Lockdown a User in XP SP2


hey__me
May 26th, 2005, 03:59 PM
I am trying to set up a machine to lock down the default user from running anything except programs I autorun. I however need to keep a local administrator available with full access. This needs to be accomplished on a standalone workstation running XP SP2.

I know how to set up the computer to autologon and to auto-launch a program, but the lockdown is being difficult. There was a program in the W2k resource kit for W2k, but I can't find anything for XP.


User:
Can't do anything except use program that is running.

Administrator:
has full access as normal

I would assume this would be done using a group policy. I have found a technote from Microsoft including a sample policy for setting up a Kiosk (basically what I want) but it talks about linking this to the Active Directory on a W2k3 Server. This system is standalone. Any idea how to do this to a User or a User Group?

Duke of Rezin
May 26th, 2005, 11:33 PM
Start/Run/GPEDIT.MSC assuming the machine is running XP Professional. If it's running Home or other, network it to an XP Pro comp and set Group Policy for the machine from there.

hey__me
May 27th, 2005, 07:22 AM
XP Pro, but the group policy affects every user on the system if it is not part of the domain. I seem to have found a way to do it from another website which involves setting permissions on the actual policy so that an Administrator is denied read access, therefore preventing Windows from applying it. I will try that today.

Ya_know
May 27th, 2005, 08:19 AM
> XP Pro, but the group policy affects every user on the system if it is not part of the domain. I seem to have found a way to do it from another website which involves setting permissions on the actual policy so that an Administrator is denied read access, therefore preventing Windows from applying it. I will try that today.

Dude, if that works please provide some links!

confus-ed
May 27th, 2005, 08:45 AM
> ... There was a program in the W2k resource kit for W2k, but I can't find anything for XP...

Do you mean like so ? :- Security Configuration Manager Tools (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/all_tools.mspx)(which IS in xp ;))

& another fact worth mentioning about XP over W2k permissions-wise, is the fact that you can password protect your 'My Documents' folder without reference to any groupings, meaning that no matter what class of user account you have, only you & not any administrator can view your files*

* .. which doesn't take care of the 'hole in the plot' anymore than anything can where you've got physical access, as we all know about 'taking ownership' & other things I'm apparently not allowed to mention anymore !

hey__me
May 27th, 2005, 12:28 PM
Found that info on www.windowsnetworking.com/kbase/windowstips/windowsXP/Admintips/miscellaneous

Didn't end up using it as getting permissions right was going to be a big problem.

Poseidon
May 28th, 2005, 09:15 PM
You could limit the applications the user account can run -

This is a per user setting:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

Create a new DWORD value and name it "RestrictRun"; set the value to "1" to enable application restrictions or "0" to allow all applications to run.

Next create a new sub-key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun] and define the applications that are allowed. Create a new string value for each application, named as consecutive numbers, and set the value to the filename to be allowed, i.e. "notepad.exe"

(Default) REG_SZ (value not set)
1 REG_SZ "notepad.exe"
2 REG_SZ "regedit.exe"

You will need to restart Windows.
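
An added example, not part of the original thread: a Python check over a `.reg` export of the two keys from the post above, confirming that RestrictRun is enabled and flagging allow-list entries, such as the sample's regedit.exe, that deserve a second look on a locked-down account. The sample export text (assumed already decoded to a string), the `REVIEW` set and the function names are constructed assumptions.

```python
import re

# Constructed sample: decoded text of a .reg export holding the post's values.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="notepad.exe"
"2"="regedit.exe"
'''

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# Assumption: registry editors and command shells an admin should justify.
REVIEW = {"regedit.exe", "regedt32.exe", "reg.exe", "cmd.exe", "command.com"}

def parse_reg(text):
    """Return {lowercased key path: {value name: value}} from .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"=(.+)', line)
        if m and current is not None:
            name, raw = m.group(1), m.group(2)
            if raw.lower().startswith("dword:"):
                current[name] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                current[name] = raw[1:-1].replace("\\\\", "\\")
    return keys

def audit_restrict_run(text):
    """Return (sorted allow list, findings) for the RestrictRun policy."""
    keys = parse_reg(text)
    policy = keys.get(POLICY_KEY.lower(), {})
    allowed = keys.get((POLICY_KEY + r"\RestrictRun").lower(), {})
    findings = []
    if policy.get("RestrictRun") != 1:
        findings.append("RestrictRun is not 1: the allow list is not enforced")
    if not allowed:
        findings.append("RestrictRun sub-key has no entries")
    for name, exe in sorted(allowed.items()):
        if exe.lower() in REVIEW:
            findings.append(f"entry {name}: {exe} is a registry editor or shell; "
                            "confirm the locked-down user needs it")
    return sorted(v.lower() for v in allowed.values()), findings
```

Run it against an export taken while logged on as the restricted user, since the keys live under that user's HKEY_CURRENT_USER hive.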

hey__me
May 29th, 2005, 06:54 PM
Solution:
Created a limited user account
Deny write access to C:
Allow Write Access to required directories that software Requires
Set Restrict Run in registry for required apps.
Although user can copy files from C:, he is prevented from deleting and modifying files. I just wish there was a way to completely lock it down so that he can't even get to the start menu, or launch an explorer window, etc.

Poseidon
May 30th, 2005, 01:42 AM
As for the start menu, run a different shell or restrict access altogether:

Disable Menu Bars and the Start Button (http://www.winguides.com/registry/display.php?id=905)