Archived from groups: microsoft.public.win2000.group_policy
Hi Andrew.
Your advice is right on but unless you know something I don't about Windows
2000 [entirely possible] Software Restriction Policies are not available for
it. --- Steve
"Andrew Mitchell" <amitchell@removecasey.vic.gov.au> wrote in message
news:Xns95FB3DFBE61FAA12F32EDB83F@207.46.248.16...
> Fabrussio <Fabrussio@discussions.microsoft.com> said
>
>> I work in a school where security is always a problem. All our computers
>> are w2k.
>> The problem at the moment is students are bringing in regedit.exe on
>> disk and running it, then importing .reg files that get around security
>> set by GPO. If I did use 'run only allowed win apps' and they rename
>> their regedit.exe to winword.exe (which will be allowed of course), will
>> it still work for them? Any ideas of other 3rd party software that can
>> get round these kinds of problems? We can not upgrade to XP.
>>
>
> You can still use software restriction policies to do this on Windows
> 2000.
> I have done this on the computers of some troublesome users I have.
>
> I don't have the details in front of me but IIRC it was something like:
> -Make sure drives are formatted NTFS
> -Make sure users do not have write or update access to c:\windows or
> c:\program files.
> -Use a GPO to prevent access to and hide the C drive from Explorer.
> -Set a default software restriction policy to disallow all applications.
> -Set another policy to allow .lnk and .url files to run from "c:\documents
> and settings" (this allows shortcuts to run from the users profiles -
> Desktop, Start menu etc.)
> -Create another policy to allow any executable to run from C:\Windows and
> subdirectories and "C:\Program Files" and subdirectories. As you have made
> sure the users can't save anything here you are pretty safe.
>
> When the users open Explorer they will only see their floppy drive, "My
> Documents", and their CD-ROM (if they have one). They will not be able to
> run executables of any name from any of these locations and will not have
> permission to copy them to c:\windows or c:\program files to run them from
> there.
> They can copy them to their desktops but, as they can only run shortcuts
> from there, they still won't run.
>
> You should also look at the policy to prevent Registry Editing tools
> running. It won't stop all such tools but it will work with Regedit (even
> if renamed) and TweakUI.
>
> --
>
> Andy.