• 0

Software to restrict access to Control Panel, IE, Explorer, Add and Remove,


Question

Dear All,

We have quite a good number of Windows XP PCs that are running in a workgroup due to some legacy software requirements.

I need to restrict access to certain things such as:

Control Panel

My Computer (Explorer)

IE

CDRom

etc...

I remember using this kind of software a long time back, but I can't recall their names.

Can anyone help me out?

I know this can be done via either a registry change or gpedit, but since there are lots of PCs I'd prefer software to do so.

Kindly help.

NOTE:

I need free software if possible.

Regards...

Basim

Edited by 3aFaReeT

  • 0

Why don't you just move to AD vs a workgroup, then you can set group policy that all machines will get and you can lock down the machines as you want with a few clicks. No software to install, no scripts to run on each machine, etc.

If you were more specific on exactly how you want to lock it down, I could point you to the exact settings you need to make, and could put together the script or .reg file to make the settings for you.

For example, you don't want any access to Explorer at all? Keep in mind they could most likely just run cmd and get access to files, or many software programs' file dialogs could be used to circumvent this type of lockdown.

If you don't want them to use the CD-ROM (i.e. boot from it, access it while logged in; what exactly?), you can turn off the CD-ROM in the BIOS as an extreme method of preventing access to it.

As to control panel - do you want to prevent specific changes they make in CP, or just not let them run it at all?


  • 0

Yes, please give specifics. Most of what you want can be done with local group policies, but domain group policies would be better as they can be user specific (user A is locked, user B is unlocked, user C has some of user A's restrictions but some of user B's unrestricted access, etc.). Basically it is built into Windows, and since you are running Windows XP you can use SteadyState.

http://download.cnet...4-11127965.html

http://www.microsoft...ls.aspx?id=4310

For Windows 7, to replicate SteadyState features (this is a very good read for sysadmins):

http://www.microsoft...s.aspx?id=24373


  • 0

Dear all,

Thanks for your reply.

I can't join these PCs to the domain since they are running a legacy application.

These PCs are computer-name dependent and are there across all the 84 branches.

For example:

In each branch the PC names MUST start with this sequence:

WS01

WS02

and so on

If I join the PCs to our central domain I won't be able to repeat the same names in the other branches, which will make the application fail.

I can't create a domain/child domain for each and every branch, which would create a very complex setup.

This branch application requires the user to have administrative privileges to run the application successfully.

Therefore I'm looking to lock down Windows (XP) as much as possible in order to prevent users from messing around with it.

You may suggest better ways of doing it.

From my end, I thought to lock off all common resources from them:

CDROM

Floppy

USB Storage devices

My Computer

CMD

Control Panel

RUN box

and so on

Please suggest.

And I really highly appreciate the people who tried to support :)

Thanks


  • 0

You could apply a local group policy to restrict these things. Then set the folder that stores the group policy (%systemroot%\system32\GroupPolicy) to deny read permission for the Administrators group, so the group policy is bypassed when an admin logs in. That works if you are running Windows XP Pro.
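
For reference, an added example (not written by any poster in this thread) of the registry values behind several of the restrictions discussed above, in .reg form. The drive letters A: and D: are assumptions; the HKCU values apply only to the account that imports the file, and, as noted further down the thread, an account with local administrator rights can revert all of them.

```reg
Windows Registry Editor Version 5.00

; Added example, not from the thread.
; Per-user policy values: they affect the account that imports this file.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
; Block access to Control Panel
"NoControlPanel"=dword:00000001
; Remove the Run box from the Start menu
"NoRun"=dword:00000001
; Hide drives in My Computer and block browsing to them.
; Bitmask: A:=1, B:=2, C:=4, D:=8. Value 9 = A: and D: (assumed floppy and CD-ROM letters).
"NoDrives"=dword:00000009
"NoViewOnDrive"=dword:00000009

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
; Disable the command prompt. 1 also blocks batch files; 2 still lets batch files run.
"DisableCMD"=dword:00000002

; Machine-wide settings: Start=4 marks the driver service as disabled.
; USB mass storage
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004

; CD-ROM driver
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"Start"=dword:00000004

; Floppy disk driver
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Flpydisk]
"Start"=dword:00000004
```

The service changes take effect after a reboot; the Explorer policy values are picked up at the next logon.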


  • 0

Did you even look at Windows SteadyState? You can lock down the hard drive so that users can't make changes; you can pretty much make it idiot-proof. There is your free suggestion that will do what you want. It is not recommended to use SteadyState in an Active Directory environment.


  • 0

"this branch application requires the user to have administrative privileges to run the application successfully"

Sorry, if I have local admin there is NOTHING you can do to the box that I cannot undo. You could prevent access to CD-ROM/USB etc. in the BIOS and set a password, which local admin does not have control over.

And sorry, there is no such thing as an application that requires Local Admin -- just work through what it's doing and give that user the permissions the application needs, be it registry keys, specific folders, etc. Giving users local admin to run an application is a shortcut to doing it correctly!

Other than that, yeah, something like SteadyState would be your only option, but if the user has local admin there is probably a way to get around its limitations. SteadyState was designed more for public-access type machines where the user does not have local admin on the machine.

But I really would suggest you look into AD vs workgroups!!!

As to domains, how would 84 domains be complex in a forest?? The limit of 2003 is like 1200 domains in the forest.

I would say having to deal with workgroups would make the job much harder than having an Active Directory to control users and computers with. Sharing resources between locations is now secure and easy because you have 1 central userbase of resource accounts, be it users or computers.

You say the application uses ws01 and ws02, etc.. So?? Why can you not use ws01 through ws25 in location 1, and ws26 to ws50 in location 2, ws51 to ws75 in next, etc. etc.?


  • 0

There is nothing free that would allow you to lock down a local admin. There are pay-for tools.

http://www.horizonda...om/175608.ihtml

Technically though, in many cases with software like this, if they have admin access they can boot into safe mode and disable the DLLs and whatnot from running. The only other thing you can do is put on software like an enterprise install of Deep Freeze; the only way to unlock it is either by admin console or by a randomly generated token code. This gets loaded at the Windows bootloader level and requires a reboot to "thaw" to allow changes to be made or updates to be done.


  • 0

We lock down the user. Make them a power user, then change the shortcut to the application they need to use and append it with "runas" and set it to save credentials. Run once, put in the admin password... voila. Success!


  • 0

^ Not really the proper way either, but it's better than giving the user local admin. And it takes 2 seconds to do, where tracking down the permissions some applications need and setting them correctly could take a bit. It's a suitable solution for crap software that was not written correctly.
