Setting up new users

  • Thread starter Thread starter Anguel Iordanov
  • Start date Start date
A

Anguel Iordanov

Hi everyone,



I am faced with the following challenge and would really appreciate if you
could help or point me in the right direction.



We have two computer running Win 2000 Pro.

We would like to give a public access to this computer so anyone coming in
can use them.



My challenge is to:

1 Create an account on each computer with the following restrictions:

- Users cannot change any settings on the computer.

- Users cannot right click.

- Users cannot download files from the Internet

- Users cannot create files or folders

- Users can only access sites approved by us

2 Does any of you know of a cheap software, which will allow us:

- How long people have been on the Internet

- Have the printed anything



Thanks a lot in advance.



Anguel
 
Your best bet would to be to use Windows XP Pro which can use Software
Restriction Policies for such computers. However for Windows 2000 what you
could do is to let the users logon as the guest account. You can give the
guest account a password if you want and configure the account so that the
password can not be changed. Enabling the guest account however will allow
any user network access to the computer that has the everyone group
configured in permissions for a share folder so keep that in mind. If you
want to use a regular user account you would want to modify permissions to
that users profile to be only read/list/execute. A local administrator would
need to take ownership of that folder first to do such.

The guest account will use a profile that will be deleted when the user logs
off. Make sire that the root/drive folder has no more than read/list
permissions for the everyone group. Also make sure that the guest account
has deny permissions to the \documents and settings\all users\shared
documents folder. You can use ntfs permissions to prevent the guest account
from running applications you do not want them to access such as folders in
the program files folder.

Use Group Policy to restrict the users further. Local Group Policy is
invoked with the gpedit.msc command but keep in mind that by default local
Group Policy applies to ALL users that logon to a computer - even
administrators. You will find the most useful settings under user
configuration/administrative templates in the various categories. Be sure to
read full explanation of settings before enabling. Settings for "context
menu" will disable right click at various places in the operating system. An
administrator could still access Group Policy from another computer on the
network to manage Group Policy if he locked himself out by using the mmc
snapin for Group Policy on the remote computer and browsing to the locked
down computer. The admin would want to logon to the remote computer with an
account that has admin powers on the locked down computer.

You could configure Internet Explorer so that the internet Web Content Zone
[ tools/internet options/security/custom] will not allow downloads and that
will prevent downloads through Internet Explorer. As far as printing you
could go to printers and faxes, select file/server properties and enable log
spooler information events in the advanced tab. The part about restricting
internet access and monitoring access is best done at your firewall which
may or may not have the abilities you need. Microsoft ISA 2004 can certainly
do such but is not cheap - around $1500 installed on a server operating
system. You could try using IE Content Advisor to restrict where users can
go which may or may not work well depending on the amount of sites you want
to allow access to and the type of sites as many sites are a bunch of links
to other sites. Another option may be to use an internet monitoring software
package such as Net Nanny or Cyber Patrol. Many of them have free trial
downloads. If the budget allows many lower priced firewalls offer a
subscription content service where you pay a small monthly fee and the
service will help prevent users from accessing websites which you deem
inappropriate. Such an investment most likely would prove well worth while.
The links below may help. --- Steve

http://www.netnanny.com/
http://www.cyberpatrol.com/internet_monitor.aspx
http://www.sonicwall.com/products/tz170.html
 
Hi Steve,

Thank you very much for the reply. What you are saying makes sense, however

I am not really sure how to do it. Is there a step by step guide? Or any

articles I can read?

Thanks a lot.

Anguel




Steven L Umbach said:
Your best bet would to be to use Windows XP Pro which can use Software
Restriction Policies for such computers. However for Windows 2000 what you
could do is to let the users logon as the guest account. You can give the
guest account a password if you want and configure the account so that the
password can not be changed. Enabling the guest account however will allow
any user network access to the computer that has the everyone group
configured in permissions for a share folder so keep that in mind. If you
want to use a regular user account you would want to modify permissions to
that users profile to be only read/list/execute. A local administrator would
need to take ownership of that folder first to do such.

The guest account will use a profile that will be deleted when the user logs
off. Make sire that the root/drive folder has no more than read/list
permissions for the everyone group. Also make sure that the guest account
has deny permissions to the \documents and settings\all users\shared
documents folder. You can use ntfs permissions to prevent the guest account
from running applications you do not want them to access such as folders in
the program files folder.

Use Group Policy to restrict the users further. Local Group Policy is
invoked with the gpedit.msc command but keep in mind that by default local
Group Policy applies to ALL users that logon to a computer - even
administrators. You will find the most useful settings under user
configuration/administrative templates in the various categories. Be sure to
read full explanation of settings before enabling. Settings for "context
menu" will disable right click at various places in the operating system. An
administrator could still access Group Policy from another computer on the
network to manage Group Policy if he locked himself out by using the mmc
snapin for Group Policy on the remote computer and browsing to the locked
down computer. The admin would want to logon to the remote computer with an
account that has admin powers on the locked down computer.

You could configure Internet Explorer so that the internet Web Content Zone
[ tools/internet options/security/custom] will not allow downloads and that
will prevent downloads through Internet Explorer. As far as printing you
could go to printers and faxes, select file/server properties and enable log
spooler information events in the advanced tab. The part about restricting
internet access and monitoring access is best done at your firewall which
may or may not have the abilities you need. Microsoft ISA 2004 can certainly
do such but is not cheap - around $1500 installed on a server operating
system. You could try using IE Content Advisor to restrict where users can
go which may or may not work well depending on the amount of sites you want
to allow access to and the type of sites as many sites are a bunch of links
to other sites. Another option may be to use an internet monitoring software
package such as Net Nanny or Cyber Patrol. Many of them have free trial
downloads. If the budget allows many lower priced firewalls offer a
subscription content service where you pay a small monthly fee and the
service will help prevent users from accessing websites which you deem
inappropriate. Such an investment most likely would prove well worth while.
The links below may help. --- Steve

http://www.netnanny.com/
http://www.cyberpatrol.com/internet_monitor.aspx
http://www.sonicwall.com/products/tz170.html

Anguel Iordanov said:
Hi everyone,



I am faced with the following challenge and would really appreciate if you
could help or point me in the right direction.



We have two computer running Win 2000 Pro.

We would like to give a public access to this computer so anyone coming in
can use them.



My challenge is to:

1 Create an account on each computer with the following
restrictions:

- Users cannot change any settings on the computer.

- Users cannot right click.

- Users cannot download files from the Internet

- Users cannot create files or folders

- Users can only access sites approved by us

2 Does any of you know of a cheap software, which will allow us:

- How long people have been on the Internet

- Have the printed anything



Thanks a lot in advance.



Anguel
Click to expand...
Click to expand...
 
Here are a couple of links. The first is some software that claims it can do
much of what you want and the last link is to the Windows 2003 Deployment
Kit which contains some excellent documentation of using a managed
environment. --- Steve

http://www.sharewareconnection.com/advanced-internet-kiosk.htm

http://www.microsoft.com/resources/...003/all/deployguide/en-us/dpgDME_overview.asp

Anguel Iordanov said:
Hi Steve,

Thank you very much for the reply. What you are saying makes sense,
however

I am not really sure how to do it. Is there a step by step guide? Or any

articles I can read?

Thanks a lot.

Anguel




Steven L Umbach said:
Your best bet would to be to use Windows XP Pro which can use Software
Restriction Policies for such computers. However for Windows 2000 what
you
could do is to let the users logon as the guest account. You can give the
guest account a password if you want and configure the account so that the
password can not be changed. Enabling the guest account however will
allow
any user network access to the computer that has the everyone group
configured in permissions for a share folder so keep that in mind. If you
want to use a regular user account you would want to modify permissions
to
that users profile to be only read/list/execute. A local administrator would
need to take ownership of that folder first to do such.

The guest account will use a profile that will be deleted when the user logs
off. Make sire that the root/drive folder has no more than read/list
permissions for the everyone group. Also make sure that the guest account
has deny permissions to the \documents and settings\all users\shared
documents folder. You can use ntfs permissions to prevent the guest account
from running applications you do not want them to access such as folders in
the program files folder.

Use Group Policy to restrict the users further. Local Group Policy is
invoked with the gpedit.msc command but keep in mind that by default
local
Group Policy applies to ALL users that logon to a computer - even
administrators. You will find the most useful settings under user
configuration/administrative templates in the various categories. Be sure to
read full explanation of settings before enabling. Settings for "context
menu" will disable right click at various places in the operating system. An
administrator could still access Group Policy from another computer on
the
network to manage Group Policy if he locked himself out by using the mmc
snapin for Group Policy on the remote computer and browsing to the locked
down computer. The admin would want to logon to the remote computer with an
account that has admin powers on the locked down computer.

You could configure Internet Explorer so that the internet Web Content Zone
[ tools/internet options/security/custom] will not allow downloads and that
will prevent downloads through Internet Explorer. As far as printing you
could go to printers and faxes, select file/server properties and enable log
spooler information events in the advanced tab. The part about
restricting
internet access and monitoring access is best done at your firewall which
may or may not have the abilities you need. Microsoft ISA 2004 can certainly
do such but is not cheap - around $1500 installed on a server operating
system. You could try using IE Content Advisor to restrict where users
can
go which may or may not work well depending on the amount of sites you want
to allow access to and the type of sites as many sites are a bunch of links
to other sites. Another option may be to use an internet monitoring software
package such as Net Nanny or Cyber Patrol. Many of them have free trial
downloads. If the budget allows many lower priced firewalls offer a
subscription content service where you pay a small monthly fee and the
service will help prevent users from accessing websites which you deem
inappropriate. Such an investment most likely would prove well worth while.
The links below may help. --- Steve

http://www.netnanny.com/
http://www.cyberpatrol.com/internet_monitor.aspx
http://www.sonicwall.com/products/tz170.html

Anguel Iordanov said:
Hi everyone,



I am faced with the following challenge and would really appreciate if you
could help or point me in the right direction.



We have two computer running Win 2000 Pro.

We would like to give a public access to this computer so anyone coming in
can use them.



My challenge is to:

1 Create an account on each computer with the following
restrictions:

- Users cannot change any settings on the computer.

- Users cannot right click.

- Users cannot download files from the Internet

- Users cannot create files or folders

- Users can only access sites approved by us

2 Does any of you know of a cheap software, which will allow us:

- How long people have been on the Internet

- Have the printed anything



Thanks a lot in advance.



Anguel
Click to expand...
Click to expand...
Click to expand...
 
Back
Top