Solved

Group Policy - Lock a user down so all he can do is see our Intranet page

Posted on 2004-03-22
8
10,136 Views
Last Modified: 2013-12-04
Hi,

I have a couple users at my company that I need to lock down so they can only see our Intranet.  I have looked into the Kiosk mode for IE, but it would allow the user to still browse other pages other than our Intranet page.  Additionally, it would not be intuitive to the user how to log off or shut down since the start menu is hidden.

Thanks.
0
Comment
Question by:swabeui
8 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 10653499
Why use a policy? Just put in a firewall that blocks all TCP port 80 (web) traffic from that particular PC to the outside of your network.
0
 

Author Comment

by:swabeui
ID: 10654161
I thought about this (in fact I have implemented similar policies already), but the computers in question are shared and other users do not have to share the same restrictions.  I would also have to make the IPs static or at least assigned in DHCP which I would rather not do if I don't have to right now.
0
 
LVL 12

Accepted Solution

by:
trywaredk earned 250 total points
ID: 10655685
I remembered that I had something about this in my knowledge base, but not that I had so much.
Take what you need, from registry and/or USER group policies ....

HOW TO: Restrict Users from Running Specific Windows Programs in Windows 2000
http://support.microsoft.com/?kbid=323525

Description of the Software Restriction Policies in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;310791

Remember to Enforce a Remote Access Security Policy in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q313082&sd=tech

HOW TO: Apply Local Policies to all Users Except Administrators on Windows 2000 in a Workgroup Setting
http://support.microsoft.com/default.aspx?scid=kb;EN-US;293655

Local Policies to all Users except Administrators (only workgroup)
http://support.microsoft.com/default.aspx?scid=kb;en-us;293655

Refresh policy from windows 2003 server:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/Refrgp.asp

How do I use Group Policy to implement Internet Explorer Advanced Settings?
http://www.jsiinc.com/subm/tip6400/rh6403.htm

Internet Explorer Group Policy security settings need some extra help?
http://www.jsiinc.com/subj/tip4800/rh4816.htm

One can restrict the programs that a user can run
http://is-it-true.org/nt/registry/rtips113.shtml
 
 Accepted Answer from trywaredk  Date: 06/15/2003 10:56AM CEST  
Internet Explorer Control Panel Restrictions (Part 1)
http://www.winguides.com/registry/display.php/537/

Internet Explorer Control Panel Restrictions (Part 2)
http://www.winguides.com/registry/display.php/797/

Disable Network Messenger Service (Windows NT/2000/XP)
http://www.winguides.com/registry/display.php/1228/

Disable MSN Instant Messenger
http://www.winguides.com/registry/display.php/981/

Disable Run Commands Specified in the Registry - This restriction is used to disable the ability to run startup programs specified in the registry when Windows launches.
http://www.winguides.com/registry/display.php/876/

Disable Registry Editing Tools
http://www.winguides.com/registry/display.php/190/

Disable Command Prompt and Batch Files
http://www.winguides.com/registry/display.php/1143/

Disable the Windows Key (Windows NT/2000/XP) Popular
This tweak disables the Windows key that is found between the Ctrl and Alt keys on a Windows enhanced keyboard.
http://www.winguides.com/registry/display.php/903/

Disable the Windows Hotkeys (All Windows)
This restriction allows you to disable the use of the Windows hotkey combinations that provide shortcuts to the Start Menu and task swapping.
http://www.winguides.com/registry/display.php/549/

Secure Access to Floppy Drives (Windows NT/2000/XP)
This setting determines whether data in the floppy disk drive is accessible to other users.
http://www.winguides.com/registry/display.php/204/

Disable Ability to Skip Startup Programs (Windows NT/2000/XP)
Normally if you hold the Shift key while Windows is loading you can prevent the Startup applications from being launched. This setting disables the ability to by-pass these programs.
http://www.winguides.com/registry/display.php/1056/

Disable CD Burning (Windows XP)
This restriction is used to disable the use of the inbuilt CD recording functions of Windows.
http://www.winguides.com/registry/display.php/979/

Disable File Download in Internet Explorer
http://www.winguides.com/registry/display.php/901/

Disable Internet Access
http://www.winguides.com/registry/display.php/1288/

Disable Control Panel
http://www.winguides.com/registry/display.php/543/

Windows Netmeeting Policies and Restrictions (All Windows)
These restrictions and policies can be used to disable or restrict access to certain features of Windows Netmeeting.
http://www.winguides.com/registry/display.php/636/

MSN Instant Messenger Restrictions (All Windows)
These restrictions are used to disable various features of the Microsoft MSN Instant Messenger client.
http://www.winguides.com/registry/display.php/982/

Automatic Hidden Shares (Windows NT/2000/XP)
When networking has been installed on a Windows machine, it will automatically create hidden shares to the local disk drives. It is possible to disable the sharing at run-time, but this tweak will stop the automatic sharing altogether.
http://www.winguides.com/registry/display.php/4/

Manage the Encrypting File System (Windows 2000/XP)
When you use Encrypting File System (EFS), you can store data securely because selected NTFS file system files and folders can be encrypted. This setting allows you to enable or disable EFS.
http://www.winguides.com/registry/display.php/1152/

Add or Remove Programs Restrictions (Windows 2000/XP)
These restrictions apply to the Add/Remove Programs feature of Control Panel. They allow you to entirely or individually disable components.
http://www.winguides.com/registry/display.php/1041/

Control the CD-ROM Autorun Function (Windows NT/2000/XP) Popular
Normally when you insert a disc into your CD-ROM drive, the contents are automatically launched. This tweak allows you to disable this behavior.
http://www.winguides.com/registry/display.php/6/

Restrict Access to the Windows Update Feature (All Windows)
The Windows Update feature allows users to easily update Windows components and software over the Internet. These settings can be used to grant or restrict access to this function.
http://www.winguides.com/registry/display.php/441/

Restrict Task Creation and Deletion (Windows 2000/Me/XP)
These settings allow you to restrict the creation and deletion of items in Task Scheduler.
http://www.winguides.com/registry/display.php/1078/

Prevent Access to the Contents of Selected Drives (Windows 2000/Me/XP)
This restriction prevents users from using My Computer or Explorer to access the content of selected drives. Also, they cannot use Run, Map Network Drive, or the Dir command to view the directories on these drives.
http://www.winguides.com/registry/display.php/1157/

Network Connection Restrictions (Windows 2000/XP)
These restrictions control access to the features and properties of LAN, RAS and other network connections.
http://www.winguides.com/registry/display.php/1047/

Enable Remote Assistance (Windows XP) -  :o) Don't use this setting!!!
The Remote Assistance feature is a convenient way for an administrator to remotely connect to a computer and with permission view the screen, move the mouse, use the keyboard and chat online.
http://www.winguides.com/registry/display.php/1213/

Check for Internet Explorer Updates (All Windows)
Internet Explorer 5 and higher has the ability to automatically check for software updates. This tweak controls that feature.
http://www.winguides.com/registry/display.php/784/

Configure Remote Access Client Account Lockout (Windows 2000/XP) New
You can use the remote access account lockout feature to specify how many times a remote access authentication has to fail against a valid user account before the user is denied access. Use this tweak to set the number of failed logins before the account is locked-out and the time before the lockout is reset.
http://www.winguides.com/registry/display.php/1270/

Hide the Last User Name (All Windows) Popular
This setting can be used to blank the username box on the logon screen. This will prevent people that are logging on from knowing the last user to access the system.
http://www.winguides.com/registry/display.php/1/

Manage Floppy Access from Recovery Console (Windows 2000/XP) New
If this setting is enabled, a user has full access to all drives on the system and can copy files from the hard drive to the floppy disk when using the Recovery Console.
http://www.winguides.com/registry/display.php/1290/
 
Using Group Policy Objects to Hide Specified Drives in My Computer for Windows 2000
http://support.microsoft.com/?kbid=231289


----------------------- IF THE ABOVE SOLUTIONS DON'T WORK, THEN ------------------------------

HOWTO: Enabling Local Auditing Policies on Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;252412

HOW TO: Enable and Apply Security Auditing in Windows 2000 Server and Windows 2000 Professional:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549&sd=tech

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 4

Expert Comment

by:graemeboro
ID: 10662755
Another option is to install a third-party software product such as Cyber Patrol to limit Internet access or indeed block all www sites for that user account.
0
 

Author Comment

by:swabeui
ID: 10662801
I think I might have solved it.  I have set up Internet Explorer to use a Proxy server and to bypass the server on local addresses as well as "certain" websites.  I set the proxy server to point to the local machine so if they try to go anywhere except for the places I have listed as "bypass" sites, they get an error.

On top of all that, I of course locked down the controls so they can't undo this little trick.  The user was mighty surprised at the effectiveness of the policy when I applied it to their account today.

I am going to run some other tests to see if it is what I want, and if so I will award points, etc... at that time.

Thanks.
0
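The proxy-to-local-machine setup described in the post above can be audited per user with a script like the following. It is an added example, not part of the original thread: the bypass hostnames are hypothetical, and it assumes PowerShell is run in the restricted user's session and that the lockdown uses the standard Internet Settings values plus the IE "Proxy" and "ConnectionsTab" policy values.

```powershell
# Added example (not from the thread): audit the current user's proxy lockdown.
# The bypass entries are hypothetical; replace them with your own intranet hosts.
$ExpectedBypass = @('intranet.example.local', '<local>')

function Test-ProxyLockdown {
    param([string[]]$AllowedBypass = $ExpectedBypass)

    $findings = @()
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $pol  = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    $s = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    $p = Get-ItemProperty -Path $pol  -ErrorAction SilentlyContinue

    # 1. The proxy must be switched on, otherwise the browser connects directly.
    if ($null -eq $s -or $s.ProxyEnable -ne 1) {
        $findings += 'ProxyEnable is not 1'
    }
    # 2. It must point at the local machine (single "host:port" form assumed;
    #    per-protocol "http=...;https=..." strings are reported for manual review).
    if ("$($s.ProxyServer)" -notmatch '^(127\.0\.0\.1|localhost)(:\d+)?$') {
        $findings += "ProxyServer '$($s.ProxyServer)' is not a plain loopback address"
    }
    # 3. Every bypass entry is a hole in the block, so each must be expected.
    $actual = @("$($s.ProxyOverride)" -split ';' | Where-Object { $_ })
    foreach ($entry in $actual) {
        if ($AllowedBypass -notcontains $entry) {
            $findings += "Unexpected bypass entry: $entry"
        }
    }
    # 4. The user must not be able to undo it from Internet Options.
    foreach ($name in 'Proxy', 'ConnectionsTab') {
        if ($null -eq $p -or $p.$name -ne 1) {
            $findings += "Policy value '$name' is not 1"
        }
    }
    return ,$findings
}

$result = Test-ProxyLockdown
if ($result.Count -eq 0) { 'Lockdown settings are in place.' } else { $result }
```

These values only bind programs that honour the per-user Internet Settings proxy, so the check is worth pairing with the program restrictions linked in the accepted answer.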
 
LVL 12

Expert Comment

by:trywaredk
ID: 10662884
Use C:\Programs\Internet Explorer\iexplore.exe as a user-based custom shell

Implement a User Based Custom Shell (Windows 2000/XP)
http://www.winguides.com/registry/display.php/849/

Replacing the Microsoft Graphical Identification and Authentication DLL (MSGINA.DLL)
http://www.microsoft.com/windows2000/docs/msgina.doc
0
 
LVL 6

Expert Comment

by:DanniF
ID: 10676165
When I did my MCSE (which I did in a technical school) I implemented this on my final project by using a Shell as trywaredk already mentioned in the last post.

The page restriction I did with the help of ISA server 2000. My configuration logged the user out automatically if he closed Internet Explorer.

Hope this helps,

Daniel F.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10682599
:o) Glad I could help you - thank you for the points
0
