Locking Down XP for Public Comp

Just wondering what the best way to go about locking down Windows XP.

My application is for use in police patrol cars. I want the cops to be able to use the machine for department purposes (DMV checks, electronic tickets), but not be able to mess them up (spyware, viruses, games).

Some things I need to do are:

-Block all access to the Internet.
-Block access to the Control Panel, Device Manager, etc.
-Block access to My Computer, Windows Explorer.

  • Stop people from being able to run .exes that they bring to the PC by USB pen drive.

Is there any easy way to do this without editing the registry by hand? Possibly Group Policies or TweakUI?

Not really my area of expertise but my best guess would be using policies (poledit, etc)

Yes, you can absolutely do what you want. Type gpedit.msc for a crapload of lockdown settings. One setting you should look at is for allowing only certain executables to run.

Something else you might want to look into is a product called DeepFreeze. Everytime a machine reboots/shuts down, the system is returned to its startup state. We've been using DeepFreeze in my school district for years, and have yet to see ANYTHING installed/changed on the machines we use it on. Virus? reboot. Spyware? reboot.

You don't need DeepFreeze for what you want to do...it'll just make your life MUCH simpler. The only time you'll ever have trouble with a computer is when you have hardware issues.

I wish you or someone like you would do this shit for my county's deputies. I pulled up to one at a light the other day and looked over; the fucker was on eBay.

Thanks a ton for all of the responses.

rfquinn: DeepFreeze sounds like a GREAT idea.

My one question is this. Can it be set not to remove EVERYTHING that has gone on? IE, documents created, electronic tickets written and stored on the PC, etc.

I guess what I am asking is if a certain directory or two can be exempted.

Thanks a ton..

Yes. DeepFreeze will allow you to select which drive letters you want frozen. Just partition the hard drive, and choose to freeze just the OS's drive.

If you don't want to partition the hard drive, DeepFreeze gives you an option called "ThawSpace". If selected, it appears as another local drive and can be up to 2GB in size.

Last quick question. I am playing with gpedit.msc. I want to restrict the generic user logon (called "police") but be able to log in as "administrator" and have full functionality.

Near the bottom of the Group Policy Editor, I see "user configuration." I just need to figure out where to set what user I am configuring. Any help would be greatly appreciated.

Oops. I just saw that I didn't respond. You still need help, Gforce?

I think I have it covered--one of my friends sent me a good knowledge base article.

I'd like to see it. Do you have a link?