Allowing only IE and nothing else - possible?

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

What's the best way to lock down a user account so that only IE can be used
and nothing else - and no files or folders, drives or context menus can be
accessed or file dialogs or active x, etc components can gain access to any
parts of my win2k system except through threat of torture whilst sitting
behind the user? Anyone? And yes I'm serious. No jokes please...

TIA

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I haven't tried it in a long time but you used to be able to set
iexplore.exe as the shell rather than explorer.exe which caused only IE to
be run at logon, but you still had to use poledit or group policy (or local
policy) to lock down all the drives and programs you didn't want to be run,
the run command, etc...

If you search the web for more info, use the word "kiosk" as that's
typically the purpose for a machine that is locked down that tightly.

--
Mike Shepperd
MCSE NT4, 2000, 2003
NewFuture Consulting
Seattle, Washington


<nospam@nospam.com> wrote in message
news:dajkum$t5d$1@nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com...
> What's the best way to lock down a user account so that only IE can be
> used and nothing else - and no files or folders, drives or context menus
> can be accessed or file dialogs or active x, etc components can gain
> access to any parts of my win2k system except through threat of torture
> whilst sitting behind the user? Anyone? And yes I'm serious. No jokes
> please...
>
> TIA
>

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

try this link

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/csws2003.mspx

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

> try this link
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/csws2003.mspx

Thanks for the info - as its a Windows 2000 Pro machine with no domains,
etc, the link above really isn't suitable for a single two user account pc -
its all aimed at enterprise wide scenarios. Plus when I installed the gpmc
it told me to log in using a domain admin account, which obviously I don't
have...

But thanks for the suggestions - a kiosk user with the ability to log off
and connect to internet to run ie is all I need, so I'll keep fishing about.

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Many of the Group Policy settings are available for the local policy on
Windows 2000 Professional. The information is geared towards the
enterprise, but can be very helpful in showing the changes that need to be
made on a standalone machine.

The suggestion I had given previously was incomplete regarding the alternate
shell but the Microsoft docs showed the proper syntax of "iexplore.exe -k"
which you should be able to set manually in the registry, or maybe through
local policy.

Unfortunately, I don't have a 2000 machine to play with here, so I can't put
it together for you, but using the info on that page might get you the
results you're looking for.

Good luck,

--
--
Mike Shepperd
MCSE NT4, 2000, 2003
NewFuture Consulting
Seattle, Washington


<nospam@nospam.com> wrote in message
news:dalvob$f5v$1@nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com...
>> try this link
>>
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/csws2003.mspx
>
> Thanks for the info - as its a Windows 2000 Pro machine with no domains,
> etc, the link above really isn't suitable for a single two user account
> pc - its all aimed at enterprise wide scenarios. Plus when I installed the
> gpmc it told me to log in using a domain admin account, which obviously I
> don't have...
>
> But thanks for the suggestions - a kiosk user with the ability to log off
> and connect to internet to run ie is all I need, so I'll keep fishing
> about.
>

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Ok, quick google search turned up this:
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Miscellaneous/LockdownbygroupusingLocalComputerPolicywithoutActiveDirectory.html

Shows the details needed to lock down a Windows 2000 system using local
policy and changing the needed permissions to lock out specific user
accounts and allow full access to others.

This should cover everything you're looking for.

--
--
Mike Shepperd
MCSE NT4, 2000, 2003
NewFuture Consulting
Seattle, Washington


"Mike Shepperd" <mikesmobile_|_gmail> wrote in message
news:SrudndjdcP8wKFPfRVn-ig@comcast.com...
> Many of the Group Policy settings are available for the local policy on
> Windows 2000 Professional. The information is geared towards the
> enterprise, but can be very helpful in showing the changes that need to be
> made on a standalone machine.
>
> The suggestion I had given previously was incomplete regarding the
> alternate shell but the Microsoft docs showed the proper syntax of
> "iexplore.exe -k" which you should be able to set manually in the
> registry, or maybe through local policy.
>
> Unfortunately, I don't have a 2000 machine to play with here, so I can't
> put it together for you, but using the info on that page might get you the
> results you're looking for.
>
> Good luck,
>
> --
> --
> Mike Shepperd
> MCSE NT4, 2000, 2003
> NewFuture Consulting
> Seattle, Washington
>
>
> <nospam@nospam.com> wrote in message
> news:dalvob$f5v$1@nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com...
>>> try this link
>>>
>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/csws2003.mspx
>>
>> Thanks for the info - as its a Windows 2000 Pro machine with no domains,
>> etc, the link above really isn't suitable for a single two user account
>> pc - its all aimed at enterprise wide scenarios. Plus when I installed
>> the gpmc it told me to log in using a domain admin account, which
>> obviously I don't have...
>>
>> But thanks for the suggestions - a kiosk user with the ability to log off
>> and connect to internet to run ie is all I need, so I'll keep fishing
>> about.
>>
>
>