a network password for the Guest account. Anyone who wants
to access the XP Home computer will have to enter that password. To
create a network password for the Guest account:

a. Click Start | Run.
b. Type "control userpasswords2" in the box and click OK:
c. Click Guest.
d. Click Reset Password.
e. Enter a new password.

2. Hide a shared disk or folder by putting a dollar sign at the end of
its share name (e.g. DATA$). A hidden share doesn't appear in My
Network Places on any computer. Only someone who knows the name of
the hidden share can access it.

Broadband routers are commonly available for less than $30 (after
rebates) at computer and office supply stores in the US. Unless you
really enjoy the technical challenges of other setups, I recommend
going with the 3-router setup (or the 2-router setup that can protect
one group of computers from access by the other group) and being done
with this.

There are some security measures available for XP Home that aren't
documented, tested, or supported by Microsoft. I haven't tried them
don't know if they're safe or if they work, and can't answer questions
about them. If you're interested in trying them, at your own risk,
search this news group for information on:

1. Disabling simple file sharing and setting share permissions in Safe
mode.

2. Using the "cacls" command to set share permissions.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

I'm very grateful for your very knowledgable advice.
Right on the money!

All the best
Phil
London UK

In article <4790AA4A-5384-4196-A9C6-FCCD020246CF@microsoft.com>,
"phillipo" <phillipo@discussions.microsoft.com> wrote:
>I'm very grateful for your very knowledgable advice.
>Right on the money!
>
>All the best
>Phil
>London UK

You're welcome. Does that mean that you've come up with a solution?
If so, please post another news group message and tell us what it is.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com