GPO Equivalent on local machine????

Kevin

I have a few sites not on Active Directory. At those sites I need to deploy a
few "public" machines. I only want these machines to have access to three
websites (1 internal and two external), and nothing else. I don't want them
to be able to change anything. I would like for them to see as little as
possible (other than the three websites).

I know there are some options in the local security policy section, but this
seems to be a stripped down version compared to settings available in AD.

Is there a way to get the full AD setting options for a local machine (I
hope this makes sense).

I would even consider third party apps if necessary.

Thanks,
Kevin
 
Andrew Mitchell

Kevin said:
I have a few sites not on Active Directory. At those sites I need to
deploy a few "public" machines. I only want these machines to have
access to three websites (1 internal and two external), and nothing
else. I don't want them to be able to change anything. I would like for
them to see as little as possible (other than the three websites).

I know there are some options in the local security policy section, but
this seems to be a stripped down version compared to settings available
in AD.

Is there a way to get the full AD setting options for a local machine (I
hope this makes sense).

I would even consider third party apps if necessary.

No need. Use a local policy.
Browse to UserConfig/IEMaintenance/Connection/ProxySettings and enter a proxy
server that doesn't exist. In the exceptions list, put in the URLs that you
want them to have access to. That way, any site other than the ones you have
specified will cause IE to look for a proxy that doesn't exist and return an
error to the user.

Then you can just browse through UserConfig/AdminTemplates/WindowsComponents
and disable whatever settings you don't want the users playing around with.

Andy.
 
Kevin

Great idea manipulating the proxy setting! That will work for the website
issue.

There are a lot of settings in AD that do not appear in the local security
policy like: hiding local drives, disabling control panel, disabling display
settings...etc.

These are just a few examples. Is there any way to get these options on the
local machine?

Thanks again,
Kevin
 
Kevin

I just realized... I think you might have misunderstood my post. These
machines are not on a network with AD. So there is no "user config" to
browse through. That's why I asked about local policies.

I went into the local Internet Setting and did the fake proxy trick, but the
exceptions only worked for our local Intranet. The two external sites were
also blocked, which doesn't work for me.

Any other suggestions would be appreciated.

Kevin
 
Steven L Umbach

You have to use gpedit.msc to bring up Group Policy on the local machine, and by
default the settings will apply to all users that log on to that computer, even the
local administrators. In addition to Andrew's tip you can try ipsec filtering on port
80/443 to allow access to only the sites you desire based on IP address, or
use personal firewalls on those computers to do the same, or you may even be able to
do it at the perimeter firewall. See the link below for an example on ipsec
filtering. --- Steve

http://www.securityfocus.com/infocus/1559
 
Andrew Mitchell

Kevin said:
I just realized... I think you might have misunderstood my post. These
machines are not on a network with AD. So there is no "user config" to
browse through. That's why I asked about local policies.

If you run gpedit.msc it will give you a group policy editor that will apply
local policies including blocking control panel, display properties etc.

I would strongly suggest you read
http://support.microsoft.com/default.aspx?scid=kb;EN-US;293655 before doing
this, because by default local policies apply to all users including
administrators and you risk locking yourself out of your own computer.

I went into the local Internet Setting and did the fake proxy trick, but
the exceptions only worked for our local Intranet. The two external
sites were also blocked, which doesn't work for me.

You need to do it through gpedit and place the sites you want access to in
the Bypass Proxy list.

Andy.
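
The dead-proxy allow-list described in this thread, as an added PowerShell example that is not from any poster: it writes the per-user Internet Settings proxy values that Internet Explorer reads, then reads them back to confirm every allowed host is in the bypass list. The host names and the unused proxy address are constructed placeholders.

```powershell
# Added example, not from the thread. Run as the kiosk user: the values live in HKCU.
# Host names and the proxy address below are constructed placeholders.
$AllowedHosts = @('intranet', 'www.example.com', 'portal.example.org')
$DeadProxy    = '127.0.0.1:9'   # assumption: nothing listens on this address
$Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Set-KioskProxy {
    param([string[]]$Hosts, [string]$Proxy)
    # ProxyOverride is a single semicolon-separated string. <local> only covers
    # dotless intranet names, so external sites must be listed by host name.
    $bypass = (@($Hosts) + '<local>') -join ';'
    Set-ItemProperty -Path $Key -Name ProxyEnable   -Value 1       -Type DWord
    Set-ItemProperty -Path $Key -Name ProxyServer   -Value $Proxy  -Type String
    Set-ItemProperty -Path $Key -Name ProxyOverride -Value $bypass -Type String
}

function Test-KioskProxy {
    param([string[]]$Hosts, [string]$Proxy)
    $s = Get-ItemProperty -Path $Key
    $listed  = @("$($s.ProxyOverride)" -split ';')
    $missing = @($Hosts | Where-Object { $listed -notcontains $_ })
    [pscustomobject]@{
        ProxyEnabled = ($s.ProxyEnable -eq 1)
        ProxyServer  = $s.ProxyServer
        MissingHosts = $missing
        # A configured auto-config script is a second proxy source; flag it for review.
        AutoConfig   = $s.AutoConfigURL
        Ok = ($s.ProxyEnable -eq 1) -and ($s.ProxyServer -eq $Proxy) -and
             ($missing.Count -eq 0) -and (-not $s.AutoConfigURL)
    }
}

Set-KioskProxy  -Hosts $AllowedHosts -Proxy $DeadProxy
Test-KioskProxy -Hosts $AllowedHosts -Proxy $DeadProxy | Format-List
```

This only constrains programs that honour the Internet Explorer proxy settings, which is why the IPsec or firewall filtering suggested in the thread is worth layering on top.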
 
Kevin

Thanks and I will read the article.

Kevin

Andrew Mitchell said:
If you run gpedit.msc it will give you a group policy editor that will apply
local policies including blocking control panel, display properties etc.

I would strongly suggest you read
http://support.microsoft.com/default.aspx?scid=kb;EN-US;293655 before doing
this, because by default local policies apply to all users including
administrators and you risk locking yourself out of your own computer.


You need to do it through gpedit and place the sites you want access to in
the Bypass Proxy list.

Andy.
 
Kevin

This is what I was looking for.

Thanks,
Kevin

Steven L Umbach said:
You have to use gpedit.msc to bring up Group Policy on the local machine, and by
default the settings will apply to all users that log on to that computer, even the
local administrators. In addition to Andrew's tip you can try ipsec filtering on port
80/443 to allow access to only the sites you desire based on IP address, or
use personal firewalls on those computers to do the same, or you may even be able to
do it at the perimeter firewall. See the link below for an example on ipsec
filtering. --- Steve

http://www.securityfocus.com/infocus/1559
 
