Sign in with
Sign up | Sign in
Your question

Setting up new users

Tags:
  • Security
  • Computers
  • Microsoft
  • Windows
Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
March 11, 2005 11:03:00 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi everyone,



I am faced with the following challenge and would really appreciate if you
could help or point me in the right direction.



We have two computer running Win 2000 Pro.

We would like to give a public access to this computer so anyone coming in
can use them.



My challenge is to:

1 Create an account on each computer with the following restrictions:

- Users cannot change any settings on the computer.

- Users cannot right click.

- Users cannot download files from the Internet

- Users cannot create files or folders

- Users can only access sites approved by us

2 Does any of you know of a cheap software, which will allow us:

- How long people have been on the Internet

- Have the printed anything



Thanks a lot in advance.



Anguel

More about : setting users

Anonymous
a b 8 Security
March 12, 2005 1:29:24 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Your best bet would to be to use Windows XP Pro which can use Software
Restriction Policies for such computers. However for Windows 2000 what you
could do is to let the users logon as the guest account. You can give the
guest account a password if you want and configure the account so that the
password can not be changed. Enabling the guest account however will allow
any user network access to the computer that has the everyone group
configured in permissions for a share folder so keep that in mind. If you
want to use a regular user account you would want to modify permissions to
that users profile to be only read/list/execute. A local administrator would
need to take ownership of that folder first to do such.

The guest account will use a profile that will be deleted when the user logs
off. Make sire that the root/drive folder has no more than read/list
permissions for the everyone group. Also make sure that the guest account
has deny permissions to the \documents and settings\all users\shared
documents folder. You can use ntfs permissions to prevent the guest account
from running applications you do not want them to access such as folders in
the program files folder.

Use Group Policy to restrict the users further. Local Group Policy is
invoked with the gpedit.msc command but keep in mind that by default local
Group Policy applies to ALL users that logon to a computer - even
administrators. You will find the most useful settings under user
configuration/administrative templates in the various categories. Be sure to
read full explanation of settings before enabling. Settings for "context
menu" will disable right click at various places in the operating system. An
administrator could still access Group Policy from another computer on the
network to manage Group Policy if he locked himself out by using the mmc
snapin for Group Policy on the remote computer and browsing to the locked
down computer. The admin would want to logon to the remote computer with an
account that has admin powers on the locked down computer.

You could configure Internet Explorer so that the internet Web Content Zone
[ tools/internet options/security/custom] will not allow downloads and that
will prevent downloads through Internet Explorer. As far as printing you
could go to printers and faxes, select file/server properties and enable log
spooler information events in the advanced tab. The part about restricting
internet access and monitoring access is best done at your firewall which
may or may not have the abilities you need. Microsoft ISA 2004 can certainly
do such but is not cheap - around $1500 installed on a server operating
system. You could try using IE Content Advisor to restrict where users can
go which may or may not work well depending on the amount of sites you want
to allow access to and the type of sites as many sites are a bunch of links
to other sites. Another option may be to use an internet monitoring software
package such as Net Nanny or Cyber Patrol. Many of them have free trial
downloads. If the budget allows many lower priced firewalls offer a
subscription content service where you pay a small monthly fee and the
service will help prevent users from accessing websites which you deem
inappropriate. Such an investment most likely would prove well worth while.
The links below may help. --- Steve

http://www.netnanny.com/
http://www.cyberpatrol.com/internet_monitor.aspx
http://www.sonicwall.com/products/tz170.html

"Anguel Iordanov" <adiaxissm@hotmail.com> wrote in message
news:eohb6ChJFHA.1392@TK2MSFTNGP10.phx.gbl...
> Hi everyone,
>
>
>
> I am faced with the following challenge and would really appreciate if you
> could help or point me in the right direction.
>
>
>
> We have two computer running Win 2000 Pro.
>
> We would like to give a public access to this computer so anyone coming in
> can use them.
>
>
>
> My challenge is to:
>
> 1 Create an account on each computer with the following
> restrictions:
>
> - Users cannot change any settings on the computer.
>
> - Users cannot right click.
>
> - Users cannot download files from the Internet
>
> - Users cannot create files or folders
>
> - Users can only access sites approved by us
>
> 2 Does any of you know of a cheap software, which will allow us:
>
> - How long people have been on the Internet
>
> - Have the printed anything
>
>
>
> Thanks a lot in advance.
>
>
>
> Anguel
>
>
>
Anonymous
a b 8 Security
March 15, 2005 12:26:58 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi Steve,

Thank you very much for the reply. What you are saying makes sense, however

I am not really sure how to do it. Is there a step by step guide? Or any

articles I can read?

Thanks a lot.

Anguel




"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:#R1$nvrJFHA.2648@TK2MSFTNGP14.phx.gbl...
> Your best bet would to be to use Windows XP Pro which can use Software
> Restriction Policies for such computers. However for Windows 2000 what you
> could do is to let the users logon as the guest account. You can give the
> guest account a password if you want and configure the account so that
the
> password can not be changed. Enabling the guest account however will allow
> any user network access to the computer that has the everyone group
> configured in permissions for a share folder so keep that in mind. If you
> want to use a regular user account you would want to modify permissions to
> that users profile to be only read/list/execute. A local administrator
would
> need to take ownership of that folder first to do such.
>
> The guest account will use a profile that will be deleted when the user
logs
> off. Make sire that the root/drive folder has no more than read/list
> permissions for the everyone group. Also make sure that the guest account
> has deny permissions to the \documents and settings\all users\shared
> documents folder. You can use ntfs permissions to prevent the guest
account
> from running applications you do not want them to access such as folders
in
> the program files folder.
>
> Use Group Policy to restrict the users further. Local Group Policy is
> invoked with the gpedit.msc command but keep in mind that by default local
> Group Policy applies to ALL users that logon to a computer - even
> administrators. You will find the most useful settings under user
> configuration/administrative templates in the various categories. Be sure
to
> read full explanation of settings before enabling. Settings for "context
> menu" will disable right click at various places in the operating system.
An
> administrator could still access Group Policy from another computer on the
> network to manage Group Policy if he locked himself out by using the mmc
> snapin for Group Policy on the remote computer and browsing to the locked
> down computer. The admin would want to logon to the remote computer with
an
> account that has admin powers on the locked down computer.
>
> You could configure Internet Explorer so that the internet Web Content
Zone
> [ tools/internet options/security/custom] will not allow downloads and
that
> will prevent downloads through Internet Explorer. As far as printing you
> could go to printers and faxes, select file/server properties and enable
log
> spooler information events in the advanced tab. The part about restricting
> internet access and monitoring access is best done at your firewall which
> may or may not have the abilities you need. Microsoft ISA 2004 can
certainly
> do such but is not cheap - around $1500 installed on a server operating
> system. You could try using IE Content Advisor to restrict where users can
> go which may or may not work well depending on the amount of sites you
want
> to allow access to and the type of sites as many sites are a bunch of
links
> to other sites. Another option may be to use an internet monitoring
software
> package such as Net Nanny or Cyber Patrol. Many of them have free trial
> downloads. If the budget allows many lower priced firewalls offer a
> subscription content service where you pay a small monthly fee and the
> service will help prevent users from accessing websites which you deem
> inappropriate. Such an investment most likely would prove well worth
while.
> The links below may help. --- Steve
>
> http://www.netnanny.com/
> http://www.cyberpatrol.com/internet_monitor.aspx
> http://www.sonicwall.com/products/tz170.html
>
> "Anguel Iordanov" <adiaxissm@hotmail.com> wrote in message
> news:eohb6ChJFHA.1392@TK2MSFTNGP10.phx.gbl...
> > Hi everyone,
> >
> >
> >
> > I am faced with the following challenge and would really appreciate if
you
> > could help or point me in the right direction.
> >
> >
> >
> > We have two computer running Win 2000 Pro.
> >
> > We would like to give a public access to this computer so anyone coming
in
> > can use them.
> >
> >
> >
> > My challenge is to:
> >
> > 1 Create an account on each computer with the following
> > restrictions:
> >
> > - Users cannot change any settings on the computer.
> >
> > - Users cannot right click.
> >
> > - Users cannot download files from the Internet
> >
> > - Users cannot create files or folders
> >
> > - Users can only access sites approved by us
> >
> > 2 Does any of you know of a cheap software, which will allow us:
> >
> > - How long people have been on the Internet
> >
> > - Have the printed anything
> >
> >
> >
> > Thanks a lot in advance.
> >
> >
> >
> > Anguel
> >
> >
> >
>
>
Anonymous
a b 8 Security
March 16, 2005 1:44:14 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Here are a couple of links. The first is some software that claims it can do
much of what you want and the last link is to the Windows 2003 Deployment
Kit which contains some excellent documentation of using a managed
environment. --- Steve

http://www.sharewareconnection.com/advanced-internet-ki...

http://www.microsoft.com/resources/documentation/Window...

"Anguel Iordanov" <adiaxissm@hotmail.com> wrote in message
news:uQ9XAyNKFHA.3132@TK2MSFTNGP12.phx.gbl...
> Hi Steve,
>
> Thank you very much for the reply. What you are saying makes sense,
> however
>
> I am not really sure how to do it. Is there a step by step guide? Or any
>
> articles I can read?
>
> Thanks a lot.
>
> Anguel
>
>
>
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:#R1$nvrJFHA.2648@TK2MSFTNGP14.phx.gbl...
>> Your best bet would to be to use Windows XP Pro which can use Software
>> Restriction Policies for such computers. However for Windows 2000 what
>> you
>> could do is to let the users logon as the guest account. You can give the
>> guest account a password if you want and configure the account so that
> the
>> password can not be changed. Enabling the guest account however will
>> allow
>> any user network access to the computer that has the everyone group
>> configured in permissions for a share folder so keep that in mind. If you
>> want to use a regular user account you would want to modify permissions
>> to
>> that users profile to be only read/list/execute. A local administrator
> would
>> need to take ownership of that folder first to do such.
>>
>> The guest account will use a profile that will be deleted when the user
> logs
>> off. Make sire that the root/drive folder has no more than read/list
>> permissions for the everyone group. Also make sure that the guest account
>> has deny permissions to the \documents and settings\all users\shared
>> documents folder. You can use ntfs permissions to prevent the guest
> account
>> from running applications you do not want them to access such as folders
> in
>> the program files folder.
>>
>> Use Group Policy to restrict the users further. Local Group Policy is
>> invoked with the gpedit.msc command but keep in mind that by default
>> local
>> Group Policy applies to ALL users that logon to a computer - even
>> administrators. You will find the most useful settings under user
>> configuration/administrative templates in the various categories. Be sure
> to
>> read full explanation of settings before enabling. Settings for "context
>> menu" will disable right click at various places in the operating system.
> An
>> administrator could still access Group Policy from another computer on
>> the
>> network to manage Group Policy if he locked himself out by using the mmc
>> snapin for Group Policy on the remote computer and browsing to the locked
>> down computer. The admin would want to logon to the remote computer with
> an
>> account that has admin powers on the locked down computer.
>>
>> You could configure Internet Explorer so that the internet Web Content
> Zone
>> [ tools/internet options/security/custom] will not allow downloads and
> that
>> will prevent downloads through Internet Explorer. As far as printing you
>> could go to printers and faxes, select file/server properties and enable
> log
>> spooler information events in the advanced tab. The part about
>> restricting
>> internet access and monitoring access is best done at your firewall which
>> may or may not have the abilities you need. Microsoft ISA 2004 can
> certainly
>> do such but is not cheap - around $1500 installed on a server operating
>> system. You could try using IE Content Advisor to restrict where users
>> can
>> go which may or may not work well depending on the amount of sites you
> want
>> to allow access to and the type of sites as many sites are a bunch of
> links
>> to other sites. Another option may be to use an internet monitoring
> software
>> package such as Net Nanny or Cyber Patrol. Many of them have free trial
>> downloads. If the budget allows many lower priced firewalls offer a
>> subscription content service where you pay a small monthly fee and the
>> service will help prevent users from accessing websites which you deem
>> inappropriate. Such an investment most likely would prove well worth
> while.
>> The links below may help. --- Steve
>>
>> http://www.netnanny.com/
>> http://www.cyberpatrol.com/internet_monitor.aspx
>> http://www.sonicwall.com/products/tz170.html
>>
>> "Anguel Iordanov" <adiaxissm@hotmail.com> wrote in message
>> news:eohb6ChJFHA.1392@TK2MSFTNGP10.phx.gbl...
>> > Hi everyone,
>> >
>> >
>> >
>> > I am faced with the following challenge and would really appreciate if
> you
>> > could help or point me in the right direction.
>> >
>> >
>> >
>> > We have two computer running Win 2000 Pro.
>> >
>> > We would like to give a public access to this computer so anyone coming
> in
>> > can use them.
>> >
>> >
>> >
>> > My challenge is to:
>> >
>> > 1 Create an account on each computer with the following
>> > restrictions:
>> >
>> > - Users cannot change any settings on the computer.
>> >
>> > - Users cannot right click.
>> >
>> > - Users cannot download files from the Internet
>> >
>> > - Users cannot create files or folders
>> >
>> > - Users can only access sites approved by us
>> >
>> > 2 Does any of you know of a cheap software, which will allow us:
>> >
>> > - How long people have been on the Internet
>> >
>> > - Have the printed anything
>> >
>> >
>> >
>> > Thanks a lot in advance.
>> >
>> >
>> >
>> > Anguel
>> >
>> >
>> >
>>
>>
>
>
!