Re: Internet Kiosk Group Policy
- From: "D.P. Roberts" <DProberts@xxxxxxxxxx>
- Date: Wed, 29 Mar 2006 15:09:06 -0700
"Mark Heitbrink [MVP]" <spam-only@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ONK4I52UGHA.2704@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
D.P. Roberts wrote:
Another alternative would be using a combination of gp settings to reach
your desired kiosk environment. Here are some examples (these are all
located in user Administrative Templates):
*In System, enable "Run only allowed Windows applications" and set it to
only run IE.
That's no solution, because renaming any file you want to iexplore.exe
will work. This Black-/Whitelisting via registry entry is absolutely
senseless, because renaming will work. So just take care of it, if
you work with this setting.
Sorry but this IS a viable solution and we've been using it in production
for over a year. If your policy is strong enough such that users cannot get
to or rename files, this works just fine (see comments below). :-o
SRP - Software Restriction Policy is the better way to handle it.
But working with Blacklisting in SRP is senseless as well, because
you can only deny known applications, but what about the millions
you don't know?
*In Desktop, enable "Hide and disable all items on the desktop"
*In Start Menu and Taskbar, enable as many "Remove..." settings as you
want
Good starting point.
*In Windows Components/Windows Explorer, enable "Hide these specified
drives..." and "Prevent access to drives..." and set it to Restrict all
drives.
Be aware that this only affects applications that are using the
open/close API from explorer.exe :-(
Just as an example, hide and deny the local drives and then type
in "C:\" in an Office 2000 dialog ... just wait what happens ;-)
Not true, at least in Office 2003. In Office 2003 (and most likely XP as
well), the open dialog does not allow you to type anything in the address
location. You are required to browse for the file, and because all drives
are restricted you can't get to anything.
If you want to restrict Internet access to only a select number of websites,
you can create an IPsec filter that blocks all IP traffic, only permitting
access to the websites you specify. This is a Computer Config setting
located in Windows Settings/Security Settings/IP Security Policies on AD.
I would prefer a proxy that will handle it, because of centralized
management and no chance to get around it, even if the user can
achieve local Administrator rights.
e.g. Squid + Squidguard + Dansguardian <veg>
If you've got users who can 'achieve' local admin rights you've got even
bigger problems. When configured correctly in a properly-secured domain
environment, users will not be able to 'get around' this.
There are Best Practice Scenarios available from Microsoft, so just
take a look inside. They are only examples and you have to edit them
to fit your environment, but they are a good point to start.
Good advice. These examples provide plenty of useful ways to get started.
Group Policy Common Scenarios Using GPMC
http://www.microsoft.com/downloads/details.aspx?familyid=354B9F45-8AA6-4775-9208-C681A7043292&displaylang=en
Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
W2K FAQ : http://w2k-faq.ebend.de
PM: FirstName@Homepage, the sending address is not checked.
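
The disagreement in this message is about allowing a program by its file name versus by its content. The following is an added example, not code from either poster or from Microsoft: a Python sketch that contrasts a name-only allow-list with a hash rule of the kind Software Restriction Policy supports, then audits a directory tree for files that pass the name rule but fail the hash rule. SHA-256, the function names and the two sample files are assumptions constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash the file content in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def name_rule_allows(path: Path, allowed_names: set) -> bool:
    # Name-only match, case-insensitive like Windows file names.
    return path.name.lower() in allowed_names


def hash_rule_allows(path: Path, allowed_hashes: set) -> bool:
    # Content match: the file name plays no part in the decision.
    return sha256_of(path) in allowed_hashes


def audit(root: Path, allowed_names: set, allowed_hashes: set) -> list:
    """Return files that satisfy the name rule but not the hash rule."""
    return sorted(
        p for p in Path(root).rglob("*")
        if p.is_file()
        and name_rule_allows(p, allowed_names)
        and not hash_rule_allows(p, allowed_hashes)
    )


def demo():
    # Constructed sample tree: one approved binary, one unrelated file
    # that merely carries the approved name.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        approved = root / "Program Files" / "iexplore.exe"
        lookalike = root / "Profile" / "IEXPLORE.EXE"
        approved.parent.mkdir(parents=True)
        lookalike.parent.mkdir(parents=True)
        approved.write_bytes(b"constructed stand-in for the approved browser")
        lookalike.write_bytes(b"constructed stand-in for another program")
        names, hashes = {"iexplore.exe"}, {sha256_of(approved)}
        flagged = [p.relative_to(root).as_posix()
                   for p in audit(root, names, hashes)]
        return (name_rule_allows(lookalike, names),
                hash_rule_allows(lookalike, hashes), flagged)


if __name__ == "__main__":
    print(demo())
```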