Hello,
I have browsed many threats regarding this issue. In most cases, the questions being asked are about (client-server) networked workstations. This is NOT my case. Here is my situation.
I run a public library which offers 4 Windows XP (SP3) Pro workstations which are connected to a Hub but do not validate to any server, they are independent from each other.
Since these -public- PCs are for research only, there is no need for a regular user to access Control Panel, C:/ , add or remove software , change desktop wallpaper, change clock, interface ...yada yada yada. So I created a USER account with a common password and a Admin account (not named Admin) with a hard-to-guess password.
Now here is what I want. I want the ADMIN account to have FULL rights over the machine and the USER account (called Reader), have VERY restricted access. Example: Only access IE, and some Office apps. NO access to local drives, no downloads and flush the accounts files, cache, shortcuts ... on Log-off.
I have seen this on some machines on cyber cafes and other libraries. Most of Cyber Cafes have Shareware software that "mounts" a non-closable interface with shortcuts. These kind of shareware are out of my budged. Installing a Domain Server is also out of the question.
I tried using "gpedit.msc" but this would affect the whole system, even the administrators account. Is there a way I can have these restrictions (and many others) without affecting a specific (Admin) account?. I only need two accounts per computer. USER account and ADMIN account. User limited - Admin full rights.
Any suggestions? any ideas I can use for keeping my library PCs clean? No porn or 20 different IM applications on each PC? I am tired of formatting 4 workstation each week. (please deepfreeze, that will keep the PCs clean after rebooting, but it will not keep the users from trying to hack the system or installing whatever they want for one session).
Best regards,
mkieczka