further lockdown of limited account on winxp

[oystercatcher]

greetings,

I am supporting a small business with 3 winxp computers on copper dsl behind

a linksys router. One computer runs the primary business application a

database of sales, inventory and reporting. Another computer can access

the database via vnc. Although the database unit has had its problems, the

main issue is with the other two computers. After reinstalling winxp on both

units, I have set up limited user accounts on the machines. From my testing

it seems that the limited accounts can still download and install files, applications

etc. I would like to change the security on the limited accounts to block

any downloads via firefox or internet explorer. What information I have

been able to locate so far hasn't really worked (gpedit.msc) so I am

looking for detailed documentation if it is available.

Thanks for any help

[nitroshift]

I'm afraid that without a domain, further lock-downs are impossible.

[PC_LOAD_LETTER]

easiest method is to just freeze the machine state using steadystate(free) or deep freeze(paid)

it wont prevent someone from making changes but itll save you from having to undo them if they do.

[oystercatcher]

Thanks, I downloaded the documentation pdf for steady state and

appreciate the suggestion as had not heard of the product.

easiest method is to just freeze the machine state using steadystate(free) or deep freeze(paid)

it wont prevent someone from making changes but itll save you from having to undo them if they do.

[beats]

First, you can restrict users from installing software on one computer, by changing the permissions for the HKEY_LOCAL_MACHINE\SOFTWARE, HKEY_CURRENT_USER\SOFTWARE and HKEY_USERS\.DEFAULT\SOFTWARE registry keys. Run regedt32, and remove their Set Value and Create Subkey permissions in SOFTWARE. Change the Everyone group's permissions from Special Access to Read. Then, users in the group will have only Query Value, Enumerate Subkeys, Notify, and Read Control permissions.

Second, you can implement a local software restriction policy using Group Policy to block specific executables or msi files from being run on the target user machine. You don't need a Domain for this.

Third, you can block users from accessing the websites where they can download such software by configuring your firewall/proxy server (if those aren't available, you can use a HOST file).