Limited Function Workstations

I need to set up 48-72 Windows workstations with very limited abilities. They need to be able to access a Web browser, which will only connect to an internal system, not the Web. I assume that's taken care of server-side.

But, I don't want them to be able to change their browser preferences either. That is, they can't be allowed to save passwords or manage cookies. Any suggestions?

hmm.. I know the local library uses a customized web browser for their web browsing only machines.

look into what libraries use.

Maybe if you did enough research and found a linux build that is already setup like this, or you can do your own tweaking.

think of the money you'd save your company on 48-72 Windows Copies.

I'll look into that really quick

Well, for Win2k server, and win2k client

What you will need to do.

Setup a domain controller if you don't already have one, and have active directory setup (window2k serveR)

Make a "special" group for these people, I believe you can set it to have ONLY explorer come up, and you will be able to set it to ONLY surf the intranet (look at your tools>internetoptions>security for reference) I don't think this should be to hard to do, but I WOULD setup a new computer for testing ASAP and start setting up your group policy and beta test the hell out of it until you think you are satisfied.

Then you can do your rollout, you could also assign a subnet or two JUST for those computer so you could monitor the logs just a little bit easier.

Hope that helps.

Thanks fin. I'd love to use Linux clients, but that's not an option. The primary (survey) software being used on these workstations requires Windows.

The servers, however, will be Linux. It will be connecting to one surver to run the survey software. The second, which requires the Web browser, is going to be a Linux box with Cold Fusion and mySQL. I'm basically writing a payroll program in CF, and all the workers will log on to "punch in", sing out, go on breaks, etc.

Very cool, I actually thought of doing that awhile back to save people money on the crappy time systems that are used.

What would be very cool is if you can integrate some kind of auth system

(Using a magnetic read card, etc.,)

I guess they will all be given a account name and password as well to log on.

And with that, what about the other people that use computers for more than that?

(word, etc.,)

Are you just going to leave their access be and provide them with the intranet link for signin/out

This is for operator stations within a telephone survey call center, so nobody will use the machines for anything else.

Correct, re: the link. In fact, it will be a whole little control panel. In addition to basic sign-in and sign-out functions, they can also switch projects (all time has to be billed to a specific project). We'll also be able to show them how many hours they've worked for that pay period, how their production compares to that of their peers, make schedule requests, etc.

Cool little project, I wish I could get paid to do little stuff like this.

Airforce needs to send me to some network security training instead of having me work on the old school stuff. At least I am getting pretty good electronics experience outta the way.

By the way, I think there is a way to set it where only a webpage to where you direct will open up and there is no possible way for them to do anything else (Ie F11)

I just set up a machine like that in the front lobby of our administration building. It's used by potential employees to access an online job application through our website. Do you still need info on how to do this? Which OS? It's really not that hard...just tedious registry/policy changes.

rfquinn,

That's exactly what I need to do. One in the lobby for employment apps. Also, some for telephone survey stations. My biggest concern is people saving their passwords on those machines when they log in, then the next employee that works at that station being able to log into their account because of the saved password. It's easy to turn this off in IE, but it's just as easy for them to turn it back on.

It's a Linux server. The stations will be some flavor of Windows. Either 98SE or 2000. The survey software only requires 98, but I'm considering 2000 because of this stuff.

No problem. My weekend is a little hectic, but I'll post instructions when I get a chance.

98 is being EOL'ed.

Sorry about the slow response.  You probably already have it working by now.

These were done on a 98 box, but almost all of the keys should work on XP as well.  Let me know which OS you chose so I can give you more tweaks.

By the way, most of these came from www.winguides.com


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDesktop"=dword:00000001
"NoSetTaskbar"=dword:00000001
"NoFavoritesMenu"=dword:00000001
"NoRecentDocsMenu"=dword:00000001
"NoChangeStartMenu"=dword:00000001
"NoRun"=dword:00000001
"NoFind"=dword:00000001
"NoTrayContextMenu"=dword:00000001
"NoDrives"=dword:0000000c
"NoFileMenu"=dword:00000001
"NoBandCustomize"=dword:00000001
"NoSetFolders"=dword:00000001
"NoFolderOptions"=dword:00000001
"NoSetActiveDesktop"=dword:00000001
"NoWindowsUpdate"=dword:00000001
"NoLogOff"=dword:00000001
"NoViewContextMenu"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoHelpMenu"=dword:00000001
"NoBrowserOptions"=dword:00000001
"NoFavorites"=dword:00000001
"NoFileOpen"=dword:00000001
"NoBrowserContextMenu"=dword:00000001
"RestGoMenu"=dword:00000001
"NoBrowserBars"=dword:00000001
"NoSelectDownloadDir"=dword:00000001
"NoToolbarOptions"=dword:00000001

Ooooooooooooo... You're a stud. Thank you! It will still be a few months before I have to do this. I'm just kinda doing homework right now.

I'll be talking to our software maker this week to find out what OS we should use.

Cool. Glad I wasn't too late. If I had to choose an OS for your project, it would definitely be XP. The only reason I used 98 is because we wanted to use the slowest computer we could find. (It's only for web browsing, after all) However, you're able to make XP much more secure than 98.



The above reg keys will give you a great start. Let me know which OS you decide to go with, and I'll give you a list of some other things to lock down.

I'm kinda leaning toward Win2000 right now. I've had the best experiences with it on my own computers.

I've never secured a 2K box, but it should be almost exactly the same as XP...just let me know!