Controlling access to drive C and IE settings

[Harrison Midkiff]

Hello:

I have deployed 2 terminal servers for my users to use. I am in the process
of securing the servers via a GPO. I have manage to get everything to apply
correctly except for 2 things:

1. I want to give users limited access to the C drive. They should be able
to see there own local profile folder, but I don't want them to see the
"Windows" folder or be able to create folders or files on the root of the C
drive or even save files to the root. I tried restricting access to C but
not only did it not allow them to see it. It also seemed to block "Windows
Explorer" from running.

2. We use a local Intranet for corporate data. To access is I have to add
"Local Intranet" security settings. I have added them on the GPO but they
don't seem to apply to IE when the user logs in. The terminal server is
Windows 2003 and my AD is 2000. I wouldn't think that would be a problem.
I also want to restrict my IE to certain web sites. I can do this from my
firewall, but I was just curious if I could do it in the GPO?

Any advice anyone has would be greatly appreciated...

Harrison Midkiff

 

[Jack Wang [MSFT]]

Hi Harrison,

Thank you for posting!

I suggest you refer to the following article to use the policy below to
restrict local drives.

- [User Configuration\Administrative Templates\Windows Components\Windows
Explorer]

- "Hide these specified drives in My Computer" (Enable this setting for A
through D.)

- "Prevent access to drives from My Computer" (Enable this setting for A
through D.)

Locking Down Windows Server 2003 Terminal Server Sessions
http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx

Also, you may use the NTFS permission settings of the folders and files to
lock down the users. You may modify the NTFS permissions so that the user
only can use his profile folder.

The Windows Explorer is loaded by the c:\WINDOWS\explorer.exe file. If the
user has the permission to read the file, he will have the permission to
load Windows Explorer.

To edit the Internet security settings, you may use the following policy of
Windows Server 2003.

1. Click Start and select Run on the Windoiws Server 2003 computer directly.

2. Type gpedit.msc in the Open box and click OK.

3. Select the following folder.

User Configuration->Windows Settings->Internet Explorer
Maintenance->Security.

4. Use the policy the do it.

If you set the policy in a OU of the terminal server, please also enable
the following policy.

- [Computer Configuration\Administrative Templates\System\Group Policy]

- "User Group Policy loopback processing mode"

If you have further concern, feel free to let me know. Hope this helps!

Sincerely,
Jack Wang, MCSE 2000/2003, MCSA 2000/2003, MCDBA, MCSD
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Harrison Midkiff" <[email protected]>
| Subject: Controlling access to drive C and IE settings
| Date: Tue, 19 Oct 2004 19:28:06 -0400
| Lines: 25
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
| Message-ID: <[email protected]>
| Newsgroups: microsoft.public.win2000.group_policy
| NNTP-Posting-Host: 67-124.8-67.tampabay.rr.com 67.8.124.67
| Path:
cpmsftngxa10.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09
.phx.gbl
| Xref: cpmsftngxa10.phx.gbl microsoft.public.win2000.group_policy:31447
| X-Tomcat-NG: microsoft.public.win2000.group_policy
|
| Hello:
|
| I have deployed 2 terminal servers for my users to use. I am in the
process
| of securing the servers via a GPO. I have manage to get everything to
apply
| correctly except for 2 things:
|
| 1. I want to give users limited access to the C drive. They should be
able
| to see there own local profile folder, but I don't want them to see the
| "Windows" folder or be able to create folders or files on the root of the
C
| drive or even save files to the root. I tried restricting access to C
but
| not only did it not allow them to see it. It also seemed to block
"Windows
| Explorer" from running.
|
| 2. We use a local Intranet for corporate data. To access is I have to
add
| "Local Intranet" security settings. I have added them on the GPO but
they
| don't seem to apply to IE when the user logs in. The terminal server is
| Windows 2003 and my AD is 2000. I wouldn't think that would be a
problem.
| I also want to restrict my IE to certain web sites. I can do this from
my
| firewall, but I was just curious if I could do it in the GPO?
|
| Any advice anyone has would be greatly appreciated...
|
| Harrison Midkiff
|
|
|