Re: Local Group Restricted to Internet Explorer Browser only
From: Steven L Umbach (n9rou@attbi.com)
Date: 04/06/03
From: "Steven L Umbach" <n9rou@attbi.com> Date: Sat, 05 Apr 2003 23:23:26 GMT
Hi Mark. This is ideally done on domain member computers using a
combination of group policy, group membership, and ntfs permissions. Ntfs
permissions by themselves can control access fairly well to installed
applications and data that reside in root or program files folder. However
access to desktop items, explorer, run, programs, search, etc is best
controlled via group policy or registry settings as many of these items
reside in winnt folder, which is best left alone as far as ntfs
permissions go, though individual file permissions can be implemented.
Problem is on a stand alone computer most of those type changes would
restrict you even as administrator. However if the persons you want to give
access to are fairly trusted I can give you some things to try. Try to do a
backup first and document changes so they can be easily reversed. I would
suggest using the guest account but rename it and give it a password. I
believe the guest account does not retain changes to the profile. First on
the root/drive folder remove the everyone group from ntfs permissions, add
administrators full control, and add authenticated users allow for
read/execute/list (three boxes). Next on the root/drive folder add the guest
(or whatever you name it) account to the ntfs security permissions and check
full control/deny. Do the same for the program files folder. If you are
using default ntfs permissions, the changes should propagate accordingly. Do
NOT change the Winnt folder. Now go back to the program files folder and for
the Internet Explorer folder add the guest to security permissions for
read/execute/list for allow. The deny permissions should be checked, but
greyed out - that is OK because explicit allow will override inherited deny.
Look for any other programs you may want to have allow permissions for guest
such as virus protection or firewall and do same changes to those folders.
For any applications or data that you want to make sure the guest can not
access, double check that the deny permissions have been propagated to
them. As far as items in winnt folder that control desktop, etc try this. Do
a search for *.msc (management console) and *.cpl (control panel) files.
Change ntfs permissions on all those that you find to full control/deny for
guest account. Do the same for cmd.exe and mmc.* files. Keep in mind
that service packs or security updates may override the permissions back to
default for some/all of those files. After doing changes log on as guest and
see if access is restricted enough for your needs. You could implement group
policy on your computer using gpedit.msc, but you would need to do some
hacking to keep it from applying to you and be very careful not to lock
yourself out. I tried the hack myself once and all I can say is that it
works as long as you do NOT go back and make any changes after implementing
it - I did make post hack changes once and then ALL group policy
restrictions applied to administrator account. Good luck. --- Steve
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q293655&
"Mark Bassett" <bassettma@hotmail.com> wrote in message
news:036601c2fa58$78e3b450$a101280a@phx.gbl...
> I have a W2k p.c. in my office that I want to restrict a
> user (Customer) to only use an Internet Explorer Browser.
> The hard drive has been formatted in NTFS; so therefore I
> should be able to secure all files. How do I give this
> user only this capability. I, as the administrator, would
> still be able to have full control of this p.c. when I log
> in. Can someone help me in this application? I am not
> for sure how I can go about performing this. I would
> appreciate anyone who could help with this.
>
> Have a good day!
>
> Thanks,
> Mark
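
The reply depends on one precedence rule: an explicit allow on the Internet Explorer folder wins over the deny inherited from Program Files, while an explicit deny on cmd.exe wins over an inherited allow. The model below is an added example, not part of the original post, and it covers the general ACE ordering and evaluation rather than only the Internet Explorer case. The account names, the `Everyone` entry on the system folder and all function names are constructed for illustration.

```python
from collections import namedtuple

FULL_CONTROL = 0x1F01FF  # FILE_ALL_ACCESS
READ_EXECUTE = 0x1200A9  # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE
WRITE = 0x120116         # FILE_GENERIC_WRITE

Ace = namedtuple("Ace", "trustee allow mask inherited", defaults=(False,))

def canonical(dacl):
    # Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))

def access_check(dacl, token, desired):
    # Allows accumulate; a deny that touches a still-ungranted bit ends the walk.
    remaining = desired
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue
        if not ace.allow and ace.mask & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False

def inherit(parent):
    return [Ace(a.trustee, a.allow, a.mask, True) for a in parent]

# Constructed model of the layout in the post ("Guest" = the renamed guest account).
GUEST = {"Guest", "Everyone"}
ADMIN = {"Administrators", "Authenticated Users", "Everyone"}
program_files = [Ace("Administrators", True, FULL_CONTROL),
                 Ace("Authenticated Users", True, READ_EXECUTE),
                 Ace("Guest", False, FULL_CONTROL)]
ie_folder = inherit(program_files) + [Ace("Guest", True, READ_EXECUTE)]
# Assumed default on the system folder: an inherited allow for Everyone.
cmd_default = [Ace("Everyone", True, READ_EXECUTE, True)]
cmd_locked = cmd_default + [Ace("Guest", False, FULL_CONTROL)]

def scenario():
    return {
        "guest runs IE": access_check(ie_folder, GUEST, READ_EXECUTE),
        "guest writes to IE folder": access_check(ie_folder, GUEST, WRITE),
        "guest reads other app": access_check(inherit(program_files), GUEST, READ_EXECUTE),
        "guest runs cmd.exe (locked)": access_check(cmd_locked, GUEST, READ_EXECUTE),
        "guest runs cmd.exe (ACL reset by update)": access_check(cmd_default, GUEST, READ_EXECUTE),
        "admin full control of IE folder": access_check(ie_folder, ADMIN, FULL_CONTROL),
    }
```

`scenario()` returns the grant/deny outcome for each case. The "ACL reset by update" case shows why the per-file denies need re-checking after a service pack.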