Archived from groups: microsoft.public.win2000.security
Great (and finally.) !!
--
Roger
"Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
news:eqxCou9$EHA.612@TK2MSFTNGP09.phx.gbl...
> Hold that thought. There will be some forthcoming information in the very
> near future that will address this exact scenario with very prescriptive
> guidance, some tools, and excellent demonstrations.
>
> More info later.
>
>
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:%237j9zy5$EHA.2876@TK2MSFTNGP12.phx.gbl...
> > IMO there is no (well, sometimes one) reasonably simple solution.
> > Since to function for login an account must have write access in
> > some places, it is not possible to simply deny NTFS write across
> > the board.
> >
> > One can remove the many ways the OS provides to be able
> > to get at a command prompt or open access to the filesystem.
> > But one also needs to make sure that one cannot escape out
> > from the applications that are allowed to run and get to a
> > cmd prompt (or any of a number of other applications).
> >
> > XP provides the best default NTFS and registry permissions
> > of any MS OS to date in terms of helping toward your objective.
> > If you are using W2k then you have more work to do.
> >
> > With XP one can look at using Software Restriction Policy
> > to control what can execute. However, if you are in a non-domain
> > environment then this will have to be defined repetitiously on each
> > machine. Also, in XP and prior, one can set NTFS permissions on
> > applications so that the public use account has not been granted
> > execute permission on (a long list of) applications.
> >
> > Now, that said, one can also explore replacing the default user
> > shell (Explorer) with the one application that the account is
> > supposed to be able to run. This may or may not work, and if
> > it does this may or may not be what one needs.
> >
> > MS has provided some guidance and security templates for
> > typical desktop scenarios, including one for a kiosk environment.
> > It does however only go so far down the road.
> >
> > In short, SAFER (Software Restriction Policy) may be your
> > best bet after you have stripped the user interface down.
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Jell" <jell@a.com> wrote in message
> > news:vL3Id.10526$Vx2.4137@trndny01...
> >> I'm installing a Win2k computer with a kiosk software in my restaurant and I
> >> want to allow only printing. The kiosk handles IE pretty well security-wise
> >> but when opening Word docs from the browser I leave my Windows files wide
> >> open for deletion. I also do not want to allow saving to the hard drive. I
> >> looked into securing the computer using security permissions but got in way
> >> over my head. I investigated software that 'hides' files and folders but
> >> none panned out as effective because they mainly focus on hiding things like
> >> the My Documents folder which to me is the least of my concerns. I know all
> >> the registry hacks to hide desktop items, Control panel, etc...
> >> Does anyone have a solution that is reasonably simple?
> >>
> >> thanks
> >>
> >>
> >
> >
>
>