Solved

Locking down Start-Run for public machines

Posted on 2007-04-05
6
257 Views
Last Modified: 2013-12-04
I work for a medical university, and we have a couple of student-use computer labs. We use Group Policies to keep students out of certain things on the computers, such as opening Control Panels, changing desktop backgrounds, etc.

One of the policies we had enabled was the "Remove Run menu from Start Menu" option (User Config/Admin Templates/Start Menu and Taskbar). However this has the added effect of also preventing users from accessing resources using UNC addresses in IE or Explorer. Which is a good thing, except we have found that this is preventing students from viewing videos streamed from a Microsoft Media Services server we have on campus for a Standardized Patient project. The web page students use for this app accesses videos using a MMS:// link, which seems to get blocked by the "Remove Run..." GP;  or it makes a UNC call at some other point, I'm not really clear on the inner workings of MMS, regardless I have tested and it works when the Remove Run is not set, doesn't work when it is set.

So it looks like we will have to not use the Remove Run setting. However now I'm concerned about what all students might be able to do if we give them this right back. We keep them from doing things like running Command Prompt, MMC, and Regedit using other GP's, but as I was experimenting I learned that Start-Run allows me to do a suprising amount of things, like open up Computer Management (compmgmt.msc), open up Admin Tools (control admintools), Event Viewer (eventvwr.msc), and I'm sure many other things I haven't thought of that we don't want our students playing with.

The Don't Run Specified Windows Applications GP seems like it might help (User Config/Admin Templates/System), however it only seems to work with .EXE files; any entries I put in for .MSC entries do not work correctly.

If anyone can point me to some other GP settings that might be helpful here, or suggest alternative ways to achieve what I need, I would be grateful.
0
Comment
Question by:mvogts
  • 2
  • 2
  • 2
6 Comments
 
LVL 27

Expert Comment

by:Tolomir
ID: 18858106
How about creating a guest account.

It has all important features disabled.

Use that instead. Of cause make sure, your video streaming / web browser is still working properly.

Tolomir
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 18858123
Description of the Guest account in Windows XP

http://support.microsoft.com/kb/300489

When you use the Guest account to log on, the following activities apply:
•      You do not require a password.
•      You cannot install software or hardware.
•      You cannot change the Guest account type.
•      You cannot create a password for the account.
•      You cannot change the Guest account picture.
•      You cannot access the applications that have already been installed on the computer.
•      You cannot access the files in the Shared Documents folder.
•      You cannot access the files in the Guest profile.
0
 
LVL 32

Accepted Solution

by:
r-k earned 500 total points
ID: 18858153
Maybe you can just hide the Run command by using the method described at:

 http://www.xp-tips.com/remove-run.shtml

But note that this is not foolproof bevause Win-R on the keyboard will still work for the clever user.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:mvogts
ID: 18859279
Guest account isn't an option. In the past we used generic accounts on the student use machines and had issues with "inappropriate" things showing up on them once in a while. We implemented individual accounts for each student (with Roaming Profiles) to introduce accountability for them into the mix.

That tip for an alternate method of removing the Run command looks promising, but I suspect that might be profile specific? It's something we could maybe set on the default profile on the machines. Have to look into that later on today.
0
 

Author Comment

by:mvogts
ID: 18860459
Looks like that setting works great and is easy to set. Whether we do it or not remains to be seen; the current thinking is that since we have students logging on as themselves, we have accountability if something does get jacked up. At any rate, thx for the info.
0
 
LVL 32

Expert Comment

by:r-k
ID: 18860477
Great. It should foil many of them. Thanks.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Common practice undertaken by most system administrators is to document the configurations and final solutions of anything performed by them for their future use and reference. So here I am going to explain how to export ISA Server 2004 Firewall pol…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

713 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question