Re: Setting up new users

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 03/12/05

  • Next message: Dugie: "Re: RPC service, how to make sure it's up to date"
    Date: Fri, 11 Mar 2005 22:29:24 -0600
    
    

    Your best bet would to be to use Windows XP Pro which can use Software
    Restriction Policies for such computers. However for Windows 2000 what you
    could do is to let the users logon as the guest account. You can give the
    guest account a password if you want and configure the account so that the
    password can not be changed. Enabling the guest account however will allow
    any user network access to the computer that has the everyone group
    configured in permissions for a share folder so keep that in mind. If you
    want to use a regular user account you would want to modify permissions to
    that users profile to be only read/list/execute. A local administrator would
    need to take ownership of that folder first to do such.

    The guest account will use a profile that will be deleted when the user logs
    off. Make sire that the root/drive folder has no more than read/list
    permissions for the everyone group. Also make sure that the guest account
    has deny permissions to the \documents and settings\all users\shared
    documents folder. You can use ntfs permissions to prevent the guest account
    from running applications you do not want them to access such as folders in
    the program files folder.

    Use Group Policy to restrict the users further. Local Group Policy is
    invoked with the gpedit.msc command but keep in mind that by default local
    Group Policy applies to ALL users that logon to a computer - even
    administrators. You will find the most useful settings under user
    configuration/administrative templates in the various categories. Be sure to
    read full explanation of settings before enabling. Settings for "context
    menu" will disable right click at various places in the operating system. An
    administrator could still access Group Policy from another computer on the
    network to manage Group Policy if he locked himself out by using the mmc
    snapin for Group Policy on the remote computer and browsing to the locked
    down computer. The admin would want to logon to the remote computer with an
    account that has admin powers on the locked down computer.

    You could configure Internet Explorer so that the internet Web Content Zone
    [ tools/internet options/security/custom] will not allow downloads and that
    will prevent downloads through Internet Explorer. As far as printing you
    could go to printers and faxes, select file/server properties and enable log
    spooler information events in the advanced tab. The part about restricting
    internet access and monitoring access is best done at your firewall which
    may or may not have the abilities you need. Microsoft ISA 2004 can certainly
    do such but is not cheap - around $1500 installed on a server operating
    system. You could try using IE Content Advisor to restrict where users can
    go which may or may not work well depending on the amount of sites you want
    to allow access to and the type of sites as many sites are a bunch of links
    to other sites. Another option may be to use an internet monitoring software
    package such as Net Nanny or Cyber Patrol. Many of them have free trial
    downloads. If the budget allows many lower priced firewalls offer a
    subscription content service where you pay a small monthly fee and the
    service will help prevent users from accessing websites which you deem
    inappropriate. Such an investment most likely would prove well worth while.
    The links below may help. --- Steve

    http://www.netnanny.com/
    http://www.cyberpatrol.com/internet_monitor.aspx
    http://www.sonicwall.com/products/tz170.html

    "Anguel Iordanov" <adiaxissm@hotmail.com> wrote in message
    news:eohb6ChJFHA.1392@TK2MSFTNGP10.phx.gbl...
    > Hi everyone,
    >
    >
    >
    > I am faced with the following challenge and would really appreciate if you
    > could help or point me in the right direction.
    >
    >
    >
    > We have two computer running Win 2000 Pro.
    >
    > We would like to give a public access to this computer so anyone coming in
    > can use them.
    >
    >
    >
    > My challenge is to:
    >
    > 1 Create an account on each computer with the following
    > restrictions:
    >
    > - Users cannot change any settings on the computer.
    >
    > - Users cannot right click.
    >
    > - Users cannot download files from the Internet
    >
    > - Users cannot create files or folders
    >
    > - Users can only access sites approved by us
    >
    > 2 Does any of you know of a cheap software, which will allow us:
    >
    > - How long people have been on the Internet
    >
    > - Have the printed anything
    >
    >
    >
    > Thanks a lot in advance.
    >
    >
    >
    > Anguel
    >
    >
    >


  • Next message: Dugie: "Re: RPC service, how to make sure it's up to date"

    Relevant Pages

    • Re: Setting up new users
      ... > could do is to let the users logon as the guest account. ... > configured in permissions for a share folder so keep that in mind. ... > Use Group Policy to restrict the users further. ... > You could configure Internet Explorer so that the internet Web Content ...
      (microsoft.public.win2000.security)
    • Re: Setting up new users
      ... >> could do is to let the users logon as the guest account. ... >> configured in permissions for a share folder so keep that in mind. ... >> Use Group Policy to restrict the users further. ... >> You could configure Internet Explorer so that the internet Web Content ...
      (microsoft.public.win2000.security)
    • help
      ... I want help on windows 2000 server. ... I have made a folder on desktop, so I want to restrict a ... user to not delete this folder. ... Kindly give information on group policy. ...
      (microsoft.public.win2000.security)
    • Re: Read only account
      ... You can restrict a user account so that is only has read/list/execute ... services/client&server data redirection] to restrict redirection of ... to save their password for their TS client connection via Group Policy. ...
      (microsoft.public.windowsxp.security_admin)
    • Re: Disable regedit/registry
      ... executables so that regular users do not have execute permissions. ... There is also a setting in Group Policy user ... configuration/administrative templates/system to disable registry editing. ... However by default that will restrict all users on the local machine from ...
      (microsoft.public.windowsxp.security_admin)