Archived from groups: microsoft.public.win2000.security (
More info?)
"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news
s39d.202135$D%.132326@attbi_s51...
> First off make sure they are only regular users. Then on the root/drive
> folder make sure that uses have no more that read/list/execute permissions
> so that they can not install or copy files there. If you use the guest
> account, any changes they make to the computer profile/desktop while
logged
> on will not be saved when they logoff. If you use the guest account be
sure
> to disable file and print sharing or make sure that the everyone group
does
> not have access to any shares for share permissions or ntfs permissions.
>
> If you assign regular user accounts make sure they are not owner of that
> user profile and then you can change permissions to the desktop folder in
> the profiles to have only read/list/execute permissions so that they can
not
> change the desktop. Learn to use Group Policy. You can enable it on a
local
> computer via Gpedit.msc and you will find a bunch of user restrictions
under
> user configuration/administrative templates. Note that for local Group
> Policy that the restrictions will apply to all local users including
> administrators so be careful not to lock yourself out though you can
always
> manage Group Policy remotely from another computer on the network using
the
> Group Policy mmc snapin on the remote computer targeting the other
computer.
> Mmc in the run box will open the Microsoft management Console.
>
> I don't know how computer savvy your kids are but you want to configure
cmos
> settings on the computers to boot only from the hard drive and password
> protect the cmos settings as it is easy to reboot a computer from a floppy
> or cdrom to reset the built in administrator account so that the attacker
> can gain administrator access to the computer. If possible lock the
computer
> cases as cmos settings can usually be reset by removing the motherboard
> battery for a minute. I am not sure about using mandatory profiles on a
> workgroup computer. I think you may be able to do it, but you have to
create
> the mandatory profile on the local computer and then have the users
account
> point to it as it's profile path using the local disk instead of a network
> share that would normally be used. You might find out that by configuring
> ntfs permissions on the users account profile and using Group Policy that
> you may be able to do most or all of what you want to do. For instance you
> could configure display properties to your liking and then use Group
> Policy/user configuration/administrative templates/control panel/display
to
> prevent users from changing display settings. It might also be a good idea
> to make Ghost images of those computers for a quick reinstall in case they
> end up getting messed up somehow. If you are going to be giving them
> internet access, see the article in the link below on recommended minimum
IE
> security settings and then disable their ability to change IE settings via
> Group Policy. --- Steve
>
>
http://mvps.org/winhelp2002/unwanted.htm
>
>
> "Joe" <user@host.com> wrote in message
> news:6audnajVd55DE_ncRVn-pg@rogers.com...
> >I would like to make some computers available to some kids with social
> > problems and I would like to restrict their access to everything
including
> > whether they can install something on the computer, whether they can
> > change
> > the wallpaper, or the local hard disk etc without using a domain. Is
this
> > possible? If yes can you tell me what I'll need to learn or do to make
it
> > happen?
> > Also, I would like to know if it's possible to setup something like a
> > mandatory profile on a machine without using a domain.
> > Any help would be appreciated.
> > Thanks in advance.
> >
> >
>
>
Thanks Steven. I appreciate your help.
Cheers!