Locking down a PC for an Internet Cafe type environment
#1
If I wanted to set up a couple of PCs for people off the street to rent by the hour to browse the Internet via an ADSL link, what would I need to lock down?
I just want them to be able to use a browser (IE or Firefox) and not:
- change any browser settings
- access the hard drive/USB ports
- generally fiddle about doing what I wouldn't want them to do - change the desktop, use Notepad, browse the rest of the network etc etc
Anyone done this???
#2
Scooby Regular
Join Date: Apr 2004
Location: Cardiff
Posts: 1,928
you would need xp pro to tie them down properly
password the bios
password the local admin account
give user "user" rights over the machine
the main tool for this is gpedit.msc which can be accessed via the run command
there are a whole manner of restrictions which can be performed here, however the only problem with this, is unless you are on a domain it will apply to all the users unless you change the permissions on the folder in
C:\WINDOWS\system32\GroupPolicy
need to unhide files in folder options to see this
what i did the last time i did this (wireless for a student union) was remove all the permissions for the folder, then give the default user full control over the folder, edit the group policy as that user and after that, remove full control on the default user that logs in to the machine. make sure that the administrator does not have permissions to access the folder or the restrictions will apply to the admin as well. It may work by doing the policy as admin and afterwards change the ntfs permissions on the folder to deny read and allow write for the local admin account
i have done this two separate ways on 2 occasions and both worked but were a little cowboyish, they did work though. Another option could be create another security group (deny admins) which denies admins access to that folder and add that security group into the local admin account, allowing the local admin account to log in unrestricted. The groups can be found by right clicking on my computer and select manage then select local users and groups
If you have a good memory you could just make a few changes to the policy which apply to all accounts and when you get them back, take the policies back off again. Be careful not to overdo it and lock out the machine to render it unusable. The admin account would then be able to remove the policies.
suggested changes could be:
deny access to control panel
hide hard drives (you can specify which)
internet settings (prevent homepage and security changes etc)
network settings prevent changes
giving basic user access does restrict a lot of things by default so you may be happy with that and a few restrictions in the group policy
sorry my reply is a bit jumbled but hopefully you get the idea
Last edited by mike1210; 14 November 2005 at 01:32 PM.
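The restrictions suggested in the post above (Control Panel, hidden drives, Internet settings) can also be applied to one account only, without the folder-permission workaround, by writing the policy values directly into that account's registry hive. This is an added example, not code from the thread and a different technique from the one the poster describes; the account name `kiosk`, the XP profile path and the drive letters are assumptions.

```powershell
# Added example (not from the thread). Run from an elevated prompt while the
# kiosk account is logged off. Account name and drive letters are assumptions.
$KioskUser    = 'kiosk'     # hypothetical limited account
$HiddenDrives = 'C', 'D'    # drives to hide from that account
$HiveFile     = "C:\Documents and Settings\$KioskUser\NTUSER.DAT"  # XP profile path
$Mount        = 'KioskPolicy'                                      # temporary name under HKEY_USERS

function Get-DriveMask([string[]]$Letters) {
    # NoDrives and NoViewOnDrive are bitmasks: A=1, B=2, C=4, D=8 ... Z=2^25
    $mask = 0
    foreach ($letter in $Letters) {
        $bit = [int][char]($letter.ToUpper()) - [int][char]'A'
        if ($bit -lt 0 -or $bit -gt 25) { throw "Not a drive letter: $letter" }
        $mask = $mask -bor ([int][math]::Pow(2, $bit))
    }
    return $mask
}

$mask = Get-DriveMask $HiddenDrives    # validate before touching the hive

reg.exe load "HKU\$Mount" $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Cannot load $HiveFile (is $KioskUser still logged on?)" }
try {
    $root     = "Registry::HKEY_USERS\$Mount\Software"
    $explorer = "$root\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $ieCpl    = "$root\Policies\Microsoft\Internet Explorer\Control Panel"
    foreach ($key in $explorer, $ieCpl) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # deny access to Control Panel
    Set-ItemProperty -Path $explorer -Name NoControlPanel -Value 1 -Type DWord
    # hide the chosen drives and block opening them by typed path
    Set-ItemProperty -Path $explorer -Name NoDrives      -Value $mask -Type DWord
    Set-ItemProperty -Path $explorer -Name NoViewOnDrive -Value $mask -Type DWord
    # Internet Options: lock the home page, hide the Security tab
    Set-ItemProperty -Path $ieCpl -Name HomePage    -Value 1 -Type DWord
    Set-ItemProperty -Path $ieCpl -Name SecurityTab -Value 1 -Type DWord
}
finally {
    [gc]::Collect()                       # release provider handles so unload succeeds
    reg.exe unload "HKU\$Mount" | Out-Null
}
```

Because the values live in the kiosk account's own hive, the local administrator account is not affected and can remove them the same way.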
#4
#5
Originally Posted by SJ_Skyline
IE Kiosk Mode is what you want
But:
- you seem to need a start page that would be the launch point for all browsing (doing a Start|Run with "iexplore -k about:blank" gives an interesting, but unusable web browsing experience)
- Ctrl-N gives another IE window that's not in kiosk mode
- alt-F4 closes the (kiosk) IE and gives you the desktop
Maybe it's part of the solution..
Good ideas above chaps - keep 'em coming!
#6
Originally Posted by stevencotton
Do all that, but also do a nightly reinstall from a ghosted, known fresh image or somesuch, it's the only way with publicly accessible computers.
#7
Scooby Regular
Join Date: Apr 2004
Location: Cardiff
Posts: 1,928
i may be losing my marbles here, but is there a package around netrunna which restores the pc to the original state when restarted, I'm sure someone on here has mentioned this?????? if not just ignore my stupid post
#8
The simple answer is to stop fannying around with Group Policy, Ghosting and other half-hearted solutions
Buy a Wyse WinTerm that has Internet Explorer built in to the unit on ROM.
The WinTerm 3150SE runs Windows CE and is circa £300. Hook up a normal TFT monitor and off you go. You don't need to have a Windows Terminal Server or Citrix server to use these just for web surfing.
The more expensive WinTerm 9150SE runs Windows XP Embedded.
As everything is on ROM, people can't bugger about with them. Password the single set-up screen and that's it.
#9
MartinM
What you want is to implement ActiveDirectory and create new Global Policies and apply them to the OU (Organisational Units - or objects in layman terms). This will allow you to Restrict almost all of windows functionality except those that you require.
It's probably the most long-winded option here BUT I'm sure it's the most resilient.
Apply policy at the user account level or at machine level:
User level - Policy applied to the UserAccount. So wherever account logged in, policy follows
Machine Level - Policy applied to the PC. Whoever logs on to the machine has policy applied. Can go further but don't wanna bore anyone. Plenty of info on the net.
Hope that helps.
Aceman
#11
Scooby Regular
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239
aceman.. you're talking crap!
Why implement active directory to simply apply a local policy to the machine?
Running the MMC and adding the group policy snap in will let you do this on the local machine.
#12
Scooby Senior
Join Date: Feb 2000
Location: West Midlands
Posts: 5,763
Originally Posted by mike1210
i may be losing my marbles here, but is there a package around netrunna which restores the pc to the original state when restarted, I'm sure someone on here has mentioned this?????? if not just ignore my stupid post
mb
#15
Martin,
I used to be IT manager for a chain of web cafes (40 cafes, 1000 PCs). Technology has come on somewhat since then, each cafe had a Ghost CD (Win98) which was used to re-image PCs. We operated a rotation system due to the time it took to re-ghost a PC so those PCs that were most screwed up were re-ghosted at the end of the day with the others being re-ghosted during the following day.
As we were re-ghosting PCs on a regular basis, we didn't bother with lockdowns - only bios passwords. Any alterations to the PCs that customers made were wiped by the re-ghost.
In addition, you may want to consider control software that identifies how long people have been on your PCs - cafe management - you can thus charge rolling rates.
Hope this helps!
Rich
#17
I was made redundant at the start of 2002! The company I worked for is no longer in the internet cafe business so no love lost there!
The real money was made in hiring out the cafes as corporate training venues. At £1/hour there was never really any money to be made in general web access IMHO.
Now with more people with broadband, WiFi hotspots, et al. I would say that the market is even more niche than it was 3-4 years ago.
#19
I had to lock down a PC for an antiques fair we run and I looked at
http://www.kioware.com/?source=google
but managed to find another application that seemed to be better but can't find the name at the moment.
JB