[Question] make restricted use


telebak

Hello

I am trying to make a user account that would not be able to use any application except the one I permit him, and when I mean no application I mean neither media player nor Microsoft games... nothing but the application I want him to use.

This will be the only icon or program he could see as he opens windows!!!

Is this possible?

Please NOW in Microsoft Windows XP section, use [TAGS] in your topic's title.

See rules.

--Sonic

  • 3 weeks later...
Make that program his shell.

Software Restriction policies in Group Policy might work for you as well. Note that even making an app the shell for a user doesn't guarantee security if the application in question allows users to execute other programs and/or provides access to file open/save dialogs. (navigate to \windows\system32, type *.* in the name box, then find CMD.exe, right click and select Open. Instant command prompt, from which the user can alter the registry to set the shell to explorer and log out/in to get a full shell.)

If your app (or any apps it launches) use the standard file dialogs, you can use policy restrictions to prevent them from being misused.

1. Hide unnecessary drives from the shell using policy

2. Disable shell context menus

3. Use policy to disable things such as the registry editor and command prompt.

4. etc... (play around with the settings under Administrative Templates in Group Policy. Note that setting Local User Policy on an XP box will affect ALL users on that box, but you can obtain the corresponding user-specific registry settings by opening c:\windows\inf\*.adm in notepad.)

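The per-user settings described in the post above, applied with reg.exe from an administrator account, as an added example that is not part of the original thread. The account name `kiosk`, the application path and the temporary hive name are assumptions, and the account must have logged on once (and be logged off now) so that its NTUSER.DAT exists and can be loaded.

```bat
@echo off
rem Added example: writes the registry values behind the policies listed above
rem into ONE user's hive, so other accounts on the box are not affected.
rem Hypothetical names: account "kiosk", application C:\KioskApp\app.exe.
setlocal
set "HIVE=C:\Documents and Settings\kiosk\NTUSER.DAT"
set "ROOT=HKU\KioskTemp"
set "POL=%ROOT%\Software\Microsoft\Windows\CurrentVersion\Policies"

rem Mount the user's hive under HKEY_USERS; fails if the user is logged on.
reg load "%ROOT%" "%HIVE%"
if errorlevel 1 (
    echo Could not load "%HIVE%".
    exit /b 1
)

rem "Custom user interface" policy: start the app instead of explorer.exe.
reg add "%POL%\System" /v Shell /t REG_SZ /d "C:\KioskApp\app.exe" /f

rem 1. Hide drives from the shell and the common file dialogs.
rem    NoDrives is a bitmask (bit 0 = A:, bit 25 = Z:); 67108863 = all 26 drives.
reg add "%POL%\Explorer" /v NoDrives /t REG_DWORD /d 67108863 /f

rem 2. Disable shell context menus (right click, Open).
reg add "%POL%\Explorer" /v NoViewContextMenu /t REG_DWORD /d 1 /f

rem 3. Disable the registry editor and the command prompt.
rem    DisableCMD = 1 also blocks .bat/.cmd script processing.
reg add "%POL%\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
reg add "%ROOT%\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 1 /f

rem Show what was written, then unmount the hive.
reg query "%POL%" /s
reg unload "%ROOT%"
endlocal
```

NoDrives only hides drives from view; paths typed directly into a file dialog still resolve, which is why the post pairs these settings with blocking the tools themselves.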

I know it's not perfect but it's a start. Also, using software restriction policies can get nasty, can't they? Doesn't he have to allow every other exe and dll that the program requires?

NTFS permissions would be a good idea too. Hmm what happens if you deny access to that account to task manager?


> I know it's not perfect but it's a start.

Of course. I merely point out that even supposedly novice users tend to be smarter in some cases than admins take for granted; just ask the IT director for any school district...

> Also, using software restriction policies can get nasty, can't they? Doesn't he have to allow every other exe and dll that the program requires?

True, though a blanket policy allowing *.dll would work; it's rather difficult to load an arbitrary DLL if you can't load an arbitrary EXE. (Most apps don't use all that many .EXE files. Just make sure rundll32.exe and similar programs are blocked.)

> NTFS permissions would be a good idea too. Hmm what happens if you deny access to that account to task manager?

Quite true. Task manager can be disabled by policy, but for those apps that can't, blocking access to them for users who shouldn't use them is a good idea as well.
