One App Machine

Thread starter: Thomas Fisher

Thomas Fisher

Hello,

I'm a programmer with almost no experience with policy settings but it has
fallen to me to figure out how to make the following policy settings:

I need an XP Pro machine with two accounts: Administrator and General
User. The Administrator has full privileges, and the General User account,
when used, has:
- no task bar
- no desktop icons other than the shortcut for the one program allowed
to run on the machine
- no access to any OS UI of any sort.

Basically it needs to be a blank desktop with just one icon (the one for my
app). Anything the user tries to do other than run that app needs to be
prohibited.

How hard is this? It seems well within reach using policies but I'm not
sure how to do it.

Thanks in advance for any assistance.

- Tom
 
In XP Pro you can use Software Restriction Policies to manage what a user can run or
install on the computer. SRP is available in Local Security Policy [secpol.msc] under
security settings. You can set the default rule to "disallowed" and then add a hash
rule for the executable or a path rule to the folder for the authorized executable.
Note that the user may still be able to run executables in the system folder with
default disallowed unless you add rules to disallow them. You may want to create
specific disallowed hash rules for regedit, regedt32, command.com, cmd.exe, mmc.exe,
secedit.exe, and such. In the enforcement setting you can exempt local administrators
from the SRP. The link below explains in much more detail.

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

You can also use Group Policy [gpedit.msc] to lock down a computer, however on a
local computer the policy will apply to all users, even administrators. You might be
able to remove task bar and a whole lot more. Go to user configuration/administrative
templates/start menu and taskbar or Windows Components/Windows Explorer to see a lot
of the options to lock down a user. Be sure to read the full explanation before
implementing a setting. As far as the desktop, you could log on as the user and remove
everything from the desktop except what you want. Then log off and log back on as an
administrator and change the NTFS permissions in the user profile folder for the
desktop folder to be read/list/execute and make sure the user is not owner of that
folder. You may also have to remove items from the "all users" profile desktop folder
to keep them from appearing on your locked down user's desktop. --- Steve
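A worked model of the SRP behaviour Steve describes, added here as an example (it is not code from the thread or from Microsoft; the policy values and file contents are constructed): hash rules win over path rules, the most specific path rule wins among path rules, and the default level applies only when nothing matches. That ordering is why cmd.exe under the system folder needs its own Disallowed hash rule even with the default set to Disallowed, and why the enforcement setting can exempt administrators.

```python
import hashlib
import ntpath
from dataclasses import dataclass, field
DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

@dataclass
class Policy:
    default: str                        # "Disallowed" for the kiosk machine
    hash_rules: dict = field(default_factory=dict)  # md5 hex digest -> level
    path_rules: dict = field(default_factory=dict)  # folder or file path -> level
    skip_administrators: bool = False   # enforcement: exempt local administrators

_norm = lambda p: ntpath.normcase(ntpath.normpath(p))  # case-insensitive, backslashes

def effective_level(policy, file_path, file_bytes, is_admin=False):
    if is_admin and policy.skip_administrators:
        return UNRESTRICTED
    # 1. Hash rules match by content, wherever the file has been copied to.
    level = policy.hash_rules.get(hashlib.md5(file_bytes).hexdigest())
    if level:
        return level
    # 2. Path rules: a folder rule covers its subtree; longest match wins, ties go to Disallowed.
    target, best = _norm(file_path), None
    for rule_path, rule_level in policy.path_rules.items():
        rp = _norm(rule_path)
        if target != rp and not target.startswith(rp.rstrip("\\") + "\\"):
            continue
        if best is None or len(rp) > len(best[0]) or (
                len(rp) == len(best[0]) and rule_level == DISALLOWED):
            best = (rp, rule_level)
    # 3. No rule matched: the default level decides.
    return best[1] if best else policy.default

# Constructed stand-ins for file contents; a real hash rule hashes the binary itself.
APP_BYTES, CMD_BYTES = b"constructed kiosk app", b"constructed cmd.exe"
KIOSK = Policy(
    default=DISALLOWED,
    hash_rules={hashlib.md5(APP_BYTES).hexdigest(): UNRESTRICTED,
                hashlib.md5(CMD_BYTES).hexdigest(): DISALLOWED},
    path_rules={r"C:\Windows": UNRESTRICTED},  # the system-folder rule SRP creates by default
    skip_administrators=True)

def kiosk_outcomes():
    return {
        "app": effective_level(KIOSK, r"C:\Kiosk\App.exe", APP_BYTES),
        "cmd": effective_level(KIOSK, r"C:\Windows\System32\cmd.exe", CMD_BYTES),
        "notepad": effective_level(KIOSK, r"C:\Windows\System32\notepad.exe", b"other"),
        "download": effective_level(KIOSK, r"C:\Temp\game.exe", b"game"),
        "admin_cmd": effective_level(KIOSK, r"C:\Windows\System32\cmd.exe", CMD_BYTES, True),
    }
```

The "notepad" case is the gap Steve points out: with only the default system-folder path rule in place, anything else under the system folder still runs until it gets its own Disallowed hash rule.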
 
Thanks for all the info Steve!!

I'll be trying your recommendations tomorrow and will post my results.

- T
 
Steven, thanks again for taking the time to write so much.

I've investigated the ideas you gave me and it looks like this is going to
be pretty tough to achieve without suffering through a couple days of
headaches. The group and local policy options do allow the settings I need,
however it's a serious oversight that these policies can't be applied to
individual users on a system not in a domain.

I found this:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;293655

But it's pretty inflexible.

I'll keep investigating for a while....

- T
 
Yeah. That is a limitation of Group Policy on non-domain computers. The Software
Restriction Policies can exempt local administrators with the enforcement rule. There
is another hack to filter local Group Policy in the link below that may be worth a
look and is a lot easier to implement. Good luck. --- Steve

http://www.jsiinc.com/sube/tip2400/rh2492.htm
 