Tech Talk Discuss PC Hardware, Software, Internet and Other Technology

Easiest way to "lock down" W2K Pro?

Old 05-06-04, 01:45 PM
  #1  
DVD Talk Platinum Edition
Thread Starter
 
Join Date: Apr 2000
Location: Maumee, OH, USA
Posts: 3,269
Easiest way to "lock down" W2K Pro?

I have a Windows 2000 Professsional workstation that I want to severely restrict access to. Basically it should be able to run Internet Explorer and Adobe Acrobat Reader, and that's about it. I'd also like to set the default home page and a few favorites, then not allow any of those settings to be changed (along with wallpaper, desktop icons, etc).

What's the easiest way to do this? I don't have a domain, and it's not setup to connect to the Novell network. It's going to be in a public area, so I want to restrict user access as much as possible.

I've done this through Novell Zenworks before, but I don't have Zenworks installed here yet.
bralph is offline  
Old 05-06-04, 03:55 PM
  #2  
Senior Member
 
Join Date: Mar 2003
Posts: 446
try installing any apps that you need on the machine as an Admin, and set them to run with "this user only"

then make a guest or user account and test it out.

i've never tried setting up a windows machine that would disallow a user to install an app, though i have seen it done.

If it any more complicated than that, then it's beyond me. (though it seems like it should be that cut and dry)
squi23 is offline  
Old 05-06-04, 05:12 PM
  #3  
DVD Talk God
 
twikoff's Avatar
 
Join Date: Feb 2000
Location: Right Behind You!!!
Posts: 79,497
group policy editor

start..run.. mmc
file.. add/remove snap in
add.. then scroll down to group policy
add..finish.. close
highlight the new local computer policy icon and hit ok
now explain the local computer policy and you will see computer configuration and user configuration.. many many many options in here to play with to lock it down.

if you have multiple user accounts on the computer, you can go to the ini file that is created after you save these policies (i think its gpc.ini in winnt/system32) and change the permissions to that specific file so that your the only one that has access to it.. then the group policy editor would be worthless to anyone but you

if there is only one user.. and you are worried that someone will find the group policy editor.. you can set permissions on that ini file to deny access to your account.. then the group policy editor still wont do any good until you go back to that file and give yourself access again (which you can always do as long as your a local admin)
twikoff is offline  
Old 05-07-04, 09:25 AM
  #4  
DVD Talk Platinum Edition
Thread Starter
 
Join Date: Apr 2000
Location: Maumee, OH, USA
Posts: 3,269
Thanks Twikoff, that seemed to work but I still have one more question. I don't see where I specify that the policy should apply only to the user account, and not to the local admin account. In the Help, I saw something about an Access Control Entry, but I didn't fully understand what it was telling me to do.
bralph is offline  
Old 05-07-04, 09:48 AM
  #5  
DVD Talk Legend
 
Join Date: Oct 1999
Location: |-|@><0r [email protected]|)
Posts: 17,214
Uh... you'd better be aware that Internet Explorer doubles as Windows Explorer. If your users can open IE with an address bar, they can reach all of the files on your drive. Try entering this into the address bar of your browser:

file://C:/

Yes, that is your hard drive.

I have a strong hunch that there are ways to change this for scenarios like yours, but I have no idea what they are.

- David Stein

Last edited by sfsdfd; 05-07-04 at 09:52 AM.
sfsdfd is offline  
Old 05-07-04, 12:29 PM
  #6  
DVD Talk Platinum Edition
Thread Starter
 
Join Date: Apr 2000
Location: Maumee, OH, USA
Posts: 3,269
If I'm reading this correctly, then policies apply to all users regardless of groups or rights.

http://support.microsoft.com/default...roduct=win2000

SYMPTOMS
You cannot configure Group Policy Objects (GPOs) to process different policies for different local users based on group membership. This is possible using only Active Directory Group Policy Objects.

CAUSE
Multiple local group policy objects are not supported in Microsoft Windows 2000.

RESOLUTION
To work around this behavior, implement Microsoft Windows NT 4.0 style policies using the Policy Editor tool. For more information, please see the following article in the Microsoft Knowledge Base:

185589 Guide To Windows NT 4.0 Profiles and Policies (Part 4 of 6)

STATUS
Microsoft has confirmed this to be a limitation in Microsoft Windows 2000. The ability to have multiple local group policy objects and have Access Control List (ACL) filtering for local group policy objects is being considered for inclusion in the next version of Microsoft Windows.
bralph is offline  
Old 05-07-04, 01:07 PM
  #7  
DVD Talk God
 
twikoff's Avatar
 
Join Date: Feb 2000
Location: Right Behind You!!!
Posts: 79,497
yep
group policies will apply to all users..

set it the way you want.. then lock it down.. so noone can change it
and only you will know how to unlock the policies if you want to make changes
twikoff is offline  
Old 05-07-04, 01:43 PM
  #8  
DVD Talk Platinum Edition
Thread Starter
 
Join Date: Apr 2000
Location: Maumee, OH, USA
Posts: 3,269
Originally posted by twikoff
yep
group policies will apply to all users..

set it the way you want.. then lock it down.. so noone can change it
and only you will know how to unlock the policies if you want to make changes
Or not.... Use "allow only selected applications to run" with extreme care... I locked myself out of MMC
bralph is offline  

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Thread Tools
Search this Thread

Archive Advertising Cookie Policy Privacy Statement Terms of Service

Copyright 2018 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.