Solved

Windows XP Local Computer Policy...

Posted on 2004-04-18
Last Modified: 2013-12-04
G'day everyone..

this is my problem. I have a machine, and i have a copy of windows XP. both only what i could afford... XP is a must (i'm poor)...

This machine is not a part of a network, it's stand alone...

I got 2 users on this machine, Administrator and Worker. Administrator must be able to administrate (full access), and the Worker user must have pretty much hardly any access to anything (no start menu, no desktop icons, no ctrl+alt+del AND MORE!!)...

This is my dilemma... usually i would assign a policy to a group or a specific user, but as far as i know in Windows XP, i can only assign a "Local Computer Policy" on the computer, so WHOEVER logs on gets the same security settings..

That is not cool! I would like to know how i can get Worker user to have security settings, but the administrator must have full security settings...

Can this be done through a batch file, can a security policy be assigned to a user, is there any software out there to do this for me (LAST RESORT PLEASE!!!!!!!!!!!!!!)

Cheers a million!
Question by:undyshelts
24 Comments
 
LVL 57

Accepted Solution

by:
Pete Long earned 125 total points
LOCAL policy does not apply to administrators :) (by default)

Writing a LOCAL computer Policy

NOTE: write the policy as the local administrator and leave the MMC on the administrator's desktop to avoid locking yourself down!

To open a local access policy window
Start > Run > type gpedit.msc

Basically there are two types of policy: computer policy and user policy

Good info on policies and applying them to remote PC’s
http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/dsec/dsec_pol_dbyy.asp

Common tasks can be performed in the following locations

Internet Explorer Settings

Lock the homepage
User Configuration > Windows Settings > Internet Explorer Maintenance >Important URL’s
Lock the Proxy server
User Configuration > Windows Settings > Internet Explorer Maintenance >Connection > Proxy Settings

Logon & Logoff Scripts

Logon
User Configuration > Windows Settings > Scripts > Logon
Logoff
User Configuration > Windows Settings > Scripts > Logoff

Password & Account Lockout Policies

Computer Configuration > Security Settings > Password Policy >
Computer Configuration > Security Settings > Account Lockout Policy >

Auditing Policies

Computer Configuration > Local Policies > Audit Policy

*****User rights assignment*****

Computer Configuration > Local Policies > User rights assignment

Change The Time
Windows Settings > Security Settings > Local Policies > User Rights Assignment > Change the system time


COMMON POLICIES AND WHERE TO FIND THEM

Don’t display last logon Name
Computer Configuration > Local Policies > Security Options > Do not display last user name in login screen (enable)
Stop users installing unsigned Drivers
Computer Configuration > Local Policies > Security Options > Unsigned Driver installation behaviour

REMEMBER save the MMC console on the Administrators Desktop!

HOW TO: Apply Local Policies to all Users Except Administrators on Windows 2000 in a Workgroup Setting
http://support.microsoft.com/?kbid=293655

0
 
LVL 44

Expert Comment

by:CrazyOne
Well...

QUOTE

Sentinel is an interesting security utility you can use to apply very specific restrictions to files on your PC. It runs from the system tray, enforcing restrictions you've imposed on selected files and folders. The specific security options are available from a new tab the program adds to the Properties dialog box you can access by right-clicking any file or folder in Explorer. You can log and/or deny access to any unauthorized user that attempts to open, read, and/or write to files, and you can deny access to the contents of selected folders. An available control panel allows you to toggle this functionality on and off, and turn it off for a specific period of time. Other features include stealth mode and logging support. Sentinel is a snap to use, and provides the power and versatility you need to protect your sensitive data files.
 
UNQUOTE
http://www.zdnet.com/downloads/stories/info/0,10615,49671,00.html

Windows Security Toolkit
QUOTE

Restrict Access to Passwords Settings, Restrict Access to Network Settings, Restrict Access to Display Settings, Restrict Access to Device Manager, Restrict Access to Hardware Profiles, Restrict Access to Virtual Memory Setting, Restrict Access to File System Setting, Restrict Access to Printer Setting, Restrict User from adding Printer, Restrict User from deleting Printer, Hide Printers General and Details Pages, Hide System Settings Control Panel, Restrict Access to Modem Settings, Restrict Access to Regional Settings, Restrict Access to Internet Settings, Restrict Access to Multimedia Settings, Restrict Access to Add/Remove Programs, Restrict Access to Power Management, Hide All items on the desktop, Remove Favorites Folder from the Start Menu, Remove Documents Folder from the Start Menu, Hide the task bar settings from the Start Menu, Remove Find Command from the Start Menu, Restrict changes to enabled Active Desktop, Disable use of Active Desktop Feature, Clear the recent Documents when Windows Exits, Disable Modification of Start Menu, Remove the Run Command from the Start Menu, Remove the Folders from the Start Menu, Remove the Help Option from the Start Menu, Disable File Sharing over the network, Disable Printer Sharing over the network, Hide Shared Passwords With Asterisk, Disable Save Password Option in DUN-NT, Don't display Username on logging in NT, Disable Caching of NT Domain Password, Hide Workgroup Content from Network Neighborhood, Remove Entire Network from Network Neighborhood, Fix DHCP Security Bug in Windows 9x/NT/2000 to stop hackers from accessing your system, Hacker Guard - Disables Hackers from using a modem to access the Internal Network, Disable MS-DOS mode in windows, Disable use of real mode Dos Applications, Reset the Content Advisor and Ratings Password, Disable Internet Explorer Content and Ratings Advisor, Restrict User from changing Internet Explorer Advanced Settings, Restrict User from Accessing your personal profiles in Internet Explorer, Restrict User from Accessing Information from your Internet Explorer Wallet, Disable ability to run registry editing tools, Disable Windows Password caching ability, Restrict access to event logs in Windows NT and 2000, Disable use of Windows Hot Keys.

UNQUOTE
http://sensor.hypermart.net/winsecure.htm

SecureSuite
QUOTE
 
One software package supports the whole range of authentication methods, for your local machine or your domain. SecureSuite™ is an integrated software package that provides a suite of security applications for Microsoft Windows 98, Me, NT 4.0 and 2000. These applications include logon, file and folder encryption, a password bank utility, application execution control, and Entrust PKI support.

This suite of applications offers added security for users of Microsoft Windows 98, Me, NT 4.0 and 2000.

SecureLogon™ enhances the normal logon procedure for Windows, enabling users to log on securely and easily using one of the many authentication devices supported by SecureSuite.
SecureSession™ stores user name, password and other personal information for any Windows-based application or Web-based form, and releases it upon authenticating the user.
SecureFolder™ allows you to easily protect your files, folders and Web page bookmarks with strong encryption. The locking/unlocking of folders and encryption/decryption of files is activated by a SecureSuite-compatible authentication device.
SecureApp™ prevents unauthorized users from running Windows applications. Great for accounting software and databases that contain sensitive or confidential information.
SecureEntrust™ provides Entrust Technologies' Public-Key Infrastructure (PKI) support.
General Features
 
Five security programs in one suite: SecureLogon, SecureFolder, SecureSession, SecureApp and SecureEntrust
Compatible with Windows 98, ME, NT 4.0 and 2000 (see Detailed Features)
Increases the security and convenience of using a PC
Multiple authentication methods, including a combination of different methods
Support for workstation only and client/server systems
System and network can be administered from the server and/or client
"On-the-fly" folder and file encryption with "drag-and-drop" convenience
Interactive logon guides users with animation or video clips tailored to their profile
"Last User" support: the last user logged on to a computer need only place his/her finger on the scanner to log on again without hitting any keys
Locked screen saver can be activated at any time via the "Pause" key (where supported)
Maintains the "look and feel" of standard Microsoft Windows interface
Easy to use wizard-based installation, setup and enrollment
Customizable features including animation, logos, graphics, audio and visual feedback
Multi-language support
Biometric API (BAPI) standard compliant
 
UNQUOTE
http://www.iosoftware.com/products/consumer/

iProtect Offers Serious PC Protection
QUOTE

Upgraded software locks, encrypts, hides, and even shreds your files. But don't forget your password.

To paraphrase an old saying, just because you're paranoid doesn't mean someone's not after you. Or your files.

Whether you are paranoid or just being cautious, a company called International Software Solutions wants to help. It offers a product called iProtect, a Windows-based software utility that can, with a couple of clicks, lock, encrypt, hide or shred files right on your desktop computer. iProtect keeps them confidential and prevents accidental deletion. "It's a good little tool for the end user," says Diana Kelley, senior security analyst at the Hurwitz Group.

UNQUOTE
http://www.rapidcontent.com/netscape/chn/990901.x.0.pcworld.p.a.serious.html

Steganos 3 Security Suite
QUOTE

02-23-2001 - The Steganos 3 Security Suite is a complete, easy to use security package. Steganos encrypts and conceals your data. The Steganos Safe is your secure hard drive, which disappears at the click of a button. Includes: Internet Trace Destructor, file shredder, e-mail encryption, password manager, and computer locking

UNQUOTE
http://www.steganos.com/en/

Winlock is now freeware
QUOTE
 
Major features of WinLock:
Lock Windows at system boot
Lock Windows at suspend
Lock, Suspend or Shutdown easily with one click
Powerful schedule Shutdown/Restart/Suspend system
Autosave applications on Shutdown time
Autorun saved applications when system start
Autorun any applications when system start
Advanced power management
Windows List with Show/Minimize/Maximize/Hide functions
Process list with Icon/ID/Type/Priority/Kill functions
Powerful administration tools

UNQUOTE
http://winlock.virtualave.net/

Panda Secure
QUOTE

ARMORED PROTECTION for desktop and laptop computers. If you share your computer with other users, if your children waste time playing computer games, if you store confidential data on your laptop... then you need Panda Security.

Panda Security is Panda Software's NEW Security program. With this software you will turn your computer into an armor-plated vault, preventing unauthorized operations and even data loss and theft (with hard disk encryption).

All the conceivable security threats that desktop and laptop computers may be subject to can be controlled through Panda Security. Benefit from a reliable, intruder-proof system thanks to its access control, login/logout, user ID and audit report features, which guarantee you total privacy at all times.

Panda Security allows you to:

 Restrict the use of your computers to specific users and time frames.
 Prevent the installation of inappropriate software (games, illegal applications, etc.).
 Block access to established configuration settings (Autoexec, Config, etc.).
 Protect specific files to prevent unauthorized operations (deletion, renaming, saving to a floppy disk, printing, etc.).
 Encrypt your e-mail messages and hard disk data.
 Control Internet and e-mail use.
 Keep track of exactly what is done on your computers.

UNQUOTE
http://www.softwareshelf.com/products/pandasecure.asp

Icon Lock-iT 2000
QUOTE

Icon Lock-iT 2000 gives you the flexibility to lock an individual file or the entire contents of a folder. The process is very similar with both functions. When locking the contents of a folder, you simply right click on the folder name rather than an individual file name and select "Lock Files".

As this screen shot indicates, multiple files are listed rather than one. As an added convenience, you can review the files to be locked at this time and selectively uncheck any files that you do not wish to lock.

UNQUOTE
http://www.iconlockit.com/lockfolders.htm

SecureUp
QUOTE

"SecureUp is the ultimate security system for your desktop, laptop and network computers. With this software you will turn your computer into a secured lock, preventing unauthorized operations and data loss. All the conceivable security threats that desktop, laptop and network computers may be subject to can be controlled through SecureUp. Benefit from a reliable, intruder-proof system and install it today. SecureUp™ allows you to restrict the use of your computers, block access to established configuration settings such as Autoexec.bat, etc, lock all files to prevent unauthorized operations deletion, renaming, saving to a floppy disk, printing etc"

UNQUOTE
http://www.zdnet.com/downloads/stories/info/0,10615,77194,00.html

QUOTE

With Power Administrator, you can have absolute control over your computer's functions and restrictions. From blocking the access to certain folders or disabling programs of your choice, Power Administrator gives you the most out of your PC & network with incredible convenience. Whether you are a home user, business user, or network administrator, Power Administrator is designed around your needs, enabling you to perform a vast number of administrative changes with the click of a button.

UNQUOTE
http://www.web-monitoring-computer-spy-software.com/poweradministrator.html

QUOTE

The BestCrypt software products keep your private data in the encrypted form on the disk and provide you with the transparent access to it from any application program. Keep your letters, databases, private information in the encrypted form on a hard disk, removable medias, magneto-optical devices, CD ROMs, floppies and network disks - all within a standard operating system environment.

UNQUOTE
http://www.jetico.com/

Other considerations
http://www.fspro.net/hf/
http://www.scramdisk.clara.net/
http://www.e4m.net/
http://www.fortunecity.com/skyscraper/true/882/SecureTrayUtil.htm
0
 
LVL 7

Expert Comment

by:IceRaven
Hi undyshelts,

Does this help?

http://www.lpt.com/windowsnetworking/regusers/wxppspol.htm

Cheers,
IceRaven
0
 
LVL 44

Expert Comment

by:CrazyOne
In other words XP does have some nice security features overall, but like Win2000 the best security and policy settings are done from a server OS like Win2000 or Win2003 servers. Otherwise you need a little help.
0
 
LVL 1

Author Comment

by:undyshelts
so far no answers have helped me unfortunately... i want to be able to disable the following in the Worker user ONLY

Disable start menu
Disable ctrl + alt + del
Hide all desktop icons
Remove A: and D:

Is this possible with Windows XP, if so can someone please give me some steps.. i'm sitting here now ready to test them out!
0
 
LVL 44

Expert Comment

by:CrazyOne
>>>so far no answers have helped me unfortunately...

How can you say that? Did you check out what was posted?
0
 
LVL 1

Author Comment

by:undyshelts
PeteLong... i changed a setting each in Computer Configuration and User Configuration in gpedit.msc.. it applied it to the administrator! is there a step i need to do?
0
 
LVL 57

Expert Comment

by:Pete Long
so you want to remove the start menu, and all the desktop icons, and the drives, what do you want the user to do look at their wallpaper?
0
 
LVL 1

Author Comment

by:undyshelts
Yes i did check out what you posted... i don't even want to think about an application to do it for me, i'd like to stick with the tools included with Windows XP for the moment, UNLESS the tool is free, but STILL i want to do this with Windows XP somehow... i looked at the URLs you posted me, but that doesn't show me how to:

Disable start menu
Disable ctrl + alt + del
Hide all desktop icons
Remove A: and D:

0
 
LVL 44

Expert Comment

by:CrazyOne
Seems like what you are looking for is a KIOSK type environment, is this correct?
0
 
LVL 1

Author Comment

by:undyshelts
HAHA... that's it mate! well an application will start when the user logs in, and this application will be the only thing they use.
0
 
LVL 1

Author Comment

by:undyshelts
hmm... i'm not too sure what you mean by KIOSK environment... but all i gotta do is..

Disable start menu
Disable ctrl + alt + del
Hide all desktop icons
Disable access to A: and D:

ONLY FOR THE WORKER USER THOUGH!!! the administrator must have a start menu, desktop etc...

with the tools included with windows (if possible)...

0
 
LVL 1

Author Comment

by:undyshelts
what version of windows 2000 do i need to be able to do the above? (remember i'm a poor man!), and how much will it cost (AUD if possible)...
0
 
LVL 7

Assisted Solution

by:IceRaven
IceRaven earned 125 total points
As I understand it everything PeteLong said should work. Local Policy that only applies to users, so maybe a question is, why is it applying to the Administrator Account? What I originally suggested only accesses the security policies which are a subset of the total policies that are accessed by gpedit.msc.

PS what does MSC stand for, MicroSoft Console? or something?

Is the problem something to do with the administrator also being a member of the user group?

Cheers,
Ice Raven.


0
 
LVL 1

Author Comment

by:undyshelts
hey IceRaven...

i thought you were on to something there.. "Is the problem something to do with the administrator also being a member of the user group"... NICE THINKING.. but unfortunately not nice enough..

The administrator is ONLY a part of the administrators group.. and it still applies settings to the administrator...

0
 
LVL 44

Expert Comment

by:CrazyOne
>>>what version of windows 2000 do i need to be able to do the above?

The Server version and they aren't cheap. Not sure if they will do what you are looking for. My understanding of what you want is not completely available in XP.
0
 
LVL 1

Author Comment

by:undyshelts
can i make a logon script or a batch file to do the job?

is there any FREE software out there to do the job?
0
 
LVL 44

Expert Comment

by:CrazyOne
>>>can i make a logon script or a batch file to do the job?

I suspect it can be done but disabling ctrl + alt + del can be a difficult thing to do. Why do you need these things? Don't look at XP or free solutions to do all of what you ask.
0
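
The per-user restrictions asked for in this thread correspond to registry policy values, which is what a logon script or batch file would end up setting. The Python below is an added example, not code from any poster in this thread: it builds a .reg file for the Worker account that hides the desktop icons, hides and blocks the A: and D: drives, and removes Task Manager. It assumes an administrator imports the file into the Worker user's own registry hive, and it does not cover the Start menu or the Ctrl+Alt+Del key sequence itself.

```python
"""Added example: render per-user policy values for the Worker account as a .reg file."""
import string

# Per-user policy keys (relative to the user's hive).
EXPLORER_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"


def drive_mask(letters):
    """Bitmask used by NoDrives/NoViewOnDrive: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:."""
    mask = 0
    for letter in letters:
        letter = letter.strip().rstrip(":").upper()
        if len(letter) != 1 or letter not in string.ascii_uppercase:
            raise ValueError(f"not a drive letter: {letter!r}")
        mask |= 1 << (ord(letter) - ord("A"))
    return mask


def drives_in_mask(mask):
    """Decode a mask back to letters, e.g. to audit a value already in the registry."""
    if not 0 <= mask < 1 << 26:
        raise ValueError("mask must fit in 26 bits")
    return [chr(ord("A") + bit) for bit in range(26) if (mask >> bit) & 1]


def worker_policy(hidden_drives):
    """Policy values for the restricted account; the drive list is the caller's choice."""
    mask = drive_mask(hidden_drives)
    return {
        EXPLORER_KEY: {
            "NoDesktop": 1,         # hide all desktop icons
            "NoDrives": mask,       # hide the drives in My Computer / Explorer
            "NoViewOnDrive": mask,  # also block opening them by typed path
        },
        SYSTEM_KEY: {"DisableTaskMgr": 1},  # Task Manager unavailable to this user
    }


def render_reg(policy, hive_root="HKEY_CURRENT_USER"):
    """Return .reg text; hive_root is an assumption about where the user's hive is mounted."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in policy.items():
        lines.append(f"[{hive_root}\\{key}]")
        for name, value in values.items():
            lines.append(f'"{name}"=dword:{value:08x}')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # A: and D: are the drives named in the question.
    print(render_reg(worker_policy(["A:", "D:"])))
```

Because the values live in the Worker user's hive only, the Administrator account keeps its normal desktop; `drives_in_mask` can be used to check what an existing NoDrives value actually hides before changing it.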
 
LVL 7

Expert Comment

by:IceRaven
undyshelts,
It's 1am here man and it's work tomorrow what are you still doing up!

Ahh found it...

http://support.microsoft.com/default.aspx?scid=kb;EN-US;293655

Cheers,
Ice Raven.
0
 
LVL 7

Expert Comment

by:IceRaven
So it looks like it applies to all users by default and you have to do that funky trick at the end to make it not apply to certain users.

Hey that is the same kb article that was already posted but I didn't read it until the bottom of the page... hmmm lazy me.

IceRaven.
0
 
LVL 1

Author Comment

by:undyshelts
IceRaven... i got work tomorrow (or today rather) too... i just want to sort this out because i'm going to further test it at work (coffee will help me too..)

Thank you IceRaven... this is good stuff.. i will test this out tomorrow! thank you very much!
0
 
LVL 1

Author Comment

by:undyshelts
no joke.. petelong posted that too... well you will both get points if it works
0
