Question:
At our school we have a Windows NT Server network (10O Base T and 10 Base T mix) for our students to use. We have a five-station peer-to-peer Windows 95/98 network in our office. My question is: We would like to access the student network (NT) from the office, without letting students access our office network. Do we set up one of the office machines as a “router,” with two NICs so it particpates in both networks? If so, does this computer have to be NT? Server or workstation? Or, if the peer-to-peer machines are reconfigured to participate in the NT network (get validated at the PDC), can we expect enough security so that the students can’t access our office computers (that is, not even see them)?

Answer:
If you are going to use the peer-to-peer capabilities of Win95, be sure to set the validation level on each machine to “User-level access control,” not the default “Share-level access control.” With this setting, you can deny access to individuals or, preferably, groups, to any resource on the Win95 machines. However, you will have to make sure each Win95 machine is set up correctly. An easier way might be to disable LM Authentication on the NT machines. (See the MSDN article “How To Disable LM Authentication on Windows NT.”) The effect of this is that an NT machine cannot be authenticated.

“Level 0: Send LM and Windows NT authentication (default).
Level 1: Send Windows NT authentication and LM authentication only if the server requests it.
Level 2: Never send LM authentication.

“If a Windows NT client selects level 2, it cannot connect to servers that support only LM authentication, such as Windows 95 and Windows for Workgroups.”