INF: How to Protect Windows NT Desktops in Public Areas (143164)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Workstation 4.0

This article was previously published under Q143164
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

In certain environments it is necessary to prevent workstation users from harming the system. For example, you may want to limit the number of applications a user can use.

This article shows you how to protect a workstation intended for use with Internet Explorer 3.0. Most of the procedures in this article also apply to other applications.

For more information about how to make desktops secure, click the URL below to view the Microsoft Web site:

MORE INFORMATION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To protect a workstation that will be used with Internet Explorer:
  1. It is recommended that the use works with the guest account. You should not allow password changes for this account. Do not allow a local shutdown procedure (either using User Manager (Policies/User rights) or the Local Security Policy Snap-In). You must also format all local drives in NTFS. To complete steps 7 and 9, the workstations must be a member of a domain. For other stpes that instruct you to edit a policy, it is easier to run the policy if the computer is a member of a domain and the user account is a domain account.
  2. Replace Explorer.exe as a shell with Internet Explorer. Make sure to place the full path to Iexplore.exe in the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon : Shell

    For other programs, place the main executable file or a startup program in this place. For Windows 2000 and later, you should use the "Custom user interface" policy under User Configuration/Administrative Templates\System in the Group Policy Editor.
  3. Change permissions for %Systemroot%\System32\Taskmgr.exe so that the guest account does not have any privileges for this file (no access). When you do so, the use cannot run Task Manager from the security dialog box. For Windows 2000 and later, you can use th "Disable Task Manager" policy setting under User Configuration\Administrative Templates\System\Logon/Logoff in the Group Policy Editor.
  4. Rename the administrative account and specify a strong password so users have difficulty gaining access to it.
  5. Use AutoAdminLogon so only experienced users know how to specify a different name for logon (hold shift while logging off). Even if they manage to get to the logon dialog box, they still have to know about an account.
  6. Disable ShutdownWithoutLogon. It is also located in the Winlogon key mentioned earlier.
  7. Create a default System Policy that only allows Iexplore.exe to run, and then place it on the NETLOGON share of all the domain controllers. The Netlogon share is located in Default User Properties, System\Restrictions\Run only allowed Windows programs. Instead of Iexplore.exe, you can also specify the programs of your choice. The main executable file or that startup program (that is specified in step 2) does not need to be run as part of this set. For Windows 2000 and later, use either the Do not run specified Windows application policy setting or the Run oly allowed windows applications policy setting for the user in User Configuration|Administrative Templates\System.
  8. Enable all policy restrictions in Shell\Restrictions so that the user only sees the computer and files to be saved end up in the %Systemroot%\Profiles\<user>\desktop directory.
  9. You can also restrict access to %Systemroot%\Profiles\<user>\desktop so that the user only can read files from there. This is the only folder that the user will be able to see if you checked all items in step 8.
With Internet Explorer 3.0 you can prevent the user from seeing the Address Toolbar and thus prevent the user from manually entering URLs. To do this, perform the following steps:
  1. Remove the address toolbar in Internet Explorer. Click View, click Options, click the General tab, and then click the option to remove the address toolbar located in the bottom half of the dialog box.
  2. Start Registry Editor (Regedt32.exe). In the HKEY_CURRENT_USER window, open the key

    Software\Microsoft\Internet Explorer\Toolbar

  3. With the focus on Toolbar, click to select the menu item Security\Permissions. Make sure that the guest account is only allowed to read the key.
When you open the dialog box in Internet Explorer, you will be shown the wrong settings but changes will not take effect. It may be possible to do similar things with other registry keys of Internet Explorer, but only the key mentioned in Step 2 above was tested for this article.

Modification Type:MinorLast Reviewed:5/30/2003
Keywords:kbhowto kbinterop KB143164