Solved

Locking down Start-Run for public machines

Posted on 2007-04-05
6
252 Views
Last Modified: 2013-12-04
I work for a medical university, and we have a couple of student-use computer labs. We use Group Policies to keep students out of certain things on the computers, such as opening Control Panels, changing desktop backgrounds, etc.

One of the policies we had enabled was the "Remove Run menu from Start Menu" option (User Config/Admin Templates/Start Menu and Taskbar). However this has the added effect of also preventing users from accessing resources using UNC addresses in IE or Explorer. Which is a good thing, except we have found that this is preventing students from viewing videos streamed from a Microsoft Media Services server we have on campus for a Standardized Patient project. The web page students use for this app accesses videos using a MMS:// link, which seems to get blocked by the "Remove Run..." GP;  or it makes a UNC call at some other point, I'm not really clear on the inner workings of MMS, regardless I have tested and it works when the Remove Run is not set, doesn't work when it is set.

So it looks like we will have to not use the Remove Run setting. However now I'm concerned about what all students might be able to do if we give them this right back. We keep them from doing things like running Command Prompt, MMC, and Regedit using other GP's, but as I was experimenting I learned that Start-Run allows me to do a suprising amount of things, like open up Computer Management (compmgmt.msc), open up Admin Tools (control admintools), Event Viewer (eventvwr.msc), and I'm sure many other things I haven't thought of that we don't want our students playing with.

The Don't Run Specified Windows Applications GP seems like it might help (User Config/Admin Templates/System), however it only seems to work with .EXE files; any entries I put in for .MSC entries do not work correctly.

If anyone can point me to some other GP settings that might be helpful here, or suggest alternative ways to achieve what I need, I would be grateful.
0
Comment
Question by:mvogts
  • 2
  • 2
  • 2
6 Comments
 
LVL 27

Expert Comment

by:Tolomir
Comment Utility
How about creating a guest account.

It has all important features disabled.

Use that instead. Of cause make sure, your video streaming / web browser is still working properly.

Tolomir
0
 
LVL 27

Expert Comment

by:Tolomir
Comment Utility
Description of the Guest account in Windows XP

http://support.microsoft.com/kb/300489

When you use the Guest account to log on, the following activities apply:
•      You do not require a password.
•      You cannot install software or hardware.
•      You cannot change the Guest account type.
•      You cannot create a password for the account.
•      You cannot change the Guest account picture.
•      You cannot access the applications that have already been installed on the computer.
•      You cannot access the files in the Shared Documents folder.
•      You cannot access the files in the Guest profile.
0
 
LVL 32

Accepted Solution

by:
r-k earned 500 total points
Comment Utility
Maybe you can just hide the Run command by using the method described at:

 http://www.xp-tips.com/remove-run.shtml

But note that this is not foolproof bevause Win-R on the keyboard will still work for the clever user.
0
Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

 

Author Comment

by:mvogts
Comment Utility
Guest account isn't an option. In the past we used generic accounts on the student use machines and had issues with "inappropriate" things showing up on them once in a while. We implemented individual accounts for each student (with Roaming Profiles) to introduce accountability for them into the mix.

That tip for an alternate method of removing the Run command looks promising, but I suspect that might be profile specific? It's something we could maybe set on the default profile on the machines. Have to look into that later on today.
0
 

Author Comment

by:mvogts
Comment Utility
Looks like that setting works great and is easy to set. Whether we do it or not remains to be seen; the current thinking is that since we have students logging on as themselves, we have accountability if something does get jacked up. At any rate, thx for the info.
0
 
LVL 32

Expert Comment

by:r-k
Comment Utility
Great. It should foil many of them. Thanks.
0

Featured Post

Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

Join & Write a Comment

Suggested Solutions

I have been asked to explain on many, many occasions the correct way to setup network cards and DNS settings on ISA Server 2004, 2006 and forefront Threat management gateway (FTMG) and have willing done so. I have also promised my self everytime tha…
There are several problems reported according slow link speeds or poor performance in TMG 2010, UAG 2010 or ISA 2006. I want to collect here some of the common issues together to give a brief overview what can be the reason. Nevertheless, not all of…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now