With Windows 2000 Professional (Win2K Pro), you can easily set up a home network between desktops without using a server. In addition to combining some of the best features of Windows NT Workstation and Windows 98, Win2K Pro offers many new capabilities for home networking. Among the features you can enable are file and print sharing and Internet Connection Sharing (ICS), a nifty feature that lets several computers share one Internet connection. Add to this Win2K Pro's NT-style user account management and permissions, and you have a reasonably powerful engine for home networking. Win2K Pro is also strongly backward compatible. You can introduce Win2K Pro into a peer-to-peer networking setup between Win9x clients, or introduce Win9x clients into a Win2K Pro setup.
Because Win2K Pro comes with NetBEUI and other legacy protocols, networking different generations of Windows clients isn't a problem. Most people will use TCP/IP as their primary transport protocol in a peer-to-peer Windows network. However, to resolve Windows computer names, you need to have NetBEUI installed.
Setting up a basic Win2K Pro peer-to-peer home network—a network between clients only, without a designated server—is easy. Many major players in the home networking market, such as Farallon and D-Link, have made or are making their products compatible with Win2K Pro, providing several cheap and easy home networking-specific solutions.
Choosing a Connection Technology
The first thing to do when planning your home network is to pick the type of hardware you'll use to connect your computers. In the business world, the standard network connection technology is Ethernet, which requires a NIC and dedicated physical cabling. Ethernet also requires hubs to perform the negotiation the network requires.
Many companies, such as 3Com, Intel, Linksys, and D-Link, make good Ethernet hubs. Most such companies package a kit with NICs and a hub for the small office/home office (SOHO) marketplace. (If you hesitate to open your computer to install an internal NIC, consider external USB NICs, which simply plug in to your computer's USB port.) Our favorite brand for basic Ethernet equipment is NETGEAR (http://www.netgear.com), whose SB104 starter kit costs $85 and includes a hub, some cable, and two NICs—enough to set up your network and connect two computers. The SB104 allows 10Mbps data transfer. The next step up is NETGEAR's FB104 kit, which lists for $89.99 and provides the same equipment but allows 100Mbps transfers. The hubs that come with these kits have four ports; if you plan to network more than four computers, you're better off buying the necessary pieces of equipment individually and picking up hubs with more ports.
If you're networking older Ethernet technology, you'll need 10Mbps Ethernet. Better yet, buy 10/100Base-T hubs that autosense at each port. Autosensing hubs cost more but let you mix and match equipment. A typical 8-port 10/100Base-T autosensing hub costs about $170 (street price), making it a good investment.
The downside to Ethernet is that it requires dedicated cabling. Many home networkers opt for the more economical and convenient phoneline networking technology. This technology lets you network computers by plugging them in to the same active phone line. Phoneline networking NICs slide data transfers into the phone signal. Because the NICs do the necessary negotiation, you don't need a hub, and you don't need to buy or install cable.
Many people ask us about Intel's popular, easy-to-use AnyPoint Home Network. However, AnyPoint isn't available, and probably won't become available, for Windows 2000 (Win2K). But don't be disappointed—you don't want AnyPoint anyway. AnyPoint limits you to using the phone line either to network or to make a conventional call, not both. Other more advanced technology lets the phone line support simultaneous networking and conventional phone calls, such as a dial-up connection to your ISP.
The downside to phoneline networking is that it tops out at 10Mbps transfers, and most phoneline networks run at only 1Mbps. With time, the speed of phoneline networking will increase, but Ethernet will always be faster and more powerful and is the better choice if you intend to use streaming media over your home network.
If you decide to use phoneline networking, you might want to check out D-Link's DHN-910 starter package for $119 (http://www.dlink.com). D-Link is a speed powerhouse, providing 10Mbps speed. The kit includes two phoneline NICs, phone cords, and a games CD-ROM.
Farallon (http://www.farallon.com) offers phoneline, Ethernet, and even wireless networking packages. Details were unavailable at press time because Farallon was still working on Win2K compatibility for its products. Home networkers who want to network Macs and PCs together should keep Farallon in mind, however. Cross-platform networking is Farallon's specialty, and the company has software that makes Internet connection sharing work between Macs and PCs. But if you don't need cross-platform capability, you're probably better off using another package: Farallon's phoneline networks top out at 1Mbps.
An Important Decision: FAT32 vs. NTFS
Win9x machines use FAT32, the older of the two major Windows file systems. NTFS is the newer file system. For the purpose of peer-to-peer networking, NTFS's primary advantage is that it provides additional security settings for folders and files. To see which file system a drive uses, double-click My Computer, right-click the drive, and select Properties. The information on the General tab includes which file system that drive uses.
Although NTFS is more feature-rich than FAT32, you might need to use FAT32 because systems other than Win2K and NT systems, such as Win9x, can't read local NTFS drives. For example, if you have a double-boot system with Win2K and Win98, Win98 can't read NTFS drives on the system. This limitation doesn't interfere with networked file sharing: A Win2K machine can translate a file from an NTFS drive into something a Win9x machine can understand and can serve the file to a Win9x computer. But if you format a drive on a Win9x machine as NTFS, the Win9x machine can't read files on that local drive because Win9x can't translate NTFS. Consequently, if you create a Win2K Pro and Win9x dual-boot machine, you'll most likely want to keep all your drives in FAT32.
To change file systems, you need to either convert or reformat the drive, depending on which direction you're moving. If you're moving from FAT32 to NTFS, you can simply convert the drive by using the command
convert <drive>: /fs:ntfs [/v]
The optional /v parameter gives you details about the conversion process as it proceeds.
Moving from NTFS to FAT32 requires backing up your drive, reformatting it, and restoring your data. To reformat a drive, open the Control Panel Administrative Tools applet and double-click Computer Management. From the Computer Management console, expand Storage in the left pane and select Disk Management. On the resulting display, right-click the drive you want to reformat and choose Format from the drop-down menu. If you're reformatting your system drive, you'll need to create a boot disk and run FDISK. For details about these procedures, see Microsoft's Help files.
Setup Basics
Win2K Pro peer-to-peer networking can comfortably handle as many as 10 computers. (Microsoft added a software limitation to Win2K Pro to prevent you from peer-to-peer networking more than 10 machines.) Network setup involves several easy steps.
Install and configure the NICs. Your first step in setting up a Win2K Pro network is to install and configure the NICs. To install the cards, follow the instructions that accompany them. Microsoft seems to have finally ironed out the kinks in Plug and Play (PnP), so Win2K Pro will probably recognize your NIC when it starts up and might even have the correct driver on the installation disk. If not, use the driver that came with the card or download the latest driver from the card vendor's Web site. These days, many drivers come in self-installing executable files. If PnP doesn't work and you need to set up the driver manually, open the Control Panel System applet, click the Device Manager button on the Hardware tab, then locate and double-click the device's icon. In the resulting window, click the Driver tab and click either Update or Install.
Connect the computers. Physically connect your computers by using a hub and cables or a phone line, depending on the technology you're using.
Put the computers into the same workgroup. In a simple home network, you don't need to specify a domain. To specify a computer workgroup, open the Control Panel Network and Dial-Up Connections applet. Click the blue-highlighted Network Identification text link in the window's left pane, then select the Network Identification tab. Click Network ID to bring up the Network Identification Wizard. When the wizard asks whether you're a business user or a home user, specify that you're a business user and that your business doesn't use a domain. Enter a workgroup name at the prompt. Repeat this setup on every computer on your network, specifying the same workgroup name on each computer. For our example, we'll use the workgroup name Simpsons and computer names Bart, Homer, and Maggie.
Set up user accounts on each computer. You have two ways to let users access another networked computer. One way is to set up a guest account on each computer and give everyone the password for each guest account. Whenever a user initiates a session with a networked computer, the remote computer will prompt the user to enter the password. With this approach, users must remember a different password for each networked computer.
The better way to manage user accounts on a peer-to-peer network is to give each user one username and password for accessing all networked computers. When you log on to your computer Homer and then try to access Bart, Homer sends Bart your username and password. If you've set up that same account on Bart, Bart will let you in without prompting you to reenter your password.
To set up user accounts on each computer, first decide on a username and password for each user. Then, on each networked computer, open the Control Panel Users and Passwords applet. Enter the username and password, then click Add and follow the wizard's instructions. If you change a user's password, you must change it on each computer.
You can also use the Advanced tab in the Users and Passwords window to set up groups in a peer-to-peer network. You can assign each user to a group, then assign permissions by group. However, be aware that each computer maintains its own Groups list, so you must add each group member to the group list on every computer. In our experience, setting up groups in a home peer-to-peer network is rarely worth the trouble. You can easily introduce small differences by accident into Groups lists on different computers. Such errors cause no end of seemingly incomprehensible network behavior and require you to spend a lot of time to locate and identify the problems.
Share a disk, folder, or file. Win2K Pro automatically installs the components you need for file and print sharing, making sharing setup almost a no-brainer. On any networked computer, pick something you want to share—a file, a folder, or even an entire disk. (If you frequently connect to the Internet, we strongly advise you, for security reasons, not to share your whole disk.) Right-click the file, folder, or disk's icon, and select Sharing. On the Properties window that pops up, change the setting from Do not share this folder to Share this folder. We recommend leaving User limit set to Maximum allowed. In a peer-to-peer network limited to 10 connections, not much danger exists of overtaxing your computer. If you start to experience long lag times when several people access one file or folder, you can change this setting to decrease the number of users who can simultaneously share a folder.
Note that you can also change the folder's permissions. The number-one mistake people make in Windows peer-to-peer networking is inadvertently sharing folders they mean to keep private. To ensure that you don't make that mistake, you must understand permissions and inheritance, which we explain in detail later.
Share a printer. Sharing a printer works almost the same way as sharing folders does. On the computer to which the printer is attached, click Start, Settings, Printers. Right-click the printer icon, select Properties, click the Shared As radio button, then click OK. That printer is now available to all users who have access to your network. On other computers from which you want to be able to use that printer, click Start, Settings, Printers. Double-click the Add Printer icon to start the Add Printer Wizard. In the first dialog box, choose Network printer to define the shared printer on the local machine. After you define the printer locally, the local computer's user can use the networked printer as easily as if it were connected locally.
Accessing shared resources. To access a shared file, open My Network Places. Find and double-click the icon for the computer that has the file you want. A window opens and shows the root directory for shared files on that computer. The root directory contains icons for every shared folder. If you have full access to those folders, you can do everything with them that you can do with folders on your own computer (e.g., create new subfolders, rearrange contents, delete files).
Some applications can't use Uniform Naming Convention (UNC) share names to store and access files on remote computers. For a solution to that problem, see the sidebar "Mapping a Network Drive."
Inheritance and Permissions
As we've mentioned, the most common mistake many people make in peer-to-peer networking is sharing folders they mean to keep private. To avoid this mistake, you need to understand the rules of inheritance.
By default, all folders and documents that are within a shared folder inherit the shared folder's permissions settings. In other words, a shared folder's permissions propagate to all the folders and documents that the folder contains. Thus, when you share a folder, you also share everything in that folder's subfolders. By default, permissions propagate to all of a shared folder's subfolders even if you specify that you don't want to share one of the subfolders. You can't limit access to folders and documents that reside in shared folders on an NTFS hard disk unless you modify the default permissions. On FAT32 drives, you can't change the default permissions, so you can't limit access to folders and documents that reside in shared folders no matter what you do.
Let's look at an example. On your computer Homer, you create a folder called My Stuff that you want to share with everybody on the network. Within My Stuff, you create a subfolder called Private Things that contains things you want to keep private from other network users. You right-click My Stuff and select Sharing. On the Properties window, you click the Permissions button to access the Permissions dialog box. As you can see when you initially access this dialog box, the default permissions setting gives Everyone Full Control. When Everyone has Full Control, anyone who can access any networked computer can edit and delete any files in shared folders. To deny Everyone all access to Private Things, you open Private Things' Permissions dialog box and select Deny for Full Control, Change, and Read.
Now, from the computer Maggie, you double-click My Network Places, then double-click the Homer icon to access Homer's shared files. Homer's root shared directory appears, and it contains the folder My Stuff. When you open My Stuff from Maggie, you see Private Things. You double-click Private Things from the root directory and get an Access Denied message, as you'd expect.
If you open My Stuff, you'll see Private Things again. However, if you double-click Private Things from inside My Stuff, Private Things opens and lets you access everything in it. This behavior is definitely not what you'd expect. Whenever you explicitly set permissions for a folder, that folder's icon appears directly in the root shared directory. But if that folder is inside a shared folder, the subfolder's icon also appears inside the shared folder. I like to call each appearance of an icon a "ghost." A folder can have many ghosts. If folder A is inside folder B, which is inside folder C, which is inside folder D, and you allow or deny permissions specifically to each folder, then folder A will have four ghosts. And those ghosts can behave differently from folder A when you access it directly from the root directory.
In our example, Private Things has two ghosts—one in the root shared directory and another within the folder My Stuff. Under Win2K Pro's default inheritance, these two ghosts behave quite differently. The ghost that appears in the root directory doesn't share itself, but the ghost that appears inside the shared folder My Stuff does share itself. Under the default inheritance settings, all ghosts that appear inside a shared folder share that folder's permissions settings. So, the ghost of Private Things in the root shared directory follows the directions we gave Private Things—to deny access. But the ghost of Private Things that appears in My Stuff follows the directions we gave to My Stuff and shares itself.
If your Win2K Pro machine uses NTFS, you can change this behavior. Right-click Private Things, select Properties from the menu, and click the Security tab. You'll see that the Allow inheritable permissions from parent to propagate to this object check box at the bottom of the window is selected, as Screen 1 shows. When the check box is selected, the ghost of Private Things that appears inside My Stuff has the same permissions that My Stuff has. If you click the check box to clear it, a Security dialog box pops up. Click the Remove button to disable inheritance for the Private Things folder and keep it private.
If your computer uses a FAT32 disk, the Security tab doesn't exist. Consequently, you can't change the rules of inheritance, and you can't prevent Private Things from inheriting My Stuff's permissions settings. In this case, you're stuck with having one shared version of Private Things and one unshared version. If you don't want to share Private Things, you must move the folder out of the My Stuff folder. With FAT32, if you don't want to share a folder, you must make sure the folder doesn't reside inside another folder that you do share.
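The behavior described in this section, as an added example that is not part of the original article: a simplified Python model of how the permissions of the share you enter through combine with the folder's own NTFS permissions. It assumes that the Deny set in Private Things' Sharing dialog makes that folder a share of its own; the account names Owner and Bart and the default root ACL are constructed for illustration.

```python
"""Simplified model (added example) of how a Win2K share permission and an
NTFS folder ACL combine. It is not Windows' actual access-check code."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath as P

ALL = frozenset({"Read", "Change", "Full Control"})


@dataclass
class Share:
    name: str
    root: P                                   # local folder the share exposes
    allow: dict = field(default_factory=lambda: {"Everyone": ALL})  # default
    deny: dict = field(default_factory=dict)

    def rights(self, user):
        granted, denied = set(), set()
        for who in (user, "Everyone"):
            granted |= self.allow.get(who, frozenset())
            denied |= self.deny.get(who, frozenset())
        return granted - denied               # an explicit Deny always wins


@dataclass
class Volume:
    filesystem: str                           # "NTFS" or "FAT32"
    acls: dict = field(default_factory=dict)  # folder -> (inherit, {who: rights})

    def rights(self, folder, user):
        if self.filesystem == "FAT32":
            return set(ALL)                   # no Security tab, no folder ACLs
        granted = set()
        for node in (folder, *folder.parents):
            inherit, allow = self.acls.get(node, (True, {}))
            for who in (user, "Everyone"):
                granted |= allow.get(who, frozenset())
            if not inherit:                   # inheritance check box cleared
                break
        return granted


def effective(volume, share, folder, user):
    """Rights `user` gets on `folder` when entering through `share`."""
    if share.root != folder and share.root not in folder.parents:
        return set()                          # not reachable via this share
    return share.rights(user) & volume.rights(folder, user)


MY_STUFF = P(r"C:\My Stuff")
PRIVATE = MY_STUFF / "Private Things"


def scenario(filesystem, inheritance_removed=False, user="Bart"):
    """Access to Private Things through each of its two 'ghosts'."""
    acls = {P("C:\\"): (True, {"Everyone": ALL})}   # assumed default root ACL
    if inheritance_removed:                         # Security tab, then Remove
        acls[PRIVATE] = (False, {"Owner": ALL})     # constructed owner account
    vol = Volume(filesystem, acls)
    parent = Share("My Stuff", MY_STUFF)
    child = Share("Private Things", PRIVATE, deny={"Everyone": ALL})
    return {
        "via own share": effective(vol, child, PRIVATE, user),
        "via My Stuff": effective(vol, parent, PRIVATE, user),
    }


if __name__ == "__main__":
    for fs, removed in (("FAT32", False), ("NTFS", False), ("NTFS", True)):
        print(fs, "inheritance removed" if removed else "default", scenario(fs, removed))
```

The Deny on the Private Things share only guards that one entry point; the path through My Stuff is closed only when the folder's own NTFS permissions stop inheriting from the parent.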
You can set different permissions for individual users. Let's say I have an accounting program that I want my wife Maggie, but not my son Bart, to be able to access. From the Permissions window, you can highlight users individually and modify their permissions. I bring up the Sharing menu for the relevant folder and click the Permissions button. By default, permissions are set to apply to Everyone. I select Everyone and click Remove, as Screen 2 shows, then I click Add to bring up the Select Users, Computers, or Groups window. I click Maggie, then click Add and give Maggie the permissions I want her to have. As long as you create the same usernames and passwords on each computer, as we described earlier in "Setup Basics," you can use the Permissions dialog box to allow each user the proper access no matter what computer the user is logged on to.
Internet Connection Sharing
ICS lets networked computers share a single Internet connection. The Internet connection can be a Digital Subscriber Line (DSL), cable modem, or dial-up connection. With ICS, Maggie can trade stocks and pay bills online while Homer checks his email and Bart hits the chat boards, all through an Internet connection on just one of the networked computers. (You can think of ICS as basically a miniature version of Proxy Server that comes with Win2K Pro.)
A networked computer that has an Internet connection serves as the Internet gateway. To make a computer a gateway, open the computer's Network and Dial-Up Connections applet and right-click the icon for the Internet connection that you want to share. Select Properties from the pop-up menu. On the Sharing tab, select the Enable Internet connection sharing for this connection check box.
To let your other networked computers use the Internet gateway, you need to configure them as clients to the gateway computer. To make a Win2K Pro computer a client, open the client's Network and Dial-Up Connections applet. Right-click the network connection that the client computer uses to access the gateway computer, and select Properties. Under the Components checked are used by this connection heading, click Internet Protocol (TCP/IP). Click Properties, and select the Obtain an IP address automatically check box. (Note that if you want to set static IP addresses, you need to know that ICS requires you to set clients to a certain range of IP addresses. For details about this requirement, see the Win2K Pro Help file.)
Then, you need to configure the computer's Web browser. We'll configure Microsoft Internet Explorer (IE) as an example. On IE's Tools menu, select Internet Options. Click the Connections tab, select the Never dial a connection button, and click LAN Settings. Under the Automatic configuration heading, clear the Automatically detect settings and Use automatic configuration script check boxes. Under the Proxy server heading, clear the Use a proxy server check box.
You can even enable on-demand dialing on your peer-to-peer network. On-demand dialing lets a client computer connect to the Internet even if the gateway computer isn't connected. For example, if you enable on-demand dialing on your gateway computer Bart, someone working on Maggie can double-click the Netscape Navigator icon, and Bart will automatically dial out and provide an Internet connection over the local network to Maggie. Bart must be on but can be unattended. To enable on-demand dialing, open the Network and Dial-Up Connections applet on the gateway computer. Right-click the LAN connection, select Properties, and select the Enable on-demand dialing check box.
A Word to the Wise: Security, Firewalls, and More
If you use an always-on connection, such as DSL or a cable modem, we advise you to implement some sort of firewall system. Firewalls offer protection against intruders. Because your network is vulnerable to intrusions whenever it's connected to the Internet, you are most in need of protection if you're always connected. If all of your computers are networked and always connected and if you have no firewall, an intruder could easily penetrate your network and manipulate files in any connected computer.
Software-based home-network firewalls include WinGate Home 3.0 (http://wingate.deerfield.com—$39.95 for a three-user license), Sybergen SyGate for Home Office 3.11 (http://www.sybergen.com/products/gate_ov.htm—$39.95 for a three-user license), and Network ICE's BlackICE Defender (http://www.networkice.com—$39.95). WinGate Home and Sybergen SyGate for Home Office are ICS products that include a firewall. BlackICE Defender is a firewall-only product and seems to garner the best reviews in the software-only class. These products seal off your network, alert you to intrusions, and perform other security basics. The vendors designed these products for SOHO use, and the products are relatively easy to use. Sybergen SyGate for Home Office and WinGate Home are fully functional on Win2K Pro. A Win2K version of BlackICE Defender is under development.
Another firewall option is to purchase a dedicated piece of equipment, such as WatchGuard Technologies' WatchGuard SOHO (http://www.watchguard.com/products/soho.html) or the SonicWALL SOHO 10 (http://www.sonicsys.com). These machines, which sit between your computer and the line out, offer plenty of security at a relatively high cost—$275 and up.
If you have DSL, check with your ISP before purchasing a firewall product. The ISP's DSL router might have built-in firewall capabilities.
Hardly a day goes by without a company announcing a new product line aimed at the SOHO market. We expect new products to continue to appear. Initially, most will be aimed at Win9x, but many will be Win2K Pro-compatible, and eventually the marketplace will shift toward Win2K Pro. You don't need to wait, though; Win2K Pro offers all the capabilities you need today.