EnvisionTech

Locked down user account for visitors?

We are currently running a Windows network with a Small Business Server and roughly 30 WinXP workstations.  There are about 20 users who spend the majority of their time offsite and come in 3-4 times per week to submit reports, check email, etc.  Each user has their own login, but they share a group of 4 computers in a common area.  The office also has an Astaro firewall at the front end and all internet activity is passed through the content filter on the box.

I have been asked to set up a user account which can be used to access the internet on these 4 "shared" computers.  They only want the account to be able to run Firefox and surf the net, check webmail.  The user should not be able to download anything.  The user should not be able to see or make any changes to the system or anything on the network.

I'm assuming that the best way to do this is to create a new user account on the small business server, and then lock it down via group policy.  Can anyone confirm if this is the way to go about it and if not, please advise on the alternative?

If group policy is the way to do it, can anyone suggest what the settings should be or point me to a good resource?
Murat Raymond

You need to create a security group instead of a user.
Then add the users to the group.
That would be a better approach.
Vico1!
Do you have ISA installed?
If not, you can keep these machines off the domain and they will still have access to the internet.
Olaf
Jeffrey Kane - TechSoEasy
You should first be aware that Firefox is not easily managed via Group Policy.  Therefore, you should only allow IE to be used on your network.

You can create users in a "Restricted" Security Group, and then the workstation itself should be run in Kiosk mode.  Alternatively, you can just add the computers outside of the domain and outside of the LAN, in a DMZ, remove the hard drives and just run a CD-Based Operating system which will keep most everything safe.  Check out http://www.livekiosk.com/

Jeff
TechSoEasy
manicsquirrel

You also might want to check out Doug Knox's XP Security Console, www.dougknox.com/xp/utils/xp_securityconsole.htm .  I use it to lock down "community" workstations.
EnvisionTech

ASKER

Thank you all for the responses.  These are all good but they might not be quite right for the situation.  The workstations in question will also be used by legitimate employees of the company who will need to access the network as needed.  So DMZ and Kiosk would not appear to be an option (unless I'm missing something). The security console looks great, thanks for the pointer (it will come in handy for some of my other clients), but these machines will be on the domain and Group Policy will be available.

So any further thoughts on what my best options may be?

Thanks in advance.
Just want to be clear what you want to achieve.  You want these four workstations to act as normal workstations except when twenty or so specific users use these workstations.  When these specific users use these four workstations, you want them locked down for the most part.  However, when these users are away from the office and logging in remotely? or maybe logged in at a different workstation, you want their user accounts to act like everyone else's?
Essentially what we have is 4 workstations being used by about 20 office users.  Each of these users has their own login and can access data on the server, get email, surf the net, etc.  These workstations are all on the domain, with a Win Small Business Server 2003 as DC.

However, the office also occasionally gets visitors that are not employees.  The management would like to allow these visitors to use these 4 systems to surf the net and maybe do some basic word processing and printing.  They want to ensure that these guests don't do any damage to the workstations and the infrastructure.   So I'm looking at creating a locked down "guest" login for these visitors that is fully locked down and can only do those things.

Thanks for your help.
Set up a new security group and create a bunch of GPOs assigned to that group.
Olaf
SOLUTION
manicsquirrel

This solution is only available to members.
That was my very first suggestion.
There is not a better way around it?
You could just have the "locked down" guest login be to the local machine instead of logging into the domain.  They would still have Internet Access, but would not have ANY permissions for domain resources.

Just create a local user account on those workstations.

Jeff
TechSoEasy
Jeff,

Could you just activate the built-in Guest account?  Would that accomplish the same thing?  I've never really thought about it.
Yeah, it would.  I always ignore that account so I didn't think to suggest it.  But it would be just fine for this purpose.

Jeff
TechSoEasy
Thanks so much for your help people.  Looks like I was on the right track with the locked down user account.  Now the (newly increased) 400 point question is what Group Policy settings I should be looking at to effectively lock down this user.  Is there any guidance available for this?

The local account is a bit of a tougher sell as the firewall at the perimeter is set up to only allow specific Active Directory accounts through to the internet, and has some finely tweaked content filtering rules based on Active Directory group membership.

ASKER CERTIFIED SOLUTION
This solution is only available to members.
Thanks to everyone for their help.  I split the points between a couple of the most useful comments.