Re: Internet Kiosk Group Policy



Hi,

D.P. Roberts wrote:
>>> *In System, enable "Run only allowed Windows applications" and set it to
>>> only run IE.
>> That's no solution, [...]
> Sorry but this IS a viable solution and we've been using it in production
> for over a year. If your policy is strong enough such that users cannot get
> to or rename files, this works just fine (see comments below). :-o

It's still not, because you have to grant the user at least "change" in
their %temp%. Copy a *.exe to %temp%, rename it ...

>> Just as an example, hide and deny the local drives and then type
>> in "C:\" in an Office 2000 dialog ... just wait what happens ;-)
> Not true, at least in Office 2003. [...]

That's why I took O2K as an example. NoDrives and NoViewOnDrive
only take effect on the Explorer API.

I'm using this option myself, but I wanted to show the problem with it.
It's an endless discussion about what's secure and what is not.
Hiding drives in Explorer is IMO not; it's only a small piece of the
whole set. The problem with some settings is that they are only a
restriction on explorer.exe or e.g. cmd.exe; all other ways are still
open.

Some further examples:
- Deactivating connect/delete of a network connection is only a setting
  that works with Explorer, and it's only in the GUI
  -> net use still works
- Deactivating CMD: command.com still works, and so "net.exe" can be used;
  it's 8.3 but "~" exists ;-)

> If you've got users who can 'achieve' local admin rights you've got even
> bigger problems. When configured correctly in a properly-secured domain
> environment, users will not be able to 'get around' this.

Just a little Worst Case:
.... boot from floppy/cd/usb, overwrite the local admin password,
log in, "net localgroup administrators yourdomainuser /add",
regedit/regedt32 open ntuser.dat from your user, delete all \policies
hive, deactivate winlogon service ...

Sure, I can always create a scenario where I can become a local admin;
the question is only how long it takes me.
My prior posting was just intended to be some kind of a "wakeup call".

Policies are a good way to secure your network, but the disadvantage is:
- the restricted settings work only under specific conditions and
  only with a specific application
- it's a question of "How inventive are my users"

Like I said before: It's an endless discussion.

Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
W2K FAQ : http://w2k-faq.ebend.de
PM: FirstName@Homepage, the sending address is not checked.
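
An added illustration, not part of the original post: a Python sketch of why an allow list keyed on the file name accepts a renamed copy in a user-writable directory, while a content-hash rule or a trusted-location rule rejects it. The file layout, the file contents and the two alternative rules are constructed assumptions, not the Windows policy's own code.

```python
import hashlib
import os
import shutil
import tempfile

ALLOWED_NAMES = {"iexplore.exe"}  # name list, as the policy in the post uses

def name_rule_allows(path):
    """Name-only check: ignores where the file lives and what it contains."""
    return os.path.basename(path).lower() in ALLOWED_NAMES

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def hash_rule_allows(path, allowed_hashes):
    """Content check (assumed alternative): a renamed copy keeps its own hash."""
    return sha256_of(path) in allowed_hashes

def path_rule_allows(path, trusted_dirs):
    """Location check (assumed alternative): trust only non-user-writable dirs."""
    real = os.path.realpath(path)
    roots = [os.path.realpath(d) for d in trusted_dirs]
    return any(os.path.commonpath([real, r]) == r for r in roots)

def evaluate():
    """Build a constructed file layout; return each rule's verdict per file."""
    with tempfile.TemporaryDirectory() as root:
        prog_dir = os.path.join(root, "Program Files", "Internet Explorer")
        temp_dir = os.path.join(root, "Temp")  # stands in for the user's %temp%
        os.makedirs(prog_dir)
        os.makedirs(temp_dir)
        browser = os.path.join(prog_dir, "iexplore.exe")
        other = os.path.join(temp_dir, "tool.exe")
        renamed = os.path.join(temp_dir, "iexplore.exe")
        for p, data in ((browser, b"constructed browser bytes"),
                        (other, b"constructed unrelated program")):
            with open(p, "wb") as fh:
                fh.write(data)
        shutil.copy(other, renamed)  # the copy-and-rename case from the post
        hashes = {sha256_of(browser)}
        files = (("browser", browser), ("other", other), ("renamed", renamed))
        return {label: {"name": name_rule_allows(p),
                        "hash": hash_rule_allows(p, hashes),
                        "path": path_rule_allows(p, [prog_dir])}
                for label, p in files}

if __name__ == "__main__":
    print(evaluate())
```

Only the name rule passes the renamed copy; the hash and location rules treat it the same as the unrenamed file.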