Locking down 2000 Pro for Public 1

[Dreddnews]

My company does property management, and wish to have a public pc available for people to use to check email with Iexplorer and to do Word and Excel documents. We want this machine to be locked down and not be able to make changes to the computer, nor save on the computer. Only be able to save on the floppy. I'm not quite sure on how to do this. Any help or link to how to do this would be great. Thanks,

-Damon

 

[doggammit76]

I am acutally using a software to lock down my Windows 9x machine at work. Its an educational institution and we do get loads of crap installed/saved into the computers.

Theres two type of "lockdowns" you can get. Either a hardware one or a software one.

Basically a hardware one will take a snapshot of your harddrive and saves it in a hidden area. So everytime your PC boots, it'll reload this snap shot so you'd have the same configs as before. One drawback abt this though is that it kinda slows down the PC in terms of starting up.It also takes a couple of hundred MBs of your harddisk to store the snapshot.

Software ones usually limits the use of the features in Windows. You can set to block users from altering settings or saving onto harddisks. Be forwarned though, experienced users can bypass this feature at boot up.


Heres one hardware link:

http://www.quancom.de/quancom/quanc...tp://www.quancom.de/qprod01/eng/pb/pwdog1.htm

Heres a software link:

http://www.tropsoft.com/pcsecurity/

Information is free....dont hog it!

 

[wreave]

Is the public PC formatted for NTFS? If it is, then you may not need any extra software or hardware, because with NTFS you can fine-tune file and folder permissions for different kinds of user groups. (And the OS is Win2k, right?)

 

[InfrArch]

use local user that is putted into local Users group. Review NTFS permissions on local drive. Compile IE for your needs using IEAK. Set up windows shell to launch not explorer.exe but iexplore.exe (if appropriate in your situation)
no additional software is required!

Victor K
psas@canada.com
MCSE+I;MCSA;MCSE(w2k);CNE(5.1);MCNE(6);CIWSP;CIWSA.

 

[Dreddnews]

Yes the PC is Windows 2000. So how would I disallow access to control panel and to change system settings like the taskbar and icons on desktop?

-Damon

 

[doggammit76]

Dredd

U might need to tweak your registry a little for that.

Heres a site that should give u all you need for that purpose.

http://www.winguides.com/registry/

Remember, always buckup your registry before doing anything.

Hope this helps. Information is free....dont hog it!

 

[pweegar]

You might also take a look at the group policy editor.Disable services and apps from it. Gives you lots of control over what goes where...

 

[wreave]

Dredd -
you can use Group Policy to get alot of what you're after, I think. Group Policy has a set of administrative templates that are alternatives to editing the registry directly.

1) Run gpedit.msc (you have to be logged on as an administrator)
2) Expand User Configuration, then expand Administrative Templates.

You'll see folders labelled:
"Start Menu & Taskbars"
"Desktop"
"Control Panel" and
"System"
among others.

You can then configure various policies to restrict access or hide things from users. For example, in "Start Menu & Taskbars" you can disable changes to the Taskbar and Start Menu settings, or you can remove specific items from the Start menu.

Under "Desktop" you can disable adjusting the desktop toolbars, disable dragging, dropping and closing the Toolbar's tools, and tell the system not to save any settings at exit.

Under Control Panel, you have various options about what control panel apps are available to users - including none. And under System, you can limit what programs users can run.

One other thing you could do - visit your favorite local computer retailer and ask them what they've done to protect the systems they've set out for public display. May save you some time -

 

[Dreddnews]

Yea I tried to edit the registry directing and had some things not work with it. The group policy editor seems to be my best bet. I'll work on it some this week and let you know of my progress. Thanks everyone!

 

[CitrixEngineer]

We solved this by formatting the PCs and installing DOS on FAT32. I then installed a Citrix DOS ICA client, and removed enough files so that the PC could not boot by itself.

I then created a bootable floppy disk with enough information to automatically load the ICA client.

Using MetaFrame and GPO, I locked down IE so that was the only program the public could use. The home page was an NFuse web page containing the programs we allowed them to use and nothing else.

Using shadowing, I could STILL see users trying to hack the system...

Had a couple of users try to reboot using the power switch (which we had hidden). Of course, the PC would not boot without the floppy disk "key"

Hope this is of some help

CitrixEngineer@yahoo.co.uk

 

[Dreddnews]

Well I like the settings in Group Policy... But how do I use it to keep the administrator from being locked down at the same time? In other words, how do I use it for all users but administrator?

 

[GrnEyedLdy]

Dreddnews,

You will need to check the boxes for Read and Apply on the security tab for those that you want effected by this GPO. Do not check Apply for the Administrators group and this GPO will not apply to them. Remember, Administrators are part of the Everyone group, so if you Apply to the Everyone group, that will include Admins.

Hope this helps,

Patty

 

[SMcElvana]

As long as you're not running Group policy, try this. Go into your local Security settings as an Author. Add the snap-in for Group Policy and Security Templates. When group policy isn't in place on the network, the Group policy snapin sets itself up for local security policy. In the new folders will be everything from hiding Control Panel icons to setting Internet Explorer restrictions. Works like a charm on the local machine. As far as I know, you will have to make the settings on each machine manually. But I think you said just one workstation.

Sue

 

[apkashyap]

ok, so i enabled/disabled all that apply in the gpedit.msc. where do i specify that the changes made to the policy in the gpedit.msc must be effective only to the users and not the administrator? i didnt find any check/security boxes for read and apply in the gpdit.msc. am i missing something here?

i am new to this so pls help me out.

thanx in advance

prajwal

 

[uctxs]

I know you have alot of suggestions. But I recommend using a program called Deep Freeze. Once intalled on your workstations nothing can be changed or saved to the pc. Once the PC is rebooted it is back just as it was before anyone messed with it. Then if you need to add something to it there is Admin Priv. available then just lock it back. This program is a very powerful tool and works great. We currently use it on over 480 workstation at our local college and havent had any probs since we installed.

 

[FGaumond]

Hey nobody answer this question and I would be happy to know the answer, did someone does ?

----
apkashyap (IS/IT--Manageme) Nov 26, 2002
ok, so i enabled/disabled all that apply in the gpedit.msc. where do i specify that the changes made to the policy in the gpedit.msc must be effective only to the users and not the administrator? i didnt find any check/security boxes for read and apply in the gpdit.msc. am i missing something here?

i am new to this so pls help me out.

thanx in advance

prajwal

 

[temporaryhandle]

I searched around and here's the closest thing I found to an answer (to how to apply policies only to non-administrators using Windows 2000 Professional):

HOW TO: Apply Local Policies to all Users Except Administrators on Windows 2000 in a Workgroup Setting

http://support.microsoft.com/defaul...port/kb/articles/Q293/6/55.ASP&NoWebContent=1

It's a weird process, it's inconvenient, and it requires you to temporarily assume whatever policies you wish to apply to others (can be dangerous!). But it's the only thing I've found that works.

 

[FGaumond]

Thanks

I've found it too, if you have to do it to several computers just put your admin.pol and your user.pol on a floppy and it,s very simple to apply them. It's just long the first time, you have to actuivate your policies and disabled thme after for the admin, but it does the job very well.

 

[rakone]

So the only way to (apply policies only to non-administrators using Windows 2000 Professional)is to follow the instructions on Microsoft’s site given by temporaryhandle. (thanks temporaryhandle). So what was this post about then?

“GrnEyedLdy
You will need to check the boxes for Read and Apply on the security tab for those that you want effected by this GPO. Do not check Apply for the Administrators group and this GPO will not apply to them. Remember, Administrators are part of the Everyone group, so if you Apply to the Everyone group, that will include Admins”

Because like the others I didn’t find it either I was just curious.

Thanks

 

[rakone]

Please help
(Running win 2000 in workgroup with no domain)

OK for anyone who has followed the steps to

"HOW TO: Apply Local Policies to all Users Except Administrators on Windows 2000 in a Workgroup Setting"
at this link

http://support.microsoft.com/defaul...port/kb/articles/Q293/6/55.ASP&NoWebContent=1

Can some please explain to me what does step 10 mean?
What policy's did i disable does that mean for all the polciy's i don't use i have to set each one to disable then enable them all in step 10?

Also step 9 says to copy the changed registry but what if one of the policy's I enable is to block access to the hardrives? Does it mean I can't do this.

Thanks for anyone who can help.