Wednesday, March 09, 2005

How I got Adobe Photoshop to run as a limited user

Today I was locking down a computer lab and ran into problems with Adobe Photoshop 6.0. Up until now, all users were administrators on the machines that they were working on. We have had few problems and the politics are easier to deal with.

Spyware is finally taking a lot of our time, so we want to take some steps to avoid it. Running everyone as a limited user is the simplest security step to take. We just have to keep the programs that they use working. That brings us to Photoshop.

When running as a limited user, Photoshop starts to load. It errors out with a message about a file that is locked. The first two obvious security settings that need to be checked are the permissions on the TEMP folder and the Program files\adobe\photoshop folder. If the TEMP folder is in the user profile, it will not be a problem. We had it redirected to c:\windows\temp and that caused us a few problems.

Photoshop also saves settings in the application folder*, so we decided to grant full access to that folder. This method worked for most programs that have problems. The registry is also a place to look, but the messages talking about locked files kept me looking at the filesystem. When that did not solve it, I looked to my toolbox for help.

I loaded up Sysinternals' filemon.exe to watch what files Photoshop was not able to access. It showed Photoshop trying to create and then open a temporary file (the swap file) on the root of the C: drive. I added an advanced security permission that allowed full read/write access to the drive and I checked the box that says apply to this folder only (so I don't give them full access to everything, just access to files on the C).

Finally, after that, Photoshop was able to run without any problems. I tried to search for this and could not find it. The only solution was to use FAT32 instead of NTFS when formatting. What good is a limited user if you run on FAT32?

To sum up the changes:
Give user group read/write access to c:\program files\adobe\photoshop
Give user group advanced read/write access to c:\ and ONLY apply it to "this folder only"
Verify user group has read/write access to %temp% folder.

* I was working from an existing install, I did not try to reinstall it. Some programs give you the option "Just for me" or "For Everyone" and that makes a difference.
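
The three changes from the summary, scripted as an added example (not part of the original post). It assumes the group is BUILTIN\Users, the paths as written in the post, Read + Write as the rights, and an elevated PowerShell session. The C:\ rule uses InheritanceFlags None, which is what "this folder only" sets in the GUI.

```powershell
# Added example. Assumptions: BUILTIN\Users, the post's paths, Read + Write rights.
$group  = 'BUILTIN\Users'
$rights = [System.Security.AccessControl.FileSystemRights]'Read, Write'

function Grant-FolderAccess {
    param(
        [string]$Path,
        [System.Security.AccessControl.InheritanceFlags]$Inherit
    )
    $prop  = [System.Security.AccessControl.PropagationFlags]::None
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $rule  = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $group, $rights, $Inherit, $prop, $allow

    # Add the rule to the existing ACL instead of replacing the ACL.
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# "This folder, subfolders and files" versus "This folder only"
$children = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$thisOnly = [System.Security.AccessControl.InheritanceFlags]::None

# 1. Application folder: Photoshop saves settings here, so children inherit.
Grant-FolderAccess -Path 'C:\Program Files\Adobe\Photoshop' -Inherit $children

# 2. Root of C: for the swap file. No inheritance flags, so nothing
#    below C:\ picks up the new entry.
Grant-FolderAccess -Path 'C:\' -Inherit $thisOnly

# 3. Only needed when TEMP is redirected out of the user profile.
Grant-FolderAccess -Path 'C:\Windows\Temp' -Inherit $children

# Check: the explicit entry on C:\ must list InheritanceFlags = None.
(Get-Acl -Path 'C:\').Access |
    Where-Object { $_.IdentityReference.Value -eq $group -and -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```

If the check shows ContainerInherit or ObjectInherit on the C:\ entry, the grant has spread to every folder that inherits from the root, which is the outcome the "this folder only" box was meant to prevent.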
