classroom/kiosk type security

[joe haydn]

hi all.

I'm looking into securing xp workstations in a classroom lab that are being
shared by the students (AD domain users). Epecially that I found out they
can install Gaim/chat applications, as well as being able to freely creating
folders under the c:\ drive.

On one machine, i'm experimenting by removing "everyone" access to the c:\
drive, also removed the local "Users" group, this is so that no students who
login can create a folder under the C:\ drive, and force them to save files
and create folders only under their own profile.

--- isn't this a good idea? or isn't what I just did more or less a standard
approach to prevent login users to pile up their own personal files under
the c:\ drive?

Or is there like a group policy template that you can apply so that the
machine can quickly be configured as a public kiosk?

Any ideas I appreciate, thankx!

joe

 

[Guest]

I would use a kiosk software and push put INI files as needed using AD/WSH.

There's a lot to modify and registry entries, the kiosk software is pretty
much point, click, and go. Modifications are fairly easy and updates can be
pushed via AD/GPOs.

Here's a good kiosk s/w I've used to secure a manufacturing facility from
day laborers:
http://www.softheap.com/newadmin.html

 

[Jason Tan]

Hi Joe,

Thanks for posting!

My understanding on the issue is: you want to prevent domain users from
installing software and creating folders in drive C. If I have
misunderstood your concerns, please feel free to let me know.

By default, standard domain user will be a member of Local User on the
domain machine. You may prevent domain user from installing software and
creating folders and files. I would like to provide you the following
method for your reference:

Right-click C: -> click Properties item-> click Security tab -> click Users
->click Advanced button-> click Permissions -> remove

Name Permission
Users Create files/Write data
Users Create folders/Append data

Note: Do not remove local "Users" group.

Please note that the partner managed newsgroups provide assistance to
resolve break/fix issues. We also recommend Microsoft Advisory Services, a
remotely-delivered, consultative support option that adds the element of
proactive support, providing a comprehensive result beyond your break-fix
product maintenance needs. More information on this service here:
http://support.microsoft.com/gp/advisoryservice

Thanks & Regards,

Jason Tan
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.