Windows XP Professional offers powerful new network capabilities and enhancements, many of which help make home and remote-user networking easier and more robust. Although some features such as Internet Connection Sharing (ICS), Internet Connection Firewall (ICF), and Network Bridging cause much hand wringing and jaw clenching among network administrators, these features offer workable solutions for users at home and on the road. With an understanding of the specific capabilities of these features, when you should apply them, and how you can control them, you can enhance the connectivity and security of your users' portable systems without sacrificing your corporate network's integrity.
Alternate Configuration Settings
Before you design an elaborate solution to satisfy the networking needs of nomadic users, take a look at XP Pro's Alternate Configuration networking capabilities. The Alternate Configuration settings provide a simple, yet effective, solution for systems used in two network environments, such as a laptop that does double duty at the office and on the road or at home. As an administrator, you can configure these settings to meet the user's connection requirements so that the user doesn't need to know the difference between a subnet mask and a Batman mask.
The Alternate Configuration settings let XP dynamically switch between a dynamic IP address configuration and a static IP address configuration. The settings that you specify take effect when the computer doesn't receive a response from a DHCP server on the network to which the system is attached. For example, when a user attaches a laptop to the corporate network, the system identifies a DHCP server and maintains settings appropriate for that environment. When the user takes the laptop home, the lack of a DHCP server triggers the system to use the Alternate Configuration settings. The default Alternate Configuration settings are to assign an address from the Automatic Private IP Addressing (APIPA) range (i.e., 169.254.x.y with a subnet mask of 255.255.0.0), but you can configure your own values to match the IP addressing scheme of the secondary network. Figure 1 shows the Alternate Configuration tab of the Internet Protocol (TCP/IP) Properties dialog box. To access this dialog box, open the Network Connections window, right-click the network connection that you want to configure, select Properties from the context menu, choose Internet Protocol (TCP/IP), click the Properties button, then select the Alternate Configuration tab. Note that this tab isn't available unless you first select the Obtain an IP address automatically option on the General tab of the Internet Protocol (TCP/IP) Properties dialog box.
Network Connections Folder
Consider yourself lucky if the Alternate Configuration settings keep your multilocation users out of the Network Connections folder. XP Pro includes a plethora of network settings that you can adjust, either using a wizard or manually, from within this folder. You'll want your users to be able to adjust some, but not all, of these settings. To determine which users can change which settings in which situations, you can use a new group to adjust the granularity of control necessary for your environment.
Network Configuration Operators Group
XP Pro features the new built-in group Network Configuration Operators, which lets you delegate network configuration management tasks. In addition to providing a measure of control over who can alter network settings, this group lets you give a local user the ability to change certain settings without making the user a member of the local Administrators group. In some cases, members of the Network Configuration Operators group can modify the TCP/IP properties to rename, enable, and disable LAN connections available to all users on the system; in other cases, these members can modify only the settings for their own connections. Group members can also delete, rename, and modify properties of remote access connections for the current user, and they can issue ipconfig release and renew commands.
To add a local user to this group, go to the Computer Management dialog box and expand the Microsoft Management Console (MMC) Local Users and Groups snap-in. Select the Groups object in the console tree and double-click the Network Configuration Operators item in the details pane. Click the Add button to enter the user's name. If you aren't sure about the syntax or spelling of the user object, click the Advanced button to query either the local user database or the Active Directory (AD) user database and choose from the available list of relative distinguished names (RDNs). After adding the name to the group, click OK to close the Network Configuration Operators Properties window.
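The same delegation can be scripted and checked for least privilege. The following is an added example, not part of the original article: it adds a local account to the group through the WinNT ADSI provider and then confirms the account is not also a local administrator. It assumes PowerShell is installed on the system and that the script runs with administrative rights; the account name jsmith is a placeholder.

```powershell
# Added example (not from the article): delegate network configuration to a
# local user through the Network Configuration Operators group, then confirm
# the account did not also end up in the local Administrators group.
# Run with administrative rights. 'jsmith' is a placeholder account name.
param([string]$UserName = 'jsmith')

$computer = $env:COMPUTERNAME
$ncoName  = 'Network Configuration Operators'

function Get-LocalGroupMemberNames([string]$GroupName) {
    # The WinNT ADSI provider exposes local groups. Members() returns COM
    # objects, so each member's Name is read through late-bound reflection.
    # Only the short account name is returned, so a domain account with the
    # same short name as a local account is not distinguished here.
    $group = [ADSI]"WinNT://$computer/$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# Add the user only if not already a member, so reruns do not raise an error.
if ((Get-LocalGroupMemberNames $ncoName) -notcontains $UserName) {
    $nco = [ADSI]"WinNT://$computer/$ncoName,group"
    $nco.psbase.Invoke('Add', "WinNT://$computer/$UserName,user")
    Write-Output "Added $UserName to $ncoName."
} else {
    Write-Output "$UserName is already a member of $ncoName."
}

# Least-privilege check: the point of the group is to avoid handing out
# local Administrators membership just to change network settings.
if ((Get-LocalGroupMemberNames 'Administrators') -contains $UserName) {
    Write-Warning "$UserName is also a local administrator, so the group membership is not limiting anything."
} else {
    Write-Output "$UserName can change network settings without administrative rights."
}
```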
After you add a user to the Network Configuration Operators group, the user can perform simple network configuration tasks in XP Pro, even when the user is away from the office. However, being a member of this group doesn't give the user permission to configure ICS, ICF, or Network Bridging. To configure those items, the user must have a local user account with administrative permissions. But once you grant these permissions, how do you make sure that the settings the user makes don't have a detrimental effect on your corporate network settings? The answer lies in Group Policy settings and Network Location Awareness.