Need help to set up restricted use workstation (XP)

[Nolonemo]

I want to set up a computer so that only a single program can be accessed by the user, and there is no way for the user to browse the disks on the computer.

For example, in my local library, the public terminals are set up to run Internet Explorer. If you close IE, you end up a desktop with only the IE icon on it - there are no programs that can be run from the start menu, and the RUN feature of the start menu is disabled so you can't get to the disks or other programs that way.

There must be tutorials on doing this around, can anyone point me to one?

Thanks,

Nolo

[carbon_unit]

Will this do what you want? http://tinyurl.com/a8vdm

[Nolonemo]

carbon unit, that does everything I want except allow me to set up a white list of "permitted" programs the user can run. But with the proper build, that should work out OK.

Thanks...

[dsvochak]

It appears you want to set up "Software Restriction Policies"

You can set up the "white list" of permitted programs in Control Panel-->Performance and Maintenance-->Administrative Tools-->Local Security Policy-->Software Restriction Policies"

When you first navigate there, you'll get a screen that says "No policies defined" and tells how to create new policies. Follow the instructions, and you'll have "enforcement" "designated file types" "trusted publishers" and two folders "Security Levels" and "Additional Rules".

Under "enforcement", you have two choices to make.

In the "Security Levels" folder, set "Disallowed" as the default.

In the "Additional Rules" folder, right click, select "New Path Rule", browse for the program you want to allow and set the security level to "unrestricted".

I think this works. I tried to read the Microsoft tech bulletins about software restriction policies, but I got a headache. If this is wrong, will someone like jdhurst please correct any mistakes.

[Nolonemo]

I forgot to mention that this would be on an XP Home, not XP Pro machine. From my googling around, it looks like I can't set Policies like that on an XP Home machine. If I can, it will simplify things some, but I think I'll be OK with what's in the MS Shared Computer Toolkit carbonunit pointed me to.

[carbon_unit]

That toolkit really lets you lock it down tight.
Just create a limited user and you can remove programs from the Start Menu, remove the command line and restrict their access in My Computer so they cannot see any drives. That is what I did at the local library.
At the library they have a very limited Start Menu, a quick launch toolbar with the essential programs in it and a few desktop icons for some office templates. My Computer only shows the cd burner so they can burn and access cd's. I left the E:\ drive so they can use USB thumb drives.
I used a Centurion Guard system so they cannot make any changes to the hard drive and no viruses or spyware can stick, just reboot and it is clean again. Some of these computers have been in use for over three years by school kids every day and I never, ever get called to work on them...........Hmmm, I better knock that off or I will be out of business

[Hamid]

Search for InternetCafe billing/management applications. These applications are designed to do what you want. Basically what most of them do is that they replace the Windows SHELL (explorer.exe), disable TaskManager and all other means of running applications (example: Start+R)
The admin can define a list of allowed applications, and only specified applications can be run by normal users.

Just a note, it doesn't overwrite explorer.exe, it just modifies the windows registry so upon user logon the CafeBilling Application will be run insted of explorer.exe as the SHELL.

HTH,
Hamid

Edit: An example would be gameport http://www.softdepia.com/gameport_download_11910.html

[Nolonemo]

That toolkit really lets you lock it down tight.
Just create a limited user and you can remove programs from the Start Menu, remove the command line and restrict their access in My Computer so they cannot see any drives.

That should do the trick, I would think. One last question (to which I'll have the answer this weekend, but anyway...)

It wasn't clear from the toolkit documentation if I could prevent a user from right clicking on the desktop and creating a shortcut to explorer.exe from the context menu. I would think not, but....

[carbon_unit]

Yes, you can disable right click and many other things.

[Nolonemo]

carbon_unit, the MS application did the trick, though it took me a while to configure access just the way I wanted. Thanks again for all of your help.

[carbon_unit]

Glad to help.