Now, from the computer Maggie, you double-click My Network Places, then double-click the Homer icon to access Homer's shared files. Homer's root shared directory appears, and it contains the folder My Stuff. When you open My Stuff from Maggie, you see Private Things. You double-click Private Things from the root directory and get an Access Denied message, as you'd expect.
If you open My Stuff, you'll see Private Things again. However, if you double-click Private Things from inside My Stuff, Private Things opens and lets you access everything in it. This behavior is definitely not what you'd expect. Whenever you explicitly set permissions for a folder, that folder's icon appears directly in the root shared directory. But if that folder is inside a shared folder, the subfolder's icon also appears inside the shared folder. I like to call each appearance of an icon a "ghost." A folder can have many ghosts. If folder A is inside folder B, which is inside folder C, which is inside folder D, and you allow or deny permissions specifically to each folder, then folder A will have four ghosts. And those ghosts can behave differently from folder A when you access it directly from the root directory.
In our example, Private Things has two ghosts—one in the root shared directory and another within the folder My Stuff. Under Win2K Pro's default inheritance, these two ghosts behave quite differently. The ghost that appears in the root directory doesn't share itself, but the ghost that appears inside the shared folder My Stuff does share itself. Under the default inheritance settings, all ghosts that appear inside a shared folder share that folder's permissions settings. So, the ghost of Private Things in the root shared directory follows the directions we gave Private Things—to deny access. But the ghost of Private Things that appears in My Stuff follows the directions we gave to My Stuff and shares itself.
If your Win2K Pro machine uses NTFS, you can change this behavior. Right-click Private Things, select Properties from the menu, and click the Security tab. You'll see that the Allow inheritable permissions from parent to propagate to this object check box at the bottom of the window is selected, as Screen 1 shows. When the check box is selected, the ghost of Private Things that appears inside My Stuff has the same permissions that My Stuff has. If you click the check box to clear it, a Security dialog box pops up. Click the Remove button to disable inheritance for the Private Things folder and keep it private.
If your computer uses a FAT32 disk, the Security tab doesn't exist. Consequently, you can't change the rules of inheritance, and you can't prevent Private Stuff from inheriting My Stuff's permissions settings. In this case, you're stuck with having one shared version of Private Stuff and one unshared version. If you don't want to share Private Stuff, you must move the folder out of the My Stuff folder. With FAT32, if you don't want to share a folder, you must make sure the folder doesn't reside inside another folder that you do share.
You can set different permissions for individual users. Let's say I have an accounting program that I want my wife Maggie, but not my son Bart, to be able to access. From the Permissions window, you can highlight users individually and modify their permissions. I bring up the Sharing menu for the relevant folder and click the Permissions button. By default, permissions are set to apply to Everyone. I select Everyone and click Remove, as Screen 2 shows, then I click Add to bring up the Select Users, Computers, or Groups window. I click Maggie, then click Add and give Maggie the permissions I want her to have. As long as you create the same usernames and passwords on each computer, as we described earlier in "Setup Basics," you can use the Permissions dialog box to allow each user the proper access no matter what computer the user is logged on to.
Internet Connection Sharing
ICS lets networked computers share a single Internet connection. The Internet connection can be a Digital Subscriber Line (DSL), cable modem, or dial-up connection. With ICS, Maggie can trade stocks and pay bills online while Homer checks his email and Bart hits the chat boards, all through an Internet connection on just one of the networked computers. (You can think of ICS as basically a miniature version of Proxy Server that comes with Win2K Pro.)
A networked computer that has an Internet connection serves as the Internet gateway. To make a computer a gateway, open the computer's Network and Dial-Up Connections applet and right-click the icon for the Internet connection that you want to share. Select Properties from the pop-up menu. On the Sharing tab, select the Enable Internet connection sharing for this connection check box.
To let your other networked computers use the Internet gateway, you need to configure them as clients to the gateway computer. To make a Win2K Pro computer a client, open the client's Network and Dial-Up Connections applet. Right-click the network connection that the client computer uses to access the gateway computer, and select Properties. Under the Components checked are used by this connection heading, click Internet Protocol (TCP/IP). Click Properties, and select the Obtain an IP address automatically check box. (Note that if you want to set static IP addresses, you need to know that ICS requires you to set clients to a certain range of IP addresses. For details about this requirement, see the Win2K Pro Help file.)
Then, you need to configure the computer's Web browser. We'll configure Microsoft Internet Explorer (IE) as an example. On IE's Tools menu, select Internet Options. Click the Connections tab, select the Never dial a connection button, and click LAN Settings. Under the Automatic configuration heading, clear the Automatically detect settings and Use automatic configuration script check boxes. Under the Proxy server heading, clear the Use a proxy server check box.
You can even enable on-demand dialing on your peer-to-peer network. On-demand dialing lets a client computer connect to the Internet even if the gateway computer isn't connected. For example, if you enable on-demand dialing on your gateway computer Bart, someone working on Maggie can double-click the Netscape Navigator icon, and Bart will automatically dial out and provide an Internet connection over the local network to Maggie. Bart must be on but can be unattended. To enable on-demand dialing, open the Network and Dial-Up Connections applet on the gateway computer. Right-click the LAN connection, select Properties, and select the Enable on-demand dialing check box.
A Word to the Wise: Security, Firewalls, and More
If you use an always-on connection, such as DSL or a cable modem, we advise you to implement some sort of firewall system. Firewalls offer protection against intruders. Because your network is vulnerable to intrusions whenever it's connected to the Internet, you are most in need of protection if you're always connected. If all of your computers are networked and always connected and if you have no firewall, an intruder could easily penetrate your network and manipulate files in any connected computer.
Software-based home-network firewalls include WinGate Home 3.0 (http://wingate.deerfield.com—$39.95 for a three-user license), Sybergen SyGate for Home Office 3.11 (http://www.sybergen.com/products/ gate_ov.htm—$39.95 for a three-user license), and Network ICE's BlackICE Defender (http://www.networkice.com—$39.95). WinGate Home and Sybergen SyGate for Home Office are ICS products that include a firewall. BlackICE Defender is a firewall-only product and seems to garner the best reviews in the software-only class. These products seal off your network, alert you to intrusions, and perform other security basics. The vendors designed these products for SOHO use, and the products are relatively easy to use. Sybergen SyGate for Home Office and WinGate Home are fully functional on Win2K Pro. A Win2K version of BlackICE Defender is under development.
Another firewall option is to purchase a dedicated piece of equipment, such as WatchGuard Technologies' WatchGuard SOHO (http://www.watchguard.com/products/soho.html) or the SonicWALL SOHO 10 (http://www.sonicsys.com). These machines, which sit between your computer and the line out, offer plenty of security at a relatively high cost—$275 and up.
If you have DSL, check with your ISP before purchasing a firewall product. The ISP's DSL router might have built-in firewall capabilities.
Looking Ahead
Hardly a day goes by without a company announcing a new product line aimed at the SOHO market. We expect new products to continue to appear. Initially, most will be aimed at Win9x, but many will be Win2K Pro-compatible, and eventually the marketplace will shift toward Win2K Pro. You don't need to wait, though; Win2K Pro offers all the capabilities you need today.