different user groups with different security settings and windows environment

[dh]

My machine is a standalone machine without any AD setting.
I am planning to set different user groups with different security settings
and windows environment.
From gpedit.msc, there are only Windows Setting->Local
Policies->UserRightAssignments and Windows Setting->Local Policies->Security
Options working with User Groups. The other policies affecting all users.
I need the very tight security user group for working only with one or two
banking web sites, no other application runs, no application can be install,
and no communication to other sites. Limited ports. The cleaning process
should run during login and logout. The point is to avoid the backdoor and
keylogger.
Another user group for general usage, like accessing chatroom site, ICQ,
YIM, game.

How can I do this?
Any suggestion on setting user groups to acheive security?
Thanx a lot

 

[Roger Abell]

What OS ? This is more approachable with XP Pro than it is with
Windows 2000, mostly due to the addition of Software Restriction
Policy in XP and later.
However, local policy (i.e. stand-alone) is always applied equally
to all accounts. User and group selectivity is a domain feature.
There is a workaround, a very tedious workaround, for which one
must plan carefully what policies are to be in effect for which accounts.
In general I do not recommend it.
Also, most things effected by local policy can be done with registry
settings - and there are third-party tools to assist. You might want to
look at Doug's little app for this (www.dougknox.com).
Finally, from what you have said it almost sound like what you could
do is to change the default shell from Explorer for the couple accounts
that are to be restricted to only accessing the bank web sites.

 

[dh]

The OS is WinXP Pro.
So, will you suggest I promote my standalone PC to a standalone Domain
Controller in order to configure the specific group security requirement?
What is the default shell for IE? How can I access and change it?

By the way, if I get internet access by wireless router, which has several
PC connect to it, which parameters should I set to ensure the other PC
connect to the same router cannot invade my privacy?
Can I use both cable access and wireless access at the same time to
accerlerate the data rate?
Thanx

 

[Guest]

Using both cable and wireless access at the same time won't accelerate the
data rate. To ensure your "privacy", there are many fatcors to consider, and
I would think that one who really wants to invade your "privacy" will be able
to succeed. Try to see if you can isolate a LAN port on your router.
Otherwise, make sure the local security policy and user rights block all
access through the network to your computer. Put a password on your admin
account (a complex one) and disable the guest account. These are basics....

Finally I think promoting your PC to DC is like putting a V8 in a golf cart
;-)

You might want to take a look at the Internet Explorer Admin Kit...(IEAK)

 

[dh]

How come the data rate wont accerlerate if I have two internet access
account from the same ISP?
The bandwidth should be doubled.
The problem is how to configure these two PCI network card correctly.
Thanx

 

[Shenan Stanley]

How come the data rate wont accerlerate if I have two internet access
account from the same ISP?
The bandwidth should be doubled.
The problem is how to configure these two PCI network card correctly.

Think of it this way..
Yes - you have two "pipes" coming into your machine, each of these "pipes"
even comes from the same "supplier".. BUT..

You have one computer and (by design) that one computer can request stuff
from either "Pipe1" or "Pipe2", but not both at the same time.

While there are dial-up modems/applications out there for them that allows
you to "bind" the two modems together, to my knowledge there is nothing like
that for Network Cards... Yet.

I can see the reasoning.. For a quick example, I can get 5Mbit down,
768Kbit up for $49.99/month. If I wanted 10Mbit down and 1.5Mbit up, the
price would do more than double - that is for sure. So being able to link
my two connections together - even with a one-time hardware purchase or
software purchase would be FANTASTIC. And if there is such a thing out
there - publicize it here - but I do not know about it.

 

[Roger Abell]

Well, you would need to purchase Server in order to have a domain.

I am not sure if there is or is not something out there to aggregate
bandwidth between a cable and a wireless interface. In modem days
there was ability to do so and in higher end network cards this is
possible - but those are not the interfaces you have.

From the range of your questions I feel that you may be getting in
too deeply if you were to try altering the default shell for those
accounts. Explorer is the normal default shell, not IE.

The best way to protect your machine is to use a firewall,
to keep it up-to-date on patches, and to keep those at the
keyboard using a limited user account with sanity in their
actions.