You can block access to the computer itself for browsing by using user
configuration/administrative templates/Windows Components/Windows Explorer
settings and administrative templates/desktop settings. To allow only IE to
run you can go to user configuration/administrative templates/system and use
the run only allowed Windows Applications to include only iexplore.exe. I
would also disable the command prompt and registry editing while there.
Configure the internet Web Content Zone to not allow downloads. Also
configure ntfs permissions on the root/drive folder to be no more than
read/list/execute for everyone and users. Keep in mind that on a non domain
computer these restrictions will also apply to the administrators, however
you could manage Group policy remotely remotely via another computer on the
network while logged on as a user with adminstrator credentials to that
computer. If you enable the guest account for users to use as the access
account, any changes they make will not be saved and they will have nowhere
do save files to on the computer [they will also be deleted at logoff].
Enabling the guest account is a security hole for network access, so if you
use it configure the user right assignment for access this computer from the
network to not include everyone/users but probably just administraors and
add guest to the deny access to this computer from the network. Also see the
link below on kiosk mode. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;154780
kidem said:
Can group policy lock everything down to where only IE can browse the
Internet, rather than use other software?
