Locking down Start-Run for public machines
Posted on 2007-04-05
I work for a medical university, and we have a couple of student-use computer labs. We use Group Policies to keep students out of certain things on the computers, such as opening Control Panels, changing desktop backgrounds, etc.
One of the policies we had enabled was the "Remove Run menu from Start Menu" option (User Config/Admin Templates/Start Menu and Taskbar). However, this has the added effect of also preventing users from accessing resources using UNC addresses in IE or Explorer. That is a good thing, except we have found that this is preventing students from viewing videos streamed from a Microsoft Media Services server we have on campus for a Standardized Patient project. The web page students use for this app accesses videos using an MMS:// link, which seems to get blocked by the "Remove Run..." GP, or it makes a UNC call at some other point; I'm not really clear on the inner workings of MMS. Regardless, I have tested, and it works when the Remove Run is not set and doesn't work when it is set.
So it looks like we will have to not use the Remove Run setting. However, now I'm concerned about what all students might be able to do if we give them this right back. We keep them from doing things like running Command Prompt, MMC, and Regedit using other GPs, but as I was experimenting I learned that Start-Run allows me to do a surprising amount of things, like open up Computer Management (compmgmt.msc), open up Admin Tools (control admintools), Event Viewer (eventvwr.msc), and I'm sure many other things I haven't thought of that we don't want our students playing with.
The Don't Run Specified Windows Applications GP seems like it might help (User Config/Admin Templates/System); however, it only seems to work with .EXE files; any entries I put in for .MSC entries do not work correctly.
If anyone can point me to some other GP settings that might be helpful here, or suggest alternative ways to achieve what I need, I would be grateful.