MartinM

If I wanted to set up a couple of PCs for people off the street to rent by the hour to browse the Internet via an ADSL link, what would I need to lock down?

I just want them to be able to use a browser (IE or Firefox) and not:
- change any browser settings
- access the hard drive/USB ports
- generally fiddle about doing what I wouldn't want them to do - change the desktop, use Notepad, browse the rest of the network etc etc

Anyone done this???

mike1210

you would need xp pro to tie them down properly

password the bios

password the local admin account

give user "user" rights over the machine

the main tool for this is gpedit.msc which can be accessed via the run command

there are a whole manner of restrictions which can be performed here, however the only problem with this, is unless you are on a domain it will apply to all the users unless you change the permissions on the folder in

C:\WINDOWS\system32\GroupPolicy

need to unhide files in folder options to see this

what i did the last time i did this (wireless for a student union) was remove all the permissions for the folder, then give the default user full control over the folder, edit the group policy as that user and after that, remove full control on the default user that logs in to the machine. make sure that the administrator does not have permissions to access the folder or the restrictions will apply to the admin as well. It may work by doing the policy as admin and afterwards change the ntfs permissions on the folder to deny read and allow write for the local admin account

i have done this two separate ways on 2 occasions and both worked but were a little cowboyish, they did work though. Another option could be create another security group (deny admins) which denys admins access to that folder and add that security group into the local admin account, allowing the local admin account to log in unrestricted. The groups can be found by right clicking on my computer and select manage then select local users and groups

If you have a good memory you could just make a few changes to the policy which apply to all accounts and when you get them back, take the policies back off again. Be careful not to over do it and lock out the machine to render it unuseable. The admin account would then be able to remove the policies.

suggested changes could be:

deny access to control panel
hide hard drives (you can specify which)
internet settings (prevent homepage and security changes etc)
network settings prevent chnages

giving basic user access does restrict a lot things by default so you may be happy with that and a few restrictions in the group policy

sorry my reply is a bit jumbled but hopefully you get the idea

stevencotton

Do all that, but also do a nightly reinstall from a ghosted, known fresh image or somesuch, it's the only way with publicly accessible computers.

SJ_Skyline

IE Kiosk Mode is what you want

MartinM

Almost - and I certainly didn't know about this....

But:
- you seem to need a start page that would be the launch point for all browsing (doing a Start|Run with "iexplore -k about:blank" gives an interesting, but unusable web browsing experience )
- Ctrl-N gives another IE window that's not in kiosk mode
- alt-F4 closes the (kiosk) IE and gives you the desktop

Maybe it's part of the solution..

Good ideas above chaps - keep 'em coming!

MartinM

Steve ... what be the mechanics to actually do this?

mike1210

i may be losing my marbles here, but is there a package around netrunna which restores the pc to the original state when restarted, im sure someone on here has mentioned this?????? if not just ignore my stupid post

ChrisB

The simple answer is to stop fannying around with Group Policy, Ghosting and other half-hearted solutions

Buy a Wyse WinTerm that has Internet Explorer built in to the unit on ROM.

The WinTerm 3150SE runs Windows CE and is circa £300. Hook up a normal TFT monitor and off you go. You don't need to have a Windows Terminal Server or Citrix server to use these just for web surfing.

The more expensive WinTerm 9150SE runnings Windows XP Embedded.

As everything is on ROM, people can't bugger about with them. Password the single set-up screen and that's it.

aceman_uk

MartinM


What you want is to implement ActiveDirectory and create new Global Policies and apply them to the OU (Organisational Units - or objects in layman terms). This will allow you to Restrict almost all of windows functionality except those that you require.

Its probably the most long-winded option here BUT im sure its the most resilient.

Apply policy and the user account level or at machine level:

User level - Policy applied to the UserAccount. So wherever account logged in, policy follows

Machine Level - Policy applied to the PC. Whoever logs on to the machine has policy applied. Can go further but dont wanna bore anyone. Plenty of info on the net.

Hope that helps.

Aceman

stevencotton

PartImage and root NFS. Needs some knowledge, but works really well.

David_Wallis

aceman.. your talking crap!

Why implement active directory to simply apply a local policy to the machine?

Running the MMC and adding the group policy snap in will let you do this on the local machine.

boomer

See net-runna for details, but it is probably overkill for just a couple of PCs.

mb

darlodge

LOL at Aceman's suggestion

Darren

suba

how about running linux? you can run it on a cdrom

SJ_Skyline

Martin,

I used to be IT manager for a chain of web cafes (40 cafes, 1000 PCs). Technology has come on somewhat since then, each cafe had a Ghost CD (Win98) which was used to re-image PCs. We operated a rotation system due to the time it took to re-ghost a PC so those PCs that were most screwed up were re-ghosted at the end of the day with the others being re-ghosted during the following day.

As we were re-ghost PCs on a regular basis, we didn't bother with lockdowns - only bios passwords. Any alterations to the PCs that customers made were wiped by the re-ghost.

In addition, you may want to consider control software that identifies how long people have been on your PCs - cafe management - you can thus charge rolling rates.


Hope this helps!

Rich

Foot_Tapper

sorry to hijack a bit...
SJ are internet cafe's good business these days ?
: thinking of doing something a bit different to IT support :

SJ_Skyline

I was made redundant at the start of 2002! The company I worked for is no longer in the internet cafe business so no love lost there!

The real money was made in hiring out the cafes as corporate training venues. At £1/hour there was never really any money to be made in general web access IMHO.

Now with more people with broadband, WiFi hotspots, et. al. I would say that the market is even more niche than it was 3-4 years ago.

Foot_Tapper

Had a funny feeling it would be something like that, cheers tho.

Branners

I had to lock down a PC for an antiques fair we run and I looked at

http://www.kioware.com/?source=google

but managed to find another application that seemed to be better but cant find the name at the moment.

JB