GPO question

[Peter]

I'm administrator in a school and the AD GPOs give me a fair bit of
ability to control what the students can see, and wreck.

I have blocked access to basically everything except what they need
for school-related work. This includes restrictions on access to the
local C: drive, browsing the network neighborhood, run command etc.

I spend a bit of time trying to second-guess what they'll be up to
next and have discovered that if you make up a simple web page that
contains a link to a network share, you can bypass the GPO security
and browse the network neighborhood. Not a great problem, but there
may possibly be an unprotected folder out there that I've
overlooked...

Can anyone suggest how I can stop users from browsing the network
shares from a web page? GPO setting? Registry setting?

We are using Win2K servers and XP workstations, mostly SP1 but testing
some in the field with SP2.

Thanks

 

[Roger Abell]

It is extremely hard to actually lock a machine down and
still allow it to be usable for general computing needs.
You may find something in the IE adm template that you
can use for the browsing you mention of network shares,
but I am no IE setting expert so you would need to ask in
an inetexplorer newsgroup on ways to cripple that specific
type of content, if possible (which I doubt).

As you explore more you will likely find other things they
can do that you did not expect. One common thing is other
applications that out-wit you by allowing users to get a cmd
shell from within them, etc..

If these machines do not need browsing of the network, or
to be browsed from it, you might consider just shutting down
the Server, Workstation, and Browser services.