Single server, no domain controller, no GPO - best practices

jjw1234

Hi all,

I've got a 3 distributed user small office that I need to set up. The
users are all over the country.. east coast, west coast and midwest.
There will likely be 2 additional users from the UK.

The users need to run MS Office and Quickbooks. I have a single server
to work with and at this point I've determined that the best way to do
this is to simply set it up as a standalone server with no domain using
local accounts.

My question is, what's the best way to deal with managing the
environment? Should I simply use the gpedit.msc snap-in in lieu of
Group Policies? Any changes made in gpedit.msc end up hitting everyone
(administrator included), but I don't see another way.

I'm thinking of using mandatory profiles. Is this a good idea?

Any suggestions/ideas?

How should I lock this system down?

Can I prevent users from browsing the internet, yet allow
administrators to?

Security is important to me personally, but not as much to my
client (the business for which this setup is being configured), but
that's just because he's not aware of how important it is.

Thanks in advance for your insightful comments!

Jon Wahl
 
Yes, a local policy with gpedit is the best you can do.
Note that there *is* a method to differentiate between
Administrators and normal users, but it's cumbersome, to use an
understatement :-)

293655 - How to apply local policies to all users except
administrators in a workgroup setting in Windows 2000
http://support.microsoft.com/kb/293655/

You should also use NTFS permissions on the file system. Here you
can easily differentiate between yourself and the users. The effect
is not as nice-looking (users get an "access denied" error, instead
of not even seeing a certain feature), but it will work.

You can prevent Internet browsing by defining a mandatory profile
for the users with a preconfigured dummy proxy setting, pointing to
"localhost", or some other phony IP address. Again: they'll get an
error message, but they won't be able to browse the net.

You might want to do some user education also, explaining this
behaviour, otherwise you will receive a lot of support calls about
the access denied errors.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

(e-mail address removed) wrote on 19 jul 2005 in
microsoft.public.win2000.termserv.apps:
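
An added example, not part of the original thread or the KB article: one way to write the dummy proxy setting described in the answer above into a mandatory profile's registry hive, using reg.exe from an elevated PowerShell prompt. The hive path, the temporary mount name and the proxy address are assumptions to adjust for your server.

```powershell
# Added example: paths and names below are assumptions, not values from the thread.
param(
    # Hypothetical location of the mandatory profile's registry hive
    [string]$HivePath   = 'C:\Profiles\Mandatory\ntuser.man',
    # Dead-end proxy: loopback address on a port where nothing listens
    [string]$DummyProxy = '127.0.0.1:9'
)

$mount = 'HKU\MandatoryProfile'   # temporary mount point (assumed name)
$key   = "$mount\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

if (-not (Test-Path -LiteralPath $HivePath)) {
    throw "Hive not found: $HivePath"
}

# Keep a copy of the hive so the change can be rolled back.
Copy-Item -LiteralPath $HivePath -Destination "$HivePath.bak" -Force

# Mount the profile hive. This fails if a user is logged on with the profile
# or if the prompt is not elevated.
& reg.exe load $mount $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }

try {
    # Turn the per-user proxy on and point it at the dead-end address.
    & reg.exe add $key /v ProxyEnable /t REG_DWORD /d 1 /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Could not set ProxyEnable' }

    & reg.exe add $key /v ProxyServer /t REG_SZ /d $DummyProxy /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Could not set ProxyServer' }

    # Read both values back so the operator can confirm what was written.
    & reg.exe query $key /v ProxyEnable
    & reg.exe query $key /v ProxyServer
}
finally {
    # Always unmount, otherwise the hive stays locked and users cannot load it.
    & reg.exe unload $mount | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed for $mount" }
}
```

This only blocks programs that honour the per-user Internet Settings proxy; administrators are unaffected as long as they do not log on with the mandatory profile.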
 