Lock down XP workstation that is not part of domain

We have one user in the office that chronically muddles their workstation (MS XP Pro) up to the point where a rebuild is needed every other month. We do not have a domain setup or use Active Directory, so how can I lock this workstation down so that the following can be accomplished?

1. Limited web sites user can access
2. Prevent user from changing program interfaces (accidentally moving toolbars, losing tabs, columns, etc.; anything that can be moved, they will find a way to move it, lose it or break it)
3. Prevent user from installing anything
4. Prevent user from changing anything
5. Allow user access to specific programs and websites and nothing else.

Is this possible?
h11 Commented:
Look into SteadyState. This is the new Microsoft program and it is free. It will do everything you want and it is easy to set up. I use it on over a hundred computers and it works great.


For one thing make sure the user is NOT given Local Administrator rights on the computer. Then use Local Policies to make some of the other changes you require.
Sounds like you need to modify the local security policy.  You won't be able to block websites though.

Go to Start | Settings | Administrative Tools | Local Security Policy and tweak away.

gpedit.msc will get you all the group policy settings. Definitely do not give them admin rights; make them a power user. While they will be able to install some things, it will prevent them from affecting major computer settings or files in system32, etc., preventing lots of malware, adware, spyware, viruses, and even just Windows bugs, etc.

As for website blocking, you can use Content Advisor, built into Internet Explorer. However, if the person manages to download or install Netscape or another browser, then they will be able to get out to any site. Content Advisor only blocks IE. You could use the hosts file to block Internet access as well.

The hosts file is located at C:\WINDOWS\system32\drivers\etc, or it might be C:\WINNT\system32\drivers\etc

In the file you will see localhost as the only entry.  There is a tab between and localhost
on the next line enter something like www.google.com with a tab between and www.google.com

From now on when they attempt to go to www.google.com it will direct them to which is a loopback address to the local PC.  It will take them nowhere.  It will never look in DNS as this is the first place it looks for addresses.  She will not be able to edit the file as she will not have admin rights.

For limiting web surfing to specific web sites, get the free IE URL Lock:

The advantage of using the hosts file is that it will work for any browser, while a lot of the packages only work for Internet Explorer, and then a user can install Netscape, Opera, Firefox, etc., and they will have internet now.
chrisroman (Author) Commented:
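The hosts-file blocking described in the comments above can be checked with a short audit script. This is an added example, not part of the original thread: the sample file contents are constructed, the function names are hypothetical, and it assumes the block entries point at the standard loopback address 127.0.0.1. It also shows a limit of the approach: entries match exact names only, so blocking www.google.com does not block google.com.

```python
import ipaddress

# Constructed sample in hosts-file format: address, whitespace, one or more names.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1\tlocalhost
127.0.0.1\twww.google.com
127.0.0.1\tads.example.com tracker.example.com   # two names on one line
10.0.0.5\tintranet.example.com
not-an-ip\tbroken.example.com
"""

def parse_hosts(text):
    """Return {hostname: address} for every well-formed entry; names lower-cased."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                              # first field is not an IP: skip line
        for name in names:
            entries.setdefault(name.lower(), addr)  # keep the first entry seen per name
    return entries

def sinkholed(entries):
    """Names whose entry points at a loopback address (127.0.0.0/8 or ::1)."""
    return {n for n, a in entries.items() if ipaddress.ip_address(a).is_loopback}

def audit(text, must_block):
    """Return the names in must_block that the file does NOT send to loopback."""
    blocked = sinkholed(parse_hosts(text))
    return sorted(n.lower() for n in must_block if n.lower() not in blocked)

if __name__ == "__main__":
    # Hypothetical policy list; run against a copy of the real hosts file in practice.
    wanted = ["www.google.com", "google.com", "tracker.example.com"]
    print("not blocked:", audit(SAMPLE_HOSTS, wanted))
```

Each name the audit reports needs its own line in the hosts file, since there is no wildcard syntax.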
Perfect, thank you!
Question about SteadyState. It sounds very much like a product called "Deep Freeze". My experience has been that with such a product you have issues because restoring your box to a working state can nullify Windows updates, antivirus updates, can result in lost data, etc. I'd like to hear if these issues are solved by the Microsoft product. I looked over their SteadyState site but couldn't find direct answers to those questions.
We have it running on over a hundred computers and it receives all updates and antivirus updates without a problem. As long as you do not use the disk protect, all will work out of the box. If you use disk protect, you have to use a few scripts to get the updates to work; I found them on the internet and modified them to meet my needs.
Question has a verified solution.
