Securing a Win2k Pro PC while in a hostile domain

[MisterSix]

I am developing a device that embeds a PC with Windows 2000 Pro as it's base operating system. Once installed this device may (or may not) be attached to a LAN. I have replaced the standard shell (explorer.exe) with my own dedicated application, however I permit the user certain functionality such as attaching the PC to a domain.

When this happens, and the user logs in, the domain supplies the login script to run, and can do vertually anything it wants to this PC.

So my question is, given the fact that I can setup my PCs with any configuration I need, is there a way to secure this PC so that the unknown domain cannot get access to the system, yet the PC will still be able to access resources (i.e. file servers) in the domain??

 

[karmic]

Take the machines off the domain and put them in a workgroup. Just make sure you name the workgroup the same as the domain workgrouup. You can still access shared files and printers just fine.

~ K.I.S.S - Don't make it any more complex than it has to be ~

 

[MisterSix]

Thanks Karmic, but no go.

I could not access any of the servers.

The best I have found so far, is to attach the PC to the domain, and then login LOCALLY with an account name and password that also exists in the domain.
Just dont do a domain login on that machine, otherwise the domain has full access (login scripts, SMS pushes, administrative shares, etc) to the local hard drive.

While this works, it is wierd that it does work!