How to secure a W2K Pro standalone workstation from unauthorized changed in school environment

Given: Multiple W2K Pro workstations - Identical hardware
Peer-to-Peer network connected to Internet via Linksys router

I have 15 W2K Pro workstations that are going into a classroom at my Church. I want to secure these from unathorized changes, downloads, installs etc. Previously the students have been using Win98 SE with no real control at the PC or supervisory level. This has resulted in numerous programs being installed such as Kaaza, various search toolbars and plenty of Spyware as a result of the free program downloading.

I will be installing the following applications in addition to the W2K Pro Operating system which will be fully pattched via Windows Update:

Star Office Suite, e-Sword - a bible study app, Acrobat Reader 6, 7-Zip - a file compression utility, Panda Titanium Anti-virus 2004. I am also considering installing the following apps: Spybot Search & Destroy, Spyware Blaster, Spyware Guard and a Popup blocker from www.endpopups.com to help keep systems clean.

I want to lock these systems down tight to prevent the students from destroying them as they have done in the past.

Here are some of the things I see as being necessary:
1. Prevent the students from downloading and installing anything from the internet to these systems.
2. Disable MSN Messenger, Yahoo, etc. file downloads
3. Deny access to Control Panel
4. Prevent access/change to TCP/IP settings
5. Disable messenger service popups
6. Prevent file sharing betwen systems.
7. Prevent any unauthorized changes to the system
8. Deny use/access to Hotmail, Yahoo Mail etc on SOME systems but allow on others.
9. Disable Run command window.

So, where do I start?

Is there a way that I can configure one system and then Ghost the drives?
I realize that I'll have to rename the individual PC's after ghosting them if I do it that way.
What tool should I be using and are there any templates that allow for these restrictions?
All students are using the same password as these are "public" PC's and share a common networked printer.

Have I missed something?

Thanks,

Dave




AbacustechnologiesAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
mikeleebrlaConnect With a Mentor Commented:
1.  have them log in as users,, this will prevent them from installing any software
2.  if you dont have any messenger programs installed then the students can run them,, step one takes care of them installing them.
3. can be done by the gpedit.msc snap in
4. done by step 1
5.  disable the messenger service in services
6. disable file and print sharing on the network card properties
7. mainly done with step 1... but they will still be able to change whatever files they have access to,, so disable access to whichever files you dont want them to edit
8.  edit the hosts file to point www.hotmail.com mail.yahoo.com etc etc to 127.0.0.1
9.  remove their read permissions from the cmd.exe file
0
 
wtp_isscCommented:
Editing the local security policy will allow you to succeed in some of your tasks.  You can then export the policy and import it into the rest of them.
0
 
balmasriCommented:
Are they Workgroup or Domain.It's better to be domain:
On a Domain Controller install ISA Serevr, There you can configure internet settings.
Configure a computer group policies and puplish them .
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.