Solution
The following procedure will assume you're using the built-in Guest account, and that its profile path is C:\Users\Guest
.
Preliminary steps
Log on with the Guest account, and then log off. This is just to ensure the profile gets initialized, in case it's not already.
Log on with an administrator account, and open an elevated command prompt.
Hide and prevent access to any drive but C: from My Computer
Type or paste the following commands in the command prompt, pressing Enter each time:
reg load "HKU\Guest" "%SystemDrive%\Users\Guest\NTUSER.DAT" reg add "HKU\Guest\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDrives" /t REG_DWORD /d 0x3fffffb /f reg add "HKU\Guest\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoViewOnDrive" /t REG_DWORD /d 0x3fffffb /f reg unload "HKU\Guest"
Deny access to drives and all their subfolders
Type or paste the commands below, and then press Enter:
takeown /f D: /a icacls D: /deny *S-1-5-32-546:(OI)(CI)(F)
Repeat step 1 for any other drive you want to restrict by replacing
D:
with the actual letter.
Grant read and execute access to specific folders
Execute the following command:
icacls "D:\SomeFolder" /grant:r *S-1-5-32-546:(OI)(CI)(RX)
Repeat the previous step for all other folders you want to make available to the Guest account.
Create junction points in C: drive to access specific folders
Create a dedicated container by running these commands:
md "C:\GuestDrive" icacls "C:\GuestDrive" /grant:r *S-1-5-32-546:(OI)(CI)(RX)
Create a junction point to access the actual folder:
mklink /j "C:\GuestDrive\SomeFolder" "D:\SomeFolder"
Repeat step 2 for any other required folder.