Setting up new users

Archived from groups: microsoft.public.win2000.security (More info?)

Hi everyone,


I am faced with the following challenge and would really appreciate if you
could help or point me in the right direction.


We have two computer running Win 2000 Pro.

We would like to give a public access to this computer so anyone coming in
can use them.


My challenge is to:

1 Create an account on each computer with the following restrictions:

- Users cannot change any settings on the computer.

- Users cannot right click.

- Users cannot download files from the Internet

- Users cannot create files or folders

- Users can only access sites approved by us

2 Does any of you know of a cheap software, which will allow us:

- How long people have been on the Internet

- Have the printed anything


Thanks a lot in advance.


Anguel
3 answers Last reply
More about setting users
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    Your best bet would to be to use Windows XP Pro which can use Software
    Restriction Policies for such computers. However for Windows 2000 what you
    could do is to let the users logon as the guest account. You can give the
    guest account a password if you want and configure the account so that the
    password can not be changed. Enabling the guest account however will allow
    any user network access to the computer that has the everyone group
    configured in permissions for a share folder so keep that in mind. If you
    want to use a regular user account you would want to modify permissions to
    that users profile to be only read/list/execute. A local administrator would
    need to take ownership of that folder first to do such.

    The guest account will use a profile that will be deleted when the user logs
    off. Make sire that the root/drive folder has no more than read/list
    permissions for the everyone group. Also make sure that the guest account
    has deny permissions to the \documents and settings\all users\shared
    documents folder. You can use ntfs permissions to prevent the guest account
    from running applications you do not want them to access such as folders in
    the program files folder.

    Use Group Policy to restrict the users further. Local Group Policy is
    invoked with the gpedit.msc command but keep in mind that by default local
    Group Policy applies to ALL users that logon to a computer - even
    administrators. You will find the most useful settings under user
    configuration/administrative templates in the various categories. Be sure to
    read full explanation of settings before enabling. Settings for "context
    menu" will disable right click at various places in the operating system. An
    administrator could still access Group Policy from another computer on the
    network to manage Group Policy if he locked himself out by using the mmc
    snapin for Group Policy on the remote computer and browsing to the locked
    down computer. The admin would want to logon to the remote computer with an
    account that has admin powers on the locked down computer.

    You could configure Internet Explorer so that the internet Web Content Zone
    [ tools/internet options/security/custom] will not allow downloads and that
    will prevent downloads through Internet Explorer. As far as printing you
    could go to printers and faxes, select file/server properties and enable log
    spooler information events in the advanced tab. The part about restricting
    internet access and monitoring access is best done at your firewall which
    may or may not have the abilities you need. Microsoft ISA 2004 can certainly
    do such but is not cheap - around $1500 installed on a server operating
    system. You could try using IE Content Advisor to restrict where users can
    go which may or may not work well depending on the amount of sites you want
    to allow access to and the type of sites as many sites are a bunch of links
    to other sites. Another option may be to use an internet monitoring software
    package such as Net Nanny or Cyber Patrol. Many of them have free trial
    downloads. If the budget allows many lower priced firewalls offer a
    subscription content service where you pay a small monthly fee and the
    service will help prevent users from accessing websites which you deem
    inappropriate. Such an investment most likely would prove well worth while.
    The links below may help. --- Steve

    http://www.netnanny.com/
    http://www.cyberpatrol.com/internet_monitor.aspx
    http://www.sonicwall.com/products/tz170.html

    "Anguel Iordanov" <adiaxissm@hotmail.com> wrote in message
    news:eohb6ChJFHA.1392@TK2MSFTNGP10.phx.gbl...
    > Hi everyone,
    >
    >
    >
    > I am faced with the following challenge and would really appreciate if you
    > could help or point me in the right direction.
    >
    >
    >
    > We have two computer running Win 2000 Pro.
    >
    > We would like to give a public access to this computer so anyone coming in
    > can use them.
    >
    >
    >
    > My challenge is to:
    >
    > 1 Create an account on each computer with the following
    > restrictions:
    >
    > - Users cannot change any settings on the computer.
    >
    > - Users cannot right click.
    >
    > - Users cannot download files from the Internet
    >
    > - Users cannot create files or folders
    >
    > - Users can only access sites approved by us
    >
    > 2 Does any of you know of a cheap software, which will allow us:
    >
    > - How long people have been on the Internet
    >
    > - Have the printed anything
    >
    >
    >
    > Thanks a lot in advance.
    >
    >
    >
    > Anguel
    >
    >
    >
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Hi Steve,

    Thank you very much for the reply. What you are saying makes sense, however

    I am not really sure how to do it. Is there a step by step guide? Or any

    articles I can read?

    Thanks a lot.

    Anguel


    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:#R1$nvrJFHA.2648@TK2MSFTNGP14.phx.gbl...
    > Your best bet would to be to use Windows XP Pro which can use Software
    > Restriction Policies for such computers. However for Windows 2000 what you
    > could do is to let the users logon as the guest account. You can give the
    > guest account a password if you want and configure the account so that
    the
    > password can not be changed. Enabling the guest account however will allow
    > any user network access to the computer that has the everyone group
    > configured in permissions for a share folder so keep that in mind. If you
    > want to use a regular user account you would want to modify permissions to
    > that users profile to be only read/list/execute. A local administrator
    would
    > need to take ownership of that folder first to do such.
    >
    > The guest account will use a profile that will be deleted when the user
    logs
    > off. Make sire that the root/drive folder has no more than read/list
    > permissions for the everyone group. Also make sure that the guest account
    > has deny permissions to the \documents and settings\all users\shared
    > documents folder. You can use ntfs permissions to prevent the guest
    account
    > from running applications you do not want them to access such as folders
    in
    > the program files folder.
    >
    > Use Group Policy to restrict the users further. Local Group Policy is
    > invoked with the gpedit.msc command but keep in mind that by default local
    > Group Policy applies to ALL users that logon to a computer - even
    > administrators. You will find the most useful settings under user
    > configuration/administrative templates in the various categories. Be sure
    to
    > read full explanation of settings before enabling. Settings for "context
    > menu" will disable right click at various places in the operating system.
    An
    > administrator could still access Group Policy from another computer on the
    > network to manage Group Policy if he locked himself out by using the mmc
    > snapin for Group Policy on the remote computer and browsing to the locked
    > down computer. The admin would want to logon to the remote computer with
    an
    > account that has admin powers on the locked down computer.
    >
    > You could configure Internet Explorer so that the internet Web Content
    Zone
    > [ tools/internet options/security/custom] will not allow downloads and
    that
    > will prevent downloads through Internet Explorer. As far as printing you
    > could go to printers and faxes, select file/server properties and enable
    log
    > spooler information events in the advanced tab. The part about restricting
    > internet access and monitoring access is best done at your firewall which
    > may or may not have the abilities you need. Microsoft ISA 2004 can
    certainly
    > do such but is not cheap - around $1500 installed on a server operating
    > system. You could try using IE Content Advisor to restrict where users can
    > go which may or may not work well depending on the amount of sites you
    want
    > to allow access to and the type of sites as many sites are a bunch of
    links
    > to other sites. Another option may be to use an internet monitoring
    software
    > package such as Net Nanny or Cyber Patrol. Many of them have free trial
    > downloads. If the budget allows many lower priced firewalls offer a
    > subscription content service where you pay a small monthly fee and the
    > service will help prevent users from accessing websites which you deem
    > inappropriate. Such an investment most likely would prove well worth
    while.
    > The links below may help. --- Steve
    >
    > http://www.netnanny.com/
    > http://www.cyberpatrol.com/internet_monitor.aspx
    > http://www.sonicwall.com/products/tz170.html
    >
    > "Anguel Iordanov" <adiaxissm@hotmail.com> wrote in message
    > news:eohb6ChJFHA.1392@TK2MSFTNGP10.phx.gbl...
    > > Hi everyone,
    > >
    > >
    > >
    > > I am faced with the following challenge and would really appreciate if
    you
    > > could help or point me in the right direction.
    > >
    > >
    > >
    > > We have two computer running Win 2000 Pro.
    > >
    > > We would like to give a public access to this computer so anyone coming
    in
    > > can use them.
    > >
    > >
    > >
    > > My challenge is to:
    > >
    > > 1 Create an account on each computer with the following
    > > restrictions:
    > >
    > > - Users cannot change any settings on the computer.
    > >
    > > - Users cannot right click.
    > >
    > > - Users cannot download files from the Internet
    > >
    > > - Users cannot create files or folders
    > >
    > > - Users can only access sites approved by us
    > >
    > > 2 Does any of you know of a cheap software, which will allow us:
    > >
    > > - How long people have been on the Internet
    > >
    > > - Have the printed anything
    > >
    > >
    > >
    > > Thanks a lot in advance.
    > >
    > >
    > >
    > > Anguel
    > >
    > >
    > >
    >
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Here are a couple of links. The first is some software that claims it can do
    much of what you want and the last link is to the Windows 2003 Deployment
    Kit which contains some excellent documentation of using a managed
    environment. --- Steve

    http://www.sharewareconnection.com/advanced-internet-kiosk.htm

    http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dpgDME_overview.asp

    "Anguel Iordanov" <adiaxissm@hotmail.com> wrote in message
    news:uQ9XAyNKFHA.3132@TK2MSFTNGP12.phx.gbl...
    > Hi Steve,
    >
    > Thank you very much for the reply. What you are saying makes sense,
    > however
    >
    > I am not really sure how to do it. Is there a step by step guide? Or any
    >
    > articles I can read?
    >
    > Thanks a lot.
    >
    > Anguel
    >
    >
    >
    >
    > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    > news:#R1$nvrJFHA.2648@TK2MSFTNGP14.phx.gbl...
    >> Your best bet would to be to use Windows XP Pro which can use Software
    >> Restriction Policies for such computers. However for Windows 2000 what
    >> you
    >> could do is to let the users logon as the guest account. You can give the
    >> guest account a password if you want and configure the account so that
    > the
    >> password can not be changed. Enabling the guest account however will
    >> allow
    >> any user network access to the computer that has the everyone group
    >> configured in permissions for a share folder so keep that in mind. If you
    >> want to use a regular user account you would want to modify permissions
    >> to
    >> that users profile to be only read/list/execute. A local administrator
    > would
    >> need to take ownership of that folder first to do such.
    >>
    >> The guest account will use a profile that will be deleted when the user
    > logs
    >> off. Make sire that the root/drive folder has no more than read/list
    >> permissions for the everyone group. Also make sure that the guest account
    >> has deny permissions to the \documents and settings\all users\shared
    >> documents folder. You can use ntfs permissions to prevent the guest
    > account
    >> from running applications you do not want them to access such as folders
    > in
    >> the program files folder.
    >>
    >> Use Group Policy to restrict the users further. Local Group Policy is
    >> invoked with the gpedit.msc command but keep in mind that by default
    >> local
    >> Group Policy applies to ALL users that logon to a computer - even
    >> administrators. You will find the most useful settings under user
    >> configuration/administrative templates in the various categories. Be sure
    > to
    >> read full explanation of settings before enabling. Settings for "context
    >> menu" will disable right click at various places in the operating system.
    > An
    >> administrator could still access Group Policy from another computer on
    >> the
    >> network to manage Group Policy if he locked himself out by using the mmc
    >> snapin for Group Policy on the remote computer and browsing to the locked
    >> down computer. The admin would want to logon to the remote computer with
    > an
    >> account that has admin powers on the locked down computer.
    >>
    >> You could configure Internet Explorer so that the internet Web Content
    > Zone
    >> [ tools/internet options/security/custom] will not allow downloads and
    > that
    >> will prevent downloads through Internet Explorer. As far as printing you
    >> could go to printers and faxes, select file/server properties and enable
    > log
    >> spooler information events in the advanced tab. The part about
    >> restricting
    >> internet access and monitoring access is best done at your firewall which
    >> may or may not have the abilities you need. Microsoft ISA 2004 can
    > certainly
    >> do such but is not cheap - around $1500 installed on a server operating
    >> system. You could try using IE Content Advisor to restrict where users
    >> can
    >> go which may or may not work well depending on the amount of sites you
    > want
    >> to allow access to and the type of sites as many sites are a bunch of
    > links
    >> to other sites. Another option may be to use an internet monitoring
    > software
    >> package such as Net Nanny or Cyber Patrol. Many of them have free trial
    >> downloads. If the budget allows many lower priced firewalls offer a
    >> subscription content service where you pay a small monthly fee and the
    >> service will help prevent users from accessing websites which you deem
    >> inappropriate. Such an investment most likely would prove well worth
    > while.
    >> The links below may help. --- Steve
    >>
    >> http://www.netnanny.com/
    >> http://www.cyberpatrol.com/internet_monitor.aspx
    >> http://www.sonicwall.com/products/tz170.html
    >>
    >> "Anguel Iordanov" <adiaxissm@hotmail.com> wrote in message
    >> news:eohb6ChJFHA.1392@TK2MSFTNGP10.phx.gbl...
    >> > Hi everyone,
    >> >
    >> >
    >> >
    >> > I am faced with the following challenge and would really appreciate if
    > you
    >> > could help or point me in the right direction.
    >> >
    >> >
    >> >
    >> > We have two computer running Win 2000 Pro.
    >> >
    >> > We would like to give a public access to this computer so anyone coming
    > in
    >> > can use them.
    >> >
    >> >
    >> >
    >> > My challenge is to:
    >> >
    >> > 1 Create an account on each computer with the following
    >> > restrictions:
    >> >
    >> > - Users cannot change any settings on the computer.
    >> >
    >> > - Users cannot right click.
    >> >
    >> > - Users cannot download files from the Internet
    >> >
    >> > - Users cannot create files or folders
    >> >
    >> > - Users can only access sites approved by us
    >> >
    >> > 2 Does any of you know of a cheap software, which will allow us:
    >> >
    >> > - How long people have been on the Internet
    >> >
    >> > - Have the printed anything
    >> >
    >> >
    >> >
    >> > Thanks a lot in advance.
    >> >
    >> >
    >> >
    >> > Anguel
    >> >
    >> >
    >> >
    >>
    >>
    >
    >
Ask a new question

Read More

Security Computers Microsoft Windows