Ok, here's the deal.

I am about to deploy a PC to a public area. The ONLY thing I want people to
be able to do is open IE, and of course lock it to say 3 of our websites.
In Win98 or even NT this would not be very hard at all. I would simply open
PolEdit, make an account for either the group or username, and then apply
the restrictions. This way, when the user logs in, they lose all access to
everything in the computer (control panel, etc), yet I can get in under the
admin account that doesn't have this policy applied and make changes.

So far I have been beating my head in trying to get a solution to this
problem. It seems XP Pro wants to use the group policy. That's wonderful
as it has all the settings I want to change, but only one catch. These all
seem to be machine settings. IE, I remove the shutdown button from the
start menu, my admin account also has it gone. As you can see, this is a
huge issue as I don't want to lock myself out of doing things to the
computer.

Due to the insecure nature of this system, we do NOT want it on our domain
(or even on our network for that matter). So, does anyone have a solution?
PolEdit from the OfficeXP resource kit would work, but it won't let me add
the system settings that I want...

Any help will be GREATLY appreciated.

Thanks for any assistance you guys can give...

Daniel,

The Deny method if my favorite when it is a specific
account or group like Administrators that need exemption.
The method MS seems to favor, see the link Doug has
posted, is generalizable, allowing different settings for
different accounts, whether or not admins, but it has the
flaw that you basically start over when you need to make
a change to the desired policies.
Poledit, in a non-domain setting does work. You will
need to import/modify to get the settings you want.
You should, for your planned usage, look into using
Software Restriction Policies. These will greatly help
in defining a kiosk environment - as it is easy to overlook
some of the way people can escape the planned applications
and get to a cmd prompt.

--
Roger Abell
Microsoft MVP (Windows, Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Daniel Kerr" > wrote in message
...
> Ok, here's the deal.
>
> I am about to deploy a PC to a public area. The ONLY thing I want people
to
> be able to do is open IE, and of course lock it to say 3 of our websites.
> In Win98 or even NT this would not be very hard at all. I would simply
open
> PolEdit, make an account for either the group or username, and then apply
> the restrictions. This way, when the user logs in, they lose all access
to
> everything in the computer (control panel, etc), yet I can get in under
the
> admin account that doesn't have this policy applied and make changes.
>
> So far I have been beating my head in trying to get a solution to this
> problem. It seems XP Pro wants to use the group policy. That's wonderful
> as it has all the settings I want to change, but only one catch. These all
> seem to be machine settings. IE, I remove the shutdown button from the
> start menu, my admin account also has it gone. As you can see, this is a
> huge issue as I don't want to lock myself out of doing things to the
> computer.
>
> Due to the insecure nature of this system, we do NOT want it on our domain
> (or even on our network for that matter). So, does anyone have a
solution?
> PolEdit from the OfficeXP resource kit would work, but it won't let me add
> the system settings that I want...
>
> Any help will be GREATLY appreciated.
>
> Thanks for any assistance you guys can give...
>
>

Ok, here's a kicker. maybe i'm being a bone head about this, but just how
the heck do you change the NTFS permissions under xp? I do the normal right
click and select properties and I get nothing about allowing/denying access
to any folder. I'm sure I'm just missing something and with these sinus
meds am not thinking right...

Any clue?
"Roger Abell" > wrote in message
...
> Daniel,
>
> The Deny method if my favorite when it is a specific
> account or group like Administrators that need exemption.
> The method MS seems to favor, see the link Doug has
> posted, is generalizable, allowing different settings for
> different accounts, whether or not admins, but it has the
> flaw that you basically start over when you need to make
> a change to the desired policies.
> Poledit, in a non-domain setting does work. You will
> need to import/modify to get the settings you want.
> You should, for your planned usage, look into using
> Software Restriction Policies. These will greatly help
> in defining a kiosk environment - as it is easy to overlook
> some of the way people can escape the planned applications
> and get to a cmd prompt.
>
> --
> Roger Abell
> Microsoft MVP (Windows, Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Daniel Kerr" > wrote in message
> ...
> > Ok, here's the deal.
> >
> > I am about to deploy a PC to a public area. The ONLY thing I want
people
> to
> > be able to do is open IE, and of course lock it to say 3 of our
websites.
> > In Win98 or even NT this would not be very hard at all. I would simply
> open
> > PolEdit, make an account for either the group or username, and then
apply
> > the restrictions. This way, when the user logs in, they lose all access
> to
> > everything in the computer (control panel, etc), yet I can get in under
> the
> > admin account that doesn't have this policy applied and make changes.
> >
> > So far I have been beating my head in trying to get a solution to this
> > problem. It seems XP Pro wants to use the group policy. That's
wonderful
> > as it has all the settings I want to change, but only one catch. These
all
> > seem to be machine settings. IE, I remove the shutdown button from the
> > start menu, my admin account also has it gone. As you can see, this is
a
> > huge issue as I don't want to lock myself out of doing things to the
> > computer.
> >
> > Due to the insecure nature of this system, we do NOT want it on our
domain
> > (or even on our network for that matter). So, does anyone have a
> solution?
> > PolEdit from the OfficeXP resource kit would work, but it won't let me
add
> > the system settings that I want...
> >
> > Any help will be GREATLY appreciated.
> >
> > Thanks for any assistance you guys can give...
> >
> >
>
>

DOH.. Nevermind... Quick search told me how to do this.

If anyone else needs to know, simply open explorer, select tools, folder
options. Click on the "view" tab, then scroll all the way down to the
bottom and turn off simple file sharing.
"Daniel Kerr" > wrote in message
...
> Ok, here's a kicker. maybe i'm being a bone head about this, but just how
> the heck do you change the NTFS permissions under xp? I do the normal
right
> click and select properties and I get nothing about allowing/denying
access
> to any folder. I'm sure I'm just missing something and with these sinus
> meds am not thinking right...
>
> Any clue?
> "Roger Abell" > wrote in message
> ...
> > Daniel,
> >
> > The Deny method if my favorite when it is a specific
> > account or group like Administrators that need exemption.
> > The method MS seems to favor, see the link Doug has
> > posted, is generalizable, allowing different settings for
> > different accounts, whether or not admins, but it has the
> > flaw that you basically start over when you need to make
> > a change to the desired policies.
> > Poledit, in a non-domain setting does work. You will
> > need to import/modify to get the settings you want.
> > You should, for your planned usage, look into using
> > Software Restriction Policies. These will greatly help
> > in defining a kiosk environment - as it is easy to overlook
> > some of the way people can escape the planned applications
> > and get to a cmd prompt.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows, Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Daniel Kerr" > wrote in message
> > ...
> > > Ok, here's the deal.
> > >
> > > I am about to deploy a PC to a public area. The ONLY thing I want
> people
> > to
> > > be able to do is open IE, and of course lock it to say 3 of our
> websites.
> > > In Win98 or even NT this would not be very hard at all. I would
simply
> > open
> > > PolEdit, make an account for either the group or username, and then
> apply
> > > the restrictions. This way, when the user logs in, they lose all
access
> > to
> > > everything in the computer (control panel, etc), yet I can get in
under
> > the
> > > admin account that doesn't have this policy applied and make changes.
> > >
> > > So far I have been beating my head in trying to get a solution to this
> > > problem. It seems XP Pro wants to use the group policy. That's
> wonderful
> > > as it has all the settings I want to change, but only one catch. These
> all
> > > seem to be machine settings. IE, I remove the shutdown button from
the
> > > start menu, my admin account also has it gone. As you can see, this
is
> a
> > > huge issue as I don't want to lock myself out of doing things to the
> > > computer.
> > >
> > > Due to the insecure nature of this system, we do NOT want it on our
> domain
> > > (or even on our network for that matter). So, does anyone have a
> > solution?
> > > PolEdit from the OfficeXP resource kit would work, but it won't let me
> add
> > > the system settings that I want...
> > >
> > > Any help will be GREATLY appreciated.
> > >
> > > Thanks for any assistance you guys can give...
> > >
> > >
> >
> >
>
>

Or, if you do want to leave simple sharing enabled you
can use an F8 safe mode boot or the cacls commandline
utility.

--
Roger Abell
Microsoft MVP (Windows, Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Daniel Kerr" > wrote in message
...
> DOH.. Nevermind... Quick search told me how to do this.
>
> If anyone else needs to know, simply open explorer, select tools, folder
> options. Click on the "view" tab, then scroll all the way down to the
> bottom and turn off simple file sharing.
> "Daniel Kerr" > wrote in message
> ...
> > Ok, here's a kicker. maybe i'm being a bone head about this, but just
how
> > the heck do you change the NTFS permissions under xp? I do the normal
> right
> > click and select properties and I get nothing about allowing/denying
> access
> > to any folder. I'm sure I'm just missing something and with these sinus
> > meds am not thinking right...
> >
> > Any clue?
> > "Roger Abell" > wrote in message
> > ...
> > > Daniel,
> > >
> > > The Deny method if my favorite when it is a specific
> > > account or group like Administrators that need exemption.
> > > The method MS seems to favor, see the link Doug has
> > > posted, is generalizable, allowing different settings for
> > > different accounts, whether or not admins, but it has the
> > > flaw that you basically start over when you need to make
> > > a change to the desired policies.
> > > Poledit, in a non-domain setting does work. You will
> > > need to import/modify to get the settings you want.
> > > You should, for your planned usage, look into using
> > > Software Restriction Policies. These will greatly help
> > > in defining a kiosk environment - as it is easy to overlook
> > > some of the way people can escape the planned applications
> > > and get to a cmd prompt.
> > >
> > > --
> > > Roger Abell
> > > Microsoft MVP (Windows, Security)
> > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > "Daniel Kerr" > wrote in message
> > > ...
> > > > Ok, here's the deal.
> > > >
> > > > I am about to deploy a PC to a public area. The ONLY thing I want
> > people
> > > to
> > > > be able to do is open IE, and of course lock it to say 3 of our
> > websites.
> > > > In Win98 or even NT this would not be very hard at all. I would
> simply
> > > open
> > > > PolEdit, make an account for either the group or username, and then
> > apply
> > > > the restrictions. This way, when the user logs in, they lose all
> access
> > > to
> > > > everything in the computer (control panel, etc), yet I can get in
> under
> > > the
> > > > admin account that doesn't have this policy applied and make
changes.
> > > >
> > > > So far I have been beating my head in trying to get a solution to
this
> > > > problem. It seems XP Pro wants to use the group policy. That's
> > wonderful
> > > > as it has all the settings I want to change, but only one catch.
These
> > all
> > > > seem to be machine settings. IE, I remove the shutdown button from
> the
> > > > start menu, my admin account also has it gone. As you can see, this
> is
> > a
> > > > huge issue as I don't want to lock myself out of doing things to the
> > > > computer.
> > > >
> > > > Due to the insecure nature of this system, we do NOT want it on our
> > domain
> > > > (or even on our network for that matter). So, does anyone have a
> > > solution?
> > > > PolEdit from the OfficeXP resource kit would work, but it won't let
me
> > add
> > > > the system settings that I want...
> > > >
> > > > Any help will be GREATLY appreciated.
> > > >
> > > > Thanks for any assistance you guys can give...
> > > >
> > > >
> > >
> > >
> >
> >
>
>