Solved

How can I totally secure a PC so a user can only run 1 program

Posted on 2004-10-25
166 Views
Last Modified: 2013-12-04
Hello,

I would like to secure a PC (running Windows XP Pro) so a certain user can only run 1 game.
So he shouldn't do anything else on the pc.
Can I use local security templates?

He shouldn't access the registry, the c-drive, .... nothing.

When he exits the game, he should only see the desktop with the game icon... .
He shouldn't even be able to access the start button.

How can I do this pls?

ps, the user HAS access to the keyboard and mouse ...
0
Question by:T-Quest
    7 Comments
     
    LVL 10

    Accepted Solution

    by:
    Hi T-Quest,
    Well, all right, you need to use group policy. If you only want to do this on the local machine, do this. Start>Run>MMC. Then once you are in the console click "Console">"Add/Remove Snap-in">Add>Group Policy. Then hit OK. From there go to User Configuration>Administrative Templates. There you will find all the things you need. You can put a shortcut to the game on his desktop and remove EVERYTHING, including the start menu and ability to right click on the desktop or use keyboard shortcuts to access the "run" menu and all that.

    Next, go to %systemroot%\system32\GroupPolicy, and go to the permissions of that folder and DENY the Administrators "read" access to that folder and anyone else you DO NOT want to be "locked down." Or else the same thing will happen to you!

    Cheers!
    0
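As an added example (not part of the original answer or any poster's code): once the settings described above are applied, the lockdown can be checked from a registry export of the restricted user's policy keys. The value names are the ones these Administrative Templates settings are known to write; the sample export, `game.exe`, and the function names are constructed for illustration.

```python
import re
POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
# Constructed sample in .reg export format; "game.exe" stands in for the one permitted program.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoWinKeys"=dword:00000001
"NoViewContextMenu"=dword:00000001
"RestrictRun"=dword:00000001
"NoViewOnDrive"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="game.exe"
"2"="cmd.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''
# Value names the matching Administrative Templates settings write (each must equal 1).
REQUIRED = {
    POL + r"\Explorer": ["NoRun", "NoWinKeys", "NoViewContextMenu", "RestrictRun"],
    POL + r"\System": ["DisableRegistryTools", "DisableTaskMgr"],
}

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: int or str}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"(.+?)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:
                current[m.group(1)] = int(m.group(2), 16) if m.group(2) else m.group(3)
    return keys

def blocked_drives(mask):
    """Decode a NoViewOnDrive bitmask: bit 0 = A:, bit 2 = C:, and so on."""
    return [chr(ord("A") + i) for i in range(26) if (mask >> i) & 1]

def audit(text, allowed):
    """Return findings; an empty list means every expected restriction is present."""
    keys = parse_reg(text)
    findings = ["missing or disabled: " + name for key, names in REQUIRED.items()
                for name in names if keys.get(key, {}).get(name) != 1]
    listed = {str(v).lower() for v in keys.get(POL + r"\Explorer\RestrictRun", {}).values()}
    findings += ["unexpected allowed program: " + p
                 for p in sorted(listed - {a.lower() for a in allowed})]
    if "C" not in blocked_drives(keys.get(POL + r"\Explorer", {}).get("NoViewOnDrive", 0)):
        findings.append("C: can be opened (NoViewOnDrive bit 2 not set)")
    return findings
```

Exports written by regedit are normally UTF-16, so decode the file before passing its text to `audit()`.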
     
    LVL 10

    Expert Comment

    by:dis1931
    Not possible on an XP Pro PC unless joined to the domain. At least not with any built-in functionality of XP, there may be a third-party app that does this but I am not aware of any. If it was joined to a domain a Group Policy could be created allowing access to only the game and denying access to anything else. So clicking on any other program would cause an access denied message to appear. This could be combined with hiding icons, and editing the start menu therefore providing few if any choices for the user to even see and none that will work. However on a local XP Pro implementation setting a group policy will affect all users including the admin and cause irreversible problems... so setting access to only one program will mean that even the admin will only be able to access this one program as well.

    This can also be done through terminal services but this is as well a server side implementation.

    Dis
    0
     

    Author Comment

    by:T-Quest
    Hello NA,

    Thx for the very good answer.
    I do have one more problem though ....

    When I disable read access for the admins, it doesn't have any effect.
    I can't open the group policy anymore, because I denied read access, so that is ok.... but the group policy is STILL applied to the admins!
    So when I log on as admin, I have restrictions .... what can I do about this?
    0
     

    Author Comment

    by:T-Quest
    Already found it... I was doing fast user switching instead of logging off administrator .....
    0
     
    LVL 10

    Expert Comment

    by:dis1931
    Does denying read access to that folder work? If a change needs to be made will he have to change permissions and then run gpedit.msc...and then change the permissions back again? I didn't know this was possible but would suggest that you be careful as you can very easily lock yourself out if you forget to edit permissions or otherwise....though I do like the workaround...sure it will come in handy

    Dis
    0
     
    LVL 10

    Expert Comment

    by:NetworkArchitek
    No, it works fine. Yes, if you want to edit it you have to go back and change the permissions but you will not be editing it that often. You retain ownership, you simply deny yourself read and read&execute access.
    0
     
    LVL 10

    Expert Comment

    by:dis1931
    Nice....I wish I had thought of that a while ago....lol...It would have come in handy

    Dis
    0
