Setting up restricted XP username

chump

I have XP pro and want to set up a second user account that is restricted to just certain things I allow.

I would like to have quite a bit of control as to what can be used.

Whats the best method and/or program to use to do this?

Rgds

zuma

This is pretty simple:

Control Panel-User Accounts
Under "Pick a task" select "Create a new account"
Type the name...click next.
Under "Pick an account type" select "limited"
Click "create accoun" then!

Pretty simple!

chump

Not really what I'm looking for zuma. I've done that, but
I only want them to be able to run maybe 2 programs, say IE and Mozilla...

I don't want them to have any access to programs I don't want, and only want them to have access to their own personal My Documents folder etc. etc...

It seems fairly complicated

djmarkus

I dont really know but i'll point you in the right direction, run gpedit.msc

chump

Looks like I have some reading up to do:

Pasted from http://answers.google.com/answers/threadview?id=515848

There is, in fact, a simple canonical native Windows solution to your
problem. I use it to set up Citrix thin terminals. And it uses all
the tools that already there in Windows XP.

1) Create two local users, an administrator (there by default, but
you'll have to set the password and log in at least once) and the user
you're going to have the IE desktop run under. I'll call that user
"public" for the sake of brevity. Make public a Restricted User.

2) Read up on Local Group Policies
(http://www.windowsdevcenter.com/pub/a/windows/2005/03/29/local_group_policy.html
and http://www.theeldergeek.com/group_policy_for_windows_xp_prof.htm).
Local Group Policy Objects allow you to lock down nearly every aspect
of a Windows XP box. This includes the ability to remove access to
the Task Manager, logging off, and various other ways of exiting the
currently running application. All the settings are extensively
documented within the Group Policy editor itself. There's an
extensive section just on IE, which should help you.

WARNING: DO NOT PLAY AROUND IN THE POLICY EDITOR UNTIL YOU ARE READY
TO ROLL OUT THE DESKTOP - you'll see why in a minute.

3) Specific things you can set in the Policy Editor (they're scattered
all over the place): Autologon as the public user (may require some
additional registry tweaks, see
http://www.winguides.com/registry/display.php/780/ and
http://www.chicagotech.net/winlogon.htm). This will automatically log
in public when the machine boots, and if anyone manages to log out
somehow, the system will log them right back in again.
: Set iexplore.exe as the shell for public. Most of the ways to get
out of an application are controlled by the Windows _shell_,
explorer.exe, not the kernel or the application. Set IE as the shell
for public and they won't get any of the application quitting options.
Make sure you find and set the "auto restart shell" Policy Object -
that way if someone kills the shell or crashes IE it restarts the same
way explorer does when you kill it in the Task Manager. See
http://blogs.msdn.com/embedded/archive/2005/03/30/403999.aspx
: Disallow any executables running except for the ones you want.
There's a Policy Object that allows black- and whitelists for
processes. This will prevent people from running things from the
shell (in this case, iexplore).

I'm sure you can find lots more. The GPO documentation is great; the
organization is not...

You may also want to look at more traditional methods of securing the
PC from network and file system access, using the various checklists:
http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx

Since you're going to save yourself a lot of time with the GPO editor,
in lieu of screwing around with other OSes and software you don't
need, you can take some time to investigate the IEAK, which will let
you customize the dickens out of IE, including enforcing the
full-screen or "kiosk" mode.
http://www.microsoft.com/technet/prodtechnol/ie/ieak/default.mspx

4) Before you apply the Local Group Policy, READ THIS:
http://www.theeldergeek.com/gp07.htm
Outside of an Active Directory environment, any settings you put in
that GPO are going to affect _all_ the users, including the
Administrator! That will make it impossible to update or administrate
the PC. The trick in that web page will show you how to trigger the
restricted environment for public but _not_ for Administrator. (to
bypass the autologon to get to the logon prompt, hold down Shift while
the PC boots).

I've just rolled out thirty Citrix thin terminals using this method,
and no one's broken them yet :-)


ah gawd, dunno if i have it in me... too much learning. If any1 can break it down into a step by step guide I'd appreciate that...

Capt'n Midnight

google for kiosk xp firefox

chump

Thanks Capt' ... I'd also like them to have access to MS Word and a few allowd applications but have to start somewhere

monkeyfudge

In my internet Café I use 1st Security Agent

It lets me lock off everything I could possibly want on any User account in XP. And it very easy and straight forward to use.

chump

Ahhh..

http://www.dougknox.com/xp/utils/xp_securityconsole.htm

Dougs Security Console... Is it worth 10$ tho to get the functionality I want

chump

Got the full version of Doug's thing and seems to work great!

Thanks monkeyfudge for that proggie too. I might have a look at it if this doesn't seem to do everything I'm after...

monkeyfudge

chump wrote:

Got the full version of Doug's thing and seems to work great!

Thanks monkeyfudge for that proggie too. I might have a look at it if this doesn't seem to do everything I'm after...

Let me know how you get on. The Doug one is cheaper after all.

One problem I have with 1st Secuirity Agent is that it only allows you to lock out the internet options for IE.

It means I can't put Firefox on the computers as people would be able to get into it's internet options and increase the cache size... which is something that caused a problem for me before.

Syth

monkeyfudge wrote:

It means I can't put Firefox on the computers as people would be able to get into it's internet options and increase the cache size... which is something that caused a problem for me before.

Sorry to drag this off topic, but how is the cache size a problem for a net cafe?

chump

Hey monkeyfudge,

I'd imagine you'd have to delve quite deeply into group policy to be able to do anything regarding firefox, and even the I'm not so sure...

I'm surprised how easy it was to restrict access in general using that Doug program tho. Using it plus a little bit of Security Setting changes do the job...

Capt'n Midnight

chump wrote:

Thanks Capt' ... I'd also like them to have access to MS Word and a few allowd applications but have to start somewhere

in that case you can use Registry entries / policies to block off buttons on the start menu so they can only see those apps.

also look up mandatory policies, so they can't change their settings
- renaming ntuser.dat to ntuser.man IIRC

The problem is most Apps allow you to call up a program some how.
eg: In Outlook ( I use OO instead of M$Office ) New Email, Insert, browse to c:\windows\system32 and then Open cmd.exe :rolleyes:
- and Unlike word Outlook has an attachment filter...

monkeyfudge

Syth wrote:

Sorry to drag this off topic, but how is the cache size a problem for a net cafe?

One person paid to use the internet café, increased the cache size to the full capacity of the hard drive. Filled the cache up with porn sites and then told his (much younger) mates how access the sites in the cache without paying.

We don't actually have a staff member present at the internet café as it's pretty small with just 4 computers. So it all works on pre-pay system that won't allow access to the internet unless you type in the username and password that comes written on your reciept.