Windows 2000 Professional setup for 40 identical users on one workstation without a domain.

I need to set up 40 identical users on a Win 2000 workstation that has no domain.  This workstation will eventually be ghosted to about 20 additional machines in a middle school environment.  Here is what I need:

(1) Users should have no priveleges to install software or make major changes to the machine. (USER / GUEST)???
(2) All users will have the same wallpaper, favorites, screensaver, desktop, home page ,etc.
(3) It is extremely important that the user has no power to change the wallpaper, favorites, screensaver, desktop, home page ,etc.
(4) I would prefer not to use "protection" software like Fortres or Foolproof unless it is absolutely necessary
(5) Every user will use "My Documents" to save their individual work, hence I believe a mandatory profile can not be used.  No solution which wipes the user Documents and Settings folder is acceptable.
(6) I'm looking a solution that doesn't require a ton of copying and pasting stuff in the Documents and Settings folder.
(7) If there are any small W2K utilities that perform this task that would be ideal.

In addition,  I am open to any software that is ideal for a middle school classroom environment where students are limited to make the changes I specified in (3), but still giving students power to "explore".  The more detailed a solution, the more likely I will be to give away the points to one unique expert.  Thank you for your help.
Who is Participating?
dlwyatt82Connect With a Mentor Commented:
Many of the previous comments clearly did not read jschreiber's requirements - he plans to have 40 individual user accounts (with separate My Documents folders, each secured against access by other users).

jschreiber, I would recommend the following steps:

First, modify the default permissions on your drives. On a Windows 2000 Professional PC, odds are they are set to Full Control for Everyone by default. To change this, log on as the Administrator account and perform the following steps:

1) In My Computer, Right click on your C:\ drive, select Properties.
2) Click the Security tab.
3) Click Add
4) From the list of available users or groups, select the group named "Users", click Add, and click OK.
5) This new entry should have "Read&Execute", "List Folder Contents", and "Read" permissions checked by default. Leave these settings.
6) Click Add again.
7) This time, select the Administrators group.
8) Allow Full Control for Administrators.
9) Highlight "Everyone", and click Remove.
10) Click OK.

This will secure the hard drive from tampering and prepare for the steps which follow. At this point, you should verify that each user profile in "c:\documents and settings" still has the correct permissions (The Administrators group, possibly the SYSTEM account, and each individual user should have Full Control rights to their own profile folder. The Everyone and/or Users grops should NOT be present in the Access Control List for profile directories within Documents and Settings).

Next, configure Group Policy to enforce the system settings you mentioned, as follows:

1) Select Run from the start menu, and type "gpedit.msc". This opens the Group Policy MMC snap-in.
2) Configure the policies you want to enforce - the types of policies you described (Internet Explorer options, Desktop wallpaper, etc) can be found in the Administrative Templates section under User Configuration. Experiment with these a bit to get a feel for what you would like to configure via Policies. Feel free to post more questions about Group Policy here if you would like some more info.

Now, you are ready to create the user accounts for your students. When creating these accounts, make sure they are only members of the Users group. They will automatically have a profile directory created which gives them a My Documents folder which only they (and you, as the system Administrator) have access to.
jschreiber69Author Commented:
Sorry privileges was misspelled. I'm not an English teacher, thank God.
all you need is to create user account. as user you have privileges on My Documments older but you can not install programs, mess around control panel, or change desktop settings.
I order to fine tune all security settings you can use Security policies.
Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

you need domain environment, install win2K on any PC and make it Domain controller by Dcpromo
add PCs to new domain and create users
add domain users (or the users you created) into power users group on PCs.
and make restriction by using default domain policy. (start-programs-admin tools - default domain policy)
Nabeeh ElDarderySenior Team Leader, Global Office ITCommented:
Kindly find my comments for your points

(1) when creating the user accounts, do not add them to any group, just leave them with the default group (Users) to prevent them from installing any software
(2) logon with normal account and configure all your desktop settings (wallpaper and so on) + Redirect My Documents Folder to another location using %user_name% variable  
then logon with another acount to copy the first Profile under documents and settings to All Users Profile (All users will have the same desktop settings) then rename the file under C:\Documents and Settings\All Users\NTUSER.DAT to NTUSER.MAN (Mandatory Profile)
(3) Yes, the use can not change the desktop settings
(4) No protection software
(5) Everyone should has his own My Documents folder
(6) no copying of profiles
(7) Mentioned steps is the tool

jschreiber69Author Commented:
Eldardery,  in your step (2), if I redirect My Documents Folder to another location, where can I put it so other users can not access it and keep it secure (no students from 3rd period copying 1st period work)?   If you can explain your step (2) as detailed as possible (remember I have no domain)  and it works, I will award you the points.  Thanks.
if you create simple user (restricted) it will have his own My Documments folder. I don't understand why should he redirect this folder to another location.
He only needs to create user account and that should be enough. everyone will login to this account and work in it. only thing he should do is to disable shutdown/restart to that account to prevent booting with another OS (knoppix). if that is enabled for user profile nothing will prevent someone to boot from CD and take control of computer with another OS.
One other area you'll want to view in the Group Policy snap-in is User Configuration -> Windows Settings -> Internet Explorer Maintenance. This is where you can configure policies to enforce Favorites, Home Page, etc (in the URLs section).
All Courses

From novice to tech pro — start learning today.