Tuesday, June 23, 2009

Public PC Restrictions - Part Two

This is part 2 of what I described in an earlier blog post called "Public PC Restrictions without Steady State". You should read the first part, or this won't really make much sense.

OK, well there is one thing you do NOT do, and that is to enable the restriction called "Prevent access to Microsoft Management Console utilities". Remember that the Administrator account is what you use to make changes to your policies with the Group Policy Editor. The Exec account can’t make those changes because it does not have read access to the “User” folder that has the policy. The Group Policy Editor is one of the Microsoft Management Console utilities, so if you enable that restriction, you can no longer change your restrictions. This would be an unfortunate series of events indeed.

Below I list the policies I have used on a set of PCs that run XP in a Workgroup and have Deep Freeze installed on them. This list is just what I am using, and in no way means it is just right for you, but you might find it a good starting point. I consider these restrictions to be mild to medium. Good luck, and please let me know whether you found this useful. Thanks.

This is the list of enabled policies.

General Settings
Set Internet Homepage (to whatever)
Prevent Access to Drives from My Computer - Restrict C drive only

Start Menu Restrictions
Allow only the Classic Start menu
Remove the Control Panel, Printer and Network Settings from the Classic Start menu
Remove the My Documents icon
Remove the My Recent Documents icon
Remove the My Pictures icon
Remove the My Music icon
Remove the My Network Places icon
Remove the Control Panel icon
Remove the Set Program Access and Defaults icon
Remove the Network Connections (Connect To) icon
Remove the Printers and Faxes icon
Remove the Run icon
Remove the Frequently Used Programs list

General Windows Restrictions (in this section, do NOT prevent access to the MMC)
Prevent right-click in Windows Explorer
Prevent Autoplay on CD, DVD, and USB drives
Prevent users from saving files to the desktop
Prevent access to Windows Explorer features: Folder Options, Customize Toolbar, and the Notification Area
Prevent access to the command prompt
Prevent access to the registry editor
Prevent access to Task Manager
Prevent users from adding or removing printers
Prevent users from locking the computer
Prevent password changes (also requires the Control Panel icon to be removed)

Internet Explorer restrictions
Disable Autocomplete
Empty the Temporary Internet Files folder when Internet Explorer is closed
Prevent access to some Internet Explorer menu choices
Security Tab
Programs Tab
Privacy Tab
Advanced Tab
Connections Tab

Microsoft Office restrictions
Disable Add-Ins (both check boxes)

Additional Start Menu Restrictions
Prevent programs in the All Users folder from appearing

Additional General Windows Restrictions
Remove the Shared documents folder from My Computer

Additional Internet Explorer Restrictions