I have recently been assigned the task of maintaining a few computers for use by the public. I work at a hotel, so they are open to all guests as well as their kids. Their primary purpose is to check email, print airline tickets, ect... Of course then we have these little ************* who download games, porn, and inadvertently- infect it with more than 100 spyware infections weekly.
You all know the trick where you download a "porn video" and then it says you have to download a "special codec" for it to play; or, you download a game, and then it says "your computer is infected, click here to scan for free", and in turn the "scanner" turns out to be the spyware- well, this happens constantly, and whereas I like getting a few extra hours here and there, I don't like being called on my day off because the machine is totally fubar.
I am looking for a way to restrict users from installing software, and especially software that installs randomly named *.dll files in the system32 folder, and then attaches those dlls to explorer.exe or some other system process(s). When I run spybot, or when I try to delete the offending .dll files manually, the hijacked processes immediately re-spawn the deleted file(s). I don't know exactly what this type of spyware is called, but it is a serious pain in the a**. Especially since the randomly generated filenames prevent searching online for a match. (What happened to the good old days where spyware was a single .exe file? )
I have tried setting the user's permissions for system32 to nothing, save the SYSTEM user, but that just prevented the user from logging on. I have also thoroughly been through gpedit.msc's options, but nothing I have found does the trick. I also require that the user be an administrator, since the monitoring software I use seems only to work with admin privelages.
Does anyone have any ideas? Is there any way to limit access to the Windows folder (and subfolders) and the Program Files folder so that the system can have access, but the user cannot (except for saving documents, pictures, ect... (not absolutely necessary, BTW))
How do I set the guest permissions? Are you referring to the gpedit.msc settings, and if so, how do I set them for only one account so it wont affect my account? I should have mentioned that I have very little experience setting up non-administrator machines...