Re: One App Machine

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 09/13/04

    Date: Mon, 13 Sep 2004 06:14:25 GMT
    
    

    In XP Pro you can use Software Restriction Policies to manage what a user can run or
    install on the computer. SRP is available in Local Security Policy [secpol.msc] under
    security settings. You can set the default rule to "disallowed" and then add a hash
    rule for the executable or a path rule to the folder for the authorized executable.
    Note that the user may still be able to run executables in the system folder with
    default disallowed unless you add rules to disallow them. You may want to create
    specific disallowed hash rules for regedit, regedt32, command.com, cmd.exe, mmc.exe,
    secedit.exe, and such. In the enforcement setting you can exempt local administrators
    from the SRP. The link below explains in much more detail.

    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

    You can also use Group Policy [gpedit.msc] to lock down a computer, however on a
    local computer the policy will apply to all users, even administrators. You might be
    able to remove task bar and a whole lot more. Go to user configuration/administrative
    templates/start menu and taskbar or Windows Components/Windows Explorer to see a lot
    of the options to lock down a user. Be sure to read the full explanation before
    implementing a setting. As far as the desktop, you could log on as the user and remove
    everything from the desktop except what you want. Then log off and log back on as an
    administrator and change the NTFS permissions in the user profile folder for the
    desktop folder to be read/list/execute and make sure the user is not owner of that
    folder. You may also have to remove items from the "all users" profile desktop folder
    to keep them from appearing on your locked down user's desktop.

    --- Steve

    "Thomas Fisher" <thesequoyan [[[a]]] hotmail> wrote in message
    news:TvOdnbZZDJJ7a9ncRVn-iw@adelphia.com...
    > Hello,
    >
    > I'm a programmer with almost no experience with policy settings but it has
    > fallen to me to figure out how to make the following policy settings:
    >
    > I need to a XP Pro machine with two accounts: Administrator and General
    > User. The administrator has full privileges and the General User account
    > which when used has:
    > - no task bar
    > - no desktop icons other than the shortcut for the one program allowed
    > to run on the machine
    > - no access to any OS UI of any sort.
    >
    > Basically it needs to be a blank desktop with just one icon (the one for my
    > app.) Anything the user tries to do other than run that app needs to be
    > prohibited.
    >
    > How hard is this? It seems well within reach using policies but I'm not
    > sure how to do it.
    >
    > Thanks in advance for any assistance.
    >
    > - Tom
    >
    >
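
Added example, not part of the original post and not Windows code: a simplified Python model of the rule evaluation described in the reply above, showing why a system-folder tool stays runnable under a default of "disallowed" until a disallowed hash rule names it, and that the hash rule also covers a renamed copy. Assumptions: hash rules are checked before path rules and the longest matching path rule wins; the C:\KioskApp folder, the C:\WINDOWS path rule, the file contents and the use of SHA-256 are constructed stand-ins.

```python
import hashlib

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"
DESKTOP = r"C:\Documents and Settings\General User\Desktop"

# Constructed stand-ins for file contents; a real hash rule is made from the binary.
FILES = {
    r"C:\KioskApp\app.exe": b"constructed: the one authorized program",
    r"C:\WINDOWS\system32\cmd.exe": b"constructed: cmd.exe bytes",
    r"C:\WINDOWS\regedit.exe": b"constructed: regedit.exe bytes",
    DESKTOP + r"\notes.exe": b"constructed: cmd.exe bytes",  # renamed copy of cmd.exe
    DESKTOP + r"\game.exe": b"constructed: unknown download",
}

def file_hash(data):
    # SHA-256 is a stand-in; the digest SRP itself stores is not modelled here.
    return hashlib.sha256(data).hexdigest()

def evaluate(path, policy):
    """Return (level, reason): hash rule first, then longest path rule, then default."""
    digest = file_hash(FILES[path])
    if digest in policy["hash_rules"]:
        return policy["hash_rules"][digest], "hash rule"
    matches = [(folder, level) for folder, level in policy["path_rules"].items()
               if path.lower().startswith(folder.lower().rstrip("\\") + "\\")]
    if matches:
        folder, level = max(matches, key=lambda m: len(m[0]))
        return level, "path rule " + folder
    return policy["default"], "default rule"

def make_policy(blocked_tools=()):
    """Default disallowed, two allowed folders, optional disallowed hash rules."""
    return {
        "default": DISALLOWED,
        "path_rules": {r"C:\KioskApp": UNRESTRICTED,   # hypothetical app folder
                       r"C:\WINDOWS": UNRESTRICTED},   # assumed system-folder allowance
        "hash_rules": {file_hash(FILES[p]): DISALLOWED for p in blocked_tools},
    }

def report(policy):
    return {path: evaluate(path, policy)[0] for path in FILES}

if __name__ == "__main__":
    tools = [r"C:\WINDOWS\system32\cmd.exe", r"C:\WINDOWS\regedit.exe"]
    for label, policy in (("path rules only", make_policy()),
                          ("with hash rules", make_policy(tools))):
        for path in FILES:
            print(label, "|", path, "->", *evaluate(path, policy))
```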

