XP Policies (like PolEdit)

Daniel Kerr

Ok, here's the deal.

I am about to deploy a PC to a public area. The ONLY thing I want people to
be able to do is open IE, and of course lock it to say 3 of our websites.
In Win98 or even NT this would not be very hard at all. I would simply open
PolEdit, make an account for either the group or username, and then apply
the restrictions. This way, when the user logs in, they lose all access to
everything in the computer (control panel, etc), yet I can get in under the
admin account that doesn't have this policy applied and make changes.

So far I have been beating my head in trying to get a solution to this
problem. It seems XP Pro wants to use the group policy. That's wonderful
as it has all the settings I want to change, but only one catch. These all
seem to be machine settings. I.e., I remove the shutdown button from the
start menu, my admin account also has it gone. As you can see, this is a
huge issue as I don't want to lock myself out of doing things to the
computer.

Due to the insecure nature of this system, we do NOT want it on our domain
(or even on our network for that matter). So, does anyone have a solution?
PolEdit from the OfficeXP resource kit would work, but it won't let me add
the system settings that I want...

Any help will be GREATLY appreciated.

Thanks for any assistance you guys can give...
 
David Jones

When you're finished setting the policy, but before you
logoff/reboot, change the NTFS permissions on the
\Windows\system32\grouppolicy folder to Deny access to
Administrators (or whoever you want the policy to NOT
apply to).

When you need to change the policy, you'll need to remove
that Deny permission to change it.

Note that you should also make sure the only accessible
things are the keyboard and mouse, because with physical
access to a computer case (or floppy drive/CD drive/etc)
it is possible to do a wide variety of things that would
get around this.

Also make sure all Administrator level accounts are
password protected with strong passwords, and those
passwords change relatively frequently.

There's a host of other ways to secure the system as
well, but that's a good starting point.
 
Deus Ex Machina

Two methods to get this. One fast, one slow but
configurable.

Fast method:
Start menu->Run. Type in "gpedit.msc". Hit enter.

Slow method:
Start Menu->Run. Type in "mmc". Hit enter. Click
File->Add/Remove Snap-in. Click "Add". Highlight "Group
Policy" and click "Add". Select computer you want to change
the policies for, and click finish. Click Close. Click Ok.

hope this helps =D
 
Daniel Kerr

DOH, didn't even think of that. I also just got some 2K templates I have
used on my 2K terminal server that I'm gonna try importing into the poledit
and see if I can get that to work... but that's a great idea... I might try
that one next.

Only "issue" I would be concerned with is if it executed immediately when I
re-add permissions... I.e., I go to make a change, add the allow access to
that folder back to admins, then BAM I lose everything... The changes I was
making in the group policy were effective immediately, and not on
logon/logoff so kinda worried.. hehehe
 
Daniel Kerr

Actually, this doesn't do what I want...

Again, this is a standalone version of XP Pro (running in a workgroup). I
want these restrictions to apply to userX but NOT to the admin account.
Anything in gpedit instantly applies to ALL accounts on the machine. Unlike
PolEdit in the old days, there is no way to force it to apply to group/user
X and not to group/user Y...
 
Roger Abell

Daniel,

The Deny method is my favorite when it is a specific
account or group like Administrators that needs exemption.
The method MS seems to favor, see the link Doug has
posted, is generalizable, allowing different settings for
different accounts, whether or not admins, but it has the
flaw that you basically start over when you need to make
a change to the desired policies.
Poledit, in a non-domain setting does work. You will
need to import/modify to get the settings you want.
You should, for your planned usage, look into using
Software Restriction Policies. These will greatly help
in defining a kiosk environment - as it is easy to overlook
some of the ways people can escape the planned applications
and get to a cmd prompt.
 
Daniel Kerr

Ok, here's a kicker. Maybe I'm being a bonehead about this, but just how
the heck do you change the NTFS permissions under xp? I do the normal right
click and select properties and I get nothing about allowing/denying access
to any folder. I'm sure I'm just missing something and with these sinus
meds am not thinking right...

Any clue?
 
Daniel Kerr

DOH.. Never mind... Quick search told me how to do this.

If anyone else needs to know, simply open explorer, select tools, folder
options. Click on the "view" tab, then scroll all the way down to the
bottom and turn off simple file sharing.
 
Roger Abell

Or, if you do want to leave simple sharing enabled you
can use an F8 safe mode boot or the cacls commandline
utility.
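
The Deny toggle discussed in this thread (deny Administrators on the GroupPolicy folder, lift the deny to edit policy, then re-apply it), done with the cacls utility mentioned above. This is an added example, not something posted by any participant; the script name is hypothetical, and it assumes the Administrators group owns the folder, so an admin can still edit the ACL while the Deny entry is in place.

```bat
@echo off
rem Added example, not from the thread. Toggles the Deny entry on the local
rem Group Policy folder using cacls, which ships with Windows XP.
rem Usage: gplock.cmd lock ^| unlock ^| show   (gplock.cmd is a hypothetical name)
setlocal
set "GPDIR=%SystemRoot%\System32\GroupPolicy"
set "WHO=Administrators"

if not exist "%GPDIR%" (
    echo %GPDIR% not found - has a local policy been saved with gpedit.msc yet?
    exit /b 1
)

if /i "%~1"=="lock"   goto lock
if /i "%~1"=="unlock" goto unlock
if /i "%~1"=="show"   goto show
echo Usage: %~nx0 lock ^| unlock ^| show
exit /b 2

:lock
rem /E edits the existing ACL instead of replacing it, /T also processes the
rem files and subfolders, /C continues on access-denied errors, /D adds a Deny.
cacls "%GPDIR%" /E /T /C /D %WHO%
goto show

:unlock
rem Fix the folder itself first so its contents can be listed again, then
rem repeat with /T for everything underneath.
rem /R revokes WHO's entries (only valid with /E), which removes the Deny.
rem /G re-grants Full Control in case /R also dropped an explicit Allow.
cacls "%GPDIR%" /E /C /R %WHO%
cacls "%GPDIR%" /E /C /G %WHO%:F
cacls "%GPDIR%" /E /T /C /R %WHO%
cacls "%GPDIR%" /E /T /C /G %WHO%:F
goto show

:show
rem Print the resulting ACL so the change can be confirmed before logging off.
cacls "%GPDIR%"
exit /b 0
```

Run `unlock` before opening gpedit.msc and `lock` again before logging off, checking the ACL that `show` prints each time.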
 
