So guys I am trying to make a locked down version of Windows XP. I want it to be so tight that unless you can figure out how to login as an admin, you can only open Internet Explorer or Firefox. No installation privelages, no storage... a dumby computer that only does one thing. Anyone have any ideas?
And for those of you who know me, thanks for all the knowledge you've helped me gain. I'm now working as the IT network tech for Princess Cruises at one of their Alaska lodges. It's a small starter job, only about 60-70 computers and some servers and a million little wireless access points to support, but hey all of the x64bit training has finally paid off.
0
Locked down version of XP
Started by
error51
, May 30 2007 08:14 AM
2 replies to this topic
#1
Posted 30 May 2007 - 08:14 AM
#2 Guest_scaramonga_*
Posted 30 May 2007 - 01:38 PM
1. Create two local users, an administrator (there by default, but you'll have to set the password and log in at least once) and the user you're going to have the IE desktop run under. I'll call that user "public" for the sake of brevity. Make public a Restricted User.
2. Read up on Local Group Policies:
Group Policy 1
Group Policy 2
Local Group Policy Objects allow you to lock down nearly every aspect of a Windows XP box. This includes the ability to remove access to the Task Manager, logging off, and various other ways of exiting the currently running application. All the settings are extensively documented within the Group Policy editor itself. There's an extensive section just on IE, which should help you.
3. Specific things you can set in the Policy Editor : Autologon as the public user (may require some additional registry tweaks and you can find that here:
Auto Logon
This will automatically log in public when the machine boots, and if anyone manages to log out somehow, the system will log them right back in again.
: Set iexplore.exe as the shell for public. Most of the ways to get out of an application are controlled by the Windows _shell_, explorer.exe, not the kernel or the application. Set IE as the shell for public and they won't get any of the application quitting options. Make sure you find and set the "auto restart shell" Policy Object -
that way if someone kills the shell or crashes IE it restarts the same way explorer does when you kill it in the Task Manager.
See : Setting KIOSK mode
: Disallow any executables running except for the ones you want. There's a Policy Object that allows black and whitelists for processes. This will prevent people from running things from the shell.
You could also disable the Ctrl, Alt, Windows and F10 keys. This means nobody - including you - can use these keys for anything, but if this is just for a kiosk that shouldn't be a problem.
Hope this helps.
2. Read up on Local Group Policies:
Group Policy 1
Group Policy 2
Local Group Policy Objects allow you to lock down nearly every aspect of a Windows XP box. This includes the ability to remove access to the Task Manager, logging off, and various other ways of exiting the currently running application. All the settings are extensively documented within the Group Policy editor itself. There's an extensive section just on IE, which should help you.
3. Specific things you can set in the Policy Editor : Autologon as the public user (may require some additional registry tweaks and you can find that here:
Auto Logon
This will automatically log in public when the machine boots, and if anyone manages to log out somehow, the system will log them right back in again.
: Set iexplore.exe as the shell for public. Most of the ways to get out of an application are controlled by the Windows _shell_, explorer.exe, not the kernel or the application. Set IE as the shell for public and they won't get any of the application quitting options. Make sure you find and set the "auto restart shell" Policy Object -
that way if someone kills the shell or crashes IE it restarts the same way explorer does when you kill it in the Task Manager.
See : Setting KIOSK mode
: Disallow any executables running except for the ones you want. There's a Policy Object that allows black and whitelists for processes. This will prevent people from running things from the shell.
You could also disable the Ctrl, Alt, Windows and F10 keys. This means nobody - including you - can use these keys for anything, but if this is just for a kiosk that shouldn't be a problem.
Hope this helps.
Edited by scaramonga, 30 May 2007 - 01:40 PM.
#3
Posted 30 May 2007 - 06:39 PM
Why not just put something like deep freeze on it?
5 user(s) are reading this topic
0 members, 5 guests, 0 anonymous users