Would like to lockdown public computer

Archived from groups: microsoft.public.win2000.security

I would like to make some computers available to some kids with social
problems and I would like to restrict their access to everything including
whether they can install something on the computer, whether they can change
the wallpaper, or the local hard disk etc without using a domain. Is this
possible? If yes can you tell me what I'll need to learn or do to make it
happen?
Also, I would like to know if it's possible to set up something like a
mandatory profile on a machine without using a domain.
Any help would be appreciated.
Thanks in advance.
  1. Archived from groups: microsoft.public.win2000.security

    First off make sure they are only regular users. Then on the root/drive
    folder make sure that users have no more than read/list/execute permissions
    so that they cannot install or copy files there. If you use the guest
    account, any changes they make to the computer profile/desktop while logged
    on will not be saved when they log off. If you use the guest account be sure
    to disable file and print sharing or make sure that the Everyone group does
    not have access to any shares for share permissions or NTFS permissions.

    If you assign regular user accounts make sure they are not owner of that
    user profile and then you can change permissions to the desktop folder in
    the profiles to have only read/list/execute permissions so that they cannot
    change the desktop. Learn to use Group Policy. You can enable it on a local
    computer via Gpedit.msc and you will find a bunch of user restrictions under
    user configuration/administrative templates. Note that for local Group
    Policy the restrictions will apply to all local users including
    administrators, so be careful not to lock yourself out, though you can always
    manage Group Policy remotely from another computer on the network using the
    Group Policy MMC snap-in on the remote computer targeting the other computer.
    Mmc in the Run box will open the Microsoft Management Console.

    I don't know how computer savvy your kids are but you want to configure CMOS
    settings on the computers to boot only from the hard drive and password
    protect the CMOS settings as it is easy to reboot a computer from a floppy
    or CD-ROM to reset the built-in administrator account so that the attacker
    can gain administrator access to the computer. If possible lock the computer
    cases as CMOS settings can usually be reset by removing the motherboard
    battery for a minute. I am not sure about using mandatory profiles on a
    workgroup computer. I think you may be able to do it, but you have to create
    the mandatory profile on the local computer and then have the user's account
    point to it as its profile path using the local disk instead of a network
    share that would normally be used. You might find out that by configuring
    NTFS permissions on the user's account profile and using Group Policy that
    you may be able to do most or all of what you want to do. For instance you
    could configure display properties to your liking and then use Group
    Policy/user configuration/administrative templates/control panel/display to
    prevent users from changing display settings. It might also be a good idea
    to make Ghost images of those computers for a quick reinstall in case they
    end up getting messed up somehow. If you are going to be giving them
    internet access, see the article in the link below on recommended minimum IE
    security settings and then disable their ability to change IE settings via
    Group Policy. --- Steve

    http://mvps.org/winhelp2002/unwanted.htm

  2. Archived from groups: microsoft.public.win2000.security

    Joe wrote:
    | I would like to make some computers available to some kids with social
    | problems and I would like to restrict their access to everything including
    | whether they can install something on the computer, whether they can change
    | the wallpaper, or the local hard disk etc without using a domain. Is this
    | possible? If yes can you tell me what I'll need to learn or do to make it
    | happen?
    | Also, I would like to know if it's possible to setup something like a
    | mandatory profile on a machine without using a domain.
    | Any help would be appreciated.
    | Thanks in advance.
    |
    |
    A friend of mine works in a college with a lot of students who like to
    tinker with the machines etc. He uses a product called 'Deep Freeze' to
    lock down the machines - he says it's very effective. I could put you in
    touch if you like.

  3. Archived from groups: microsoft.public.win2000.security

    "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    news:Ps39d.202135$D%.132326@attbi_s51...

    Thanks Steven. I appreciate your help.
    Cheers!