System Policy Editor Tutorial
Poledit.exe

Using the Windows System Policy Editor to Enhance Workstation Security

Note: the SPE can be used on Win9x, WinNT4 and Windows ME workstations

This page is a summary, not only of my own hints and tips gleaned from using the system policy editor in a school (with Windows 9x workstations on a Novell Netware 4.11 network), but also the hints and tips from numerous readers- including NT users.



Table of Contents

What you will need- files
Every Possible Template!
Windows Me
Prepare the workstation to use the config.pol

Create the Config.Pol file
Create a test user
Create a default user
Create the admin user
Create the teacher user 
Test your config.pol file 
I don't think the workstation is downloading the config.pol, how do I check this?

Editing the Workstation Registry
Why would I want to "run only allowed programs"
What about standalone computers?
What about group policies?
What about NT 4 Servers?
Profile folder/directory problems
Helpful Tips  
Miscellaneous problems/solutions 

Tips from fellow admins
Some other security sites and programs
HELP! I'm locked out!
Removing the policy restrictions
Completely unrelated probs and solutions

  What You Will Need

 

The templates. Download TEMPLATE.ZIP  355Kb- ZIP file of all the templates I could find including those for Office 2000, ZAK templates, templates suggested on the MS site, and NT templates. Includes Poledit.exe

The right client. Each workstation must be running Windows9x and either the MS NetWare client or one of the 32-bit client versions from Novell. It's always a good idea to make sure that you have the latest version of the client software (currently version 3.2 added in Jan. 2000).

The POLEDIT.EXE program. You should try to use the Windows 98 or NT version dated May 1997 or later. The Windows 95 version doesn't allow multiple templates to be loaded (found on the Win95 CD in ADMIN\APPTOOLS\POLEDIT or in the Tools\Reskit\Netadmin\Poledit folder on the Win98 CD).  It's also included in the ZIP above.

 

Policy Template Editor is a pretty good demo program for editing the *.adm files. You'll have to purchase the program to use the resulting adm file. Study up on your registry keys and values first though.

Windows Millennium Edition

Windows Me is an attractive OS for schools. It shows greater compatibility with older hardware and software than Windows 2000, and unlike Windows 9x, it has file protection features, specifically System File Protection (SFP) and System Restore. Unfortunately, Microsoft clearly states that Windows Me does not support the use of the system policy editor, since it does not support the use of a policy file (see Knowledgebase article Q266271). But I never listen to advice, so I decided to look into using Windows Me with system policies.

With user profiles enabled, Windows Me will in fact automatically download from the network, and import into its registry, the computer and user policies found within a Config.pol file. I  used the Admin.adm template, plus many of the Shell.adm policies in a number of different User policies.

BUT policy use was less than perfect if Active Desktop was enabled. Wallpaper settings, in particular, are completely ignored since they are on a different reg key. But other odd things happened too. Policies became active that were not set, and registry keys became locked (HKCU). With Active Desktop disabled, I was unable to find any problems with the templates I tested.

Since I have not done any long term testing, and considering Microsoft's warning, I am not quite ready to whole-heartedly endorse the use of policies on a Windows Me workstation. But the file protection features make it tempting enough to try a few test workstations. I would suggest first disabling Active Desktop on the workstation itself and also within the Config.pol file. You can do this by selecting the option to use Windows classic desktop, found under the General tab of the Control Panel applet Folder Options. In the policy file it can be disabled using the user policy Desktop-Desktop Restrictions-Disable Active Desktop in the Shell.adm template.

  Prepare the workstation to use the Config.pol file

Open the Poledit.exe program. Click on File | Open registry. Double-click on Local Computer. Set the following options.

 

 

Local Computer 
-Microsoft Client for Netware Networks 
U Preferred Server 
-Update 
U Remote Update 
-System 
U Enable User Profiles 
----------------------------------------------
  Settings for Remote Update 
Update mode: Automatic (use default)

 

Preferred Server tells the workstation which server contains the policy file; automatic Remote Update tells it to look for the config.pol in the Public directory of that server. Checking "Remote Update" is critical to enabling the use of the config.pol file (make sure you ALSO check this option in your default computer policy in the config.pol). Checking "Enable User Profiles" is critical to enabling the use of user and group policies.
Choose File | Save. Then choose File | Close
Your workstation will now be able to download the config.pol file. Once you are sure the config.pol is working properly, you can skip this step and go directly to Editing the workstation registry for each new workstation.

 


  Create the Config.pol file

This is the file that will contain the security settings for each user on the network.
*NOTE: before you exit the poledit program, make sure you have made a User for yourself with NO restrictions, or you will be unable to make changes on any workstation affected by the policy file.

Create a Test user

Create a user to test the downloading of the config.pol file. This will be a very simple user with only one setting.

Open the POLEDIT.EXE program. Begin with the admin.adm template by choosing Options|Template. You have to choose a template (or change to a new template) without any files being open. The admin.adm template will be used to set the user restrictions.
Choose File|New File. You will see an icon is already there for Default User and Default Computer. You will change this user in the next section. Click on the icon that looks like a single head to add a new user. Call this user TEST. Double click on the TEST user. You will see the option below.

 

Default User Properties  
Desktop
U Wallpaper
----------------------------------------------
 Wallpaper name: c:\windows\sandstone.bmp

     Set only the wallpaper option. Leave all other options blank. Click OK.

Create a Default User

The icons for Default User and Default Computer should be used as the student defaults and set to the highest level of security. Save the file right now to the SYS:PUBLIC directory on the network and call it CONFIG.POL
- Double-click on the Default User. Note that each property has 3 settings:
grayed out - it will default to whatever property setting is on the workstation (see setting policies on the workstation below)
white - it will clear whichever property setting is on the workstation. Even if the workstation has a restriction set as a default, this choice will clear it (remove the restriction). This is useful for setting more relaxed policies for the teachers and yourself.
check marked - it will set the property active regardless of how it is set on the workstation (add the restriction).

I suggest setting all the restrictions below for the default user  

Default User Properties  
Control Panel 
Display 
U Restrict display control panel 
Network 
U Restrict network control panel 
Passwords 
U Restrict passwords control panel 
Printers 
U Restrict Printer Settings 
System 
U Restrict System control panel 
Desktop
U Wallpaper (set to a network directory)
----------------------------------------------
  Settings for Restrict System Control Panel 
U Hide device manager page 
U Hide hardware profiles page 
U Hide file system button 
U Hide virtual Memory button

 

For each of the Control Panel settings above there are options in the gray edit box. Check mark all of these options. I suggest setting the wallpaper to a bmp on the network to avoid tasteless images. This has been a problem in our school. You can also choose to auto delete any *.bmp so that even the default wallpaper (that shows before you login) will be blank.

 

    


Default User Properties 
Shell 
Custom Folders 
U Custom Programs Folder 
U Custom Desktop Icons 
----------------------------------------------
Settings for Custom Desktop Icons 
Path to get desktop icons from 
Z:\public\desktop 

 

I found that the students often would change the names of the icons, add icons, delete icons etc. using the right-click control panel. To avoid this, choose the option above. For the "path to get desktop icons from" make it a mapped drive available to the students. On the network make this directory access only Read and FileScan. Then if the students try to change anything on the desktop they get an error message. It keeps the desktop looking clean, and allows you to add or delete any icons without having to change each workstation individually.

You can quickly copy the current icons from the Windows\Desktop folder to this folder on the network.

 



Default User Properties 
Shell 
Restrictions 
U Remove Run command 
U Remove folders from Settings on start menu 
U Remove Find command 
U Hide drives in My Computer 
U Hide Network Neighborhood 
U No "Entire Network" in Network Neighborhood 
U No workgroup contents in Network Neighborhood 
U Hide all items on desktop 
U Disable shutdown command 
U Don't save settings at exit

 

Use caution if you check off those that I haven't, and leave them white rather than grayed out. If you "Hide drives in my computer" the user will not be able to browse through A: drive for files they have saved and want to retrieve. If you "Hide all items on desktop" they will not have any desktop icons, and will only be able to use the Start button to start programs. If you "Disable the shutdown command" they will not be able to shutdown properly.

 



Default User Properties 
-System 
Restrictions 

U Disable Registry Editing tools 
U Only run allowed windows apps 
U Disable MS-DOS prompt 
U Disable single-mode MS-DOS apps

 

Note that if you disable the MS-DOS prompt, that user will also not be able to run ANY DOS BASED PROGRAMS.

 

    


Choose OK and then double-click the Default Computer icon.   
Default Computer 
-Logon 
Restrictions 
U Require validation by network for windows access 
-Microsoft Client for Netware Networks 
U Preferred server 
U Support long file names 
-Passwords
U Disable password caching
-Update
U Remote Update
-System
U Enable User Profiles
----------------------------------------------
Settings for Preferred server 
Server name: calg_acad

 

These are my suggestions for the minimal options for Default Computer. Again, checking "Remote Update" here is critical to enabling the use of the config.pol file. If it is left cleared, your policy file will download once and then never again. The preferred server must be set so that the computer can find the Config.pol file. If you want to set support for long file names, make sure to also set up long filename support on the server (see the Novell website for instructions). NOTE: although the option does increase security, if you "require validation by network for windows access" the computers may not be usable when the network is down. Use caution when changing computer settings from grayed to the cleared position. For example, if you set "preferred server" to clear and then try to set it back to grayed, the cleared setting will already have erased the preferred server name from the registry. Setting it back to grayed will not restore the workstation's default setting (because it was erased).

Choose File|Save. Since you have already saved the file to SYS:PUBLIC/CONFIG.POL the changes will be saved to this file.
Close the file (File|Close). Then open the client32.adm template (Options|Template). Again open the Config.pol file. You cannot change templates without first closing the file.

There are no default user policies, just default computer  

Default Computer 
Novell Netware Client 32 
-Client 32 
U Preferred Server 
U Name Context 
U Preferred Tree 
Login Options 
U Enable Login Connection Options 
----------------------------------------------
  Settings for Name Context 
Context Name: students.bedrock

 

Again these are my suggested minimum settings. Make sure to set your preferred server so that the workstation can find the config.pol file. Set the name context so that you don't get "user not found in this context" errors.

 

 


Create an ADMIN user

Create a user for yourself. It may be Admin or another user name which you use to log into the network. If you use another name, replace all references below to Admin with that login name.

-Click on File|Close. Open the admin.adm template again (Options|Template) then open the Config.pol file.
-Click on the "add user" icon (single head). Call it Admin. The Admin user will be created using the restrictions of the Default User; these restrictions must be removed.
Double-click on the Admin user. Go through the lists removing all check marks and grey boxes. All boxes should be left white, so that no restrictions are applied to the Admin user. You may want to set your own desktop icons though, so that you have quick access to the network programs which you most frequently use. Obviously, you would want to set a different directory from the one used by the students.

 

Create a Teacher user

If your teachers use the same computers as the students, they may need a more relaxed level of security. At our school, we have one login name for all the teachers. If you have separate login names for each teacher, then each login will require a user icon in the config.pol.

Click on File|Close. Open the admin.adm template (Options|Template) then open the Config.pol file.
-Click on the "add user" icon (single head). Call it Teacher (or whatever the teacher's login name is). Go through the steps above removing the security you don't need. I suggest keeping most of the security just to prevent any accidental changes by teachers to your setup.
You may want to allow teachers access to the details page of the printer properties, or the Run command.
You may also want the teachers to have desktop icons which are different from the students. If so, set another network folder for these icons.

 -Click OK. Choose FILE | SAVE. AGAIN, MAKE SURE YOU HAVE AN ADMIN USER (or whichever user name you login with) WITH NO RESTRICTIONS BEFORE EXITING POLEDIT! 

Note that if you have separate logons for each teacher, this user can also be created as a Group policy, rather than as an individual user. See here for more information on creating Group policies.


Test the CONFIG.POL file

Before you go any further, test the policies.

Click the Start button, then Shutdown, then Restart
Login as yourself, make sure there are no restrictions. If you are restricted, you must go to another computer to check your user restrictions in Poledit.
Choose Start|Shutdown|Close all programs and login on a different user. Login as a student, test the restrictions. Are your desktop icons different?
Choose Start|Shutdown|Close all programs and login on a different user. Login as a teacher, test the restrictions. Are the desktop icons correct?

 

I don't think the workstation is downloading the config.pol, how do I check this?

I use a simple check to see if the policy file is being downloaded at all, and to make sure that there isn't some other problem with the options which were set. Use the TEST user (which was the first user you created) in which only the wallpaper option (a very visible option and therefore easy to test) was changed.

Create the TEST user in your NDS (of course)
Enable the use of the config.pol file on the workstation (see above)

Now when you login as TEST you should immediately see the sandstone wallpaper. If you do, you know that the config.pol is being used, and if there are still problems then it likely is with specific settings within the user in the config.pol. And of course if you don't see that wallpaper, then the config.pol file is not being downloaded by the workstation. Check that automatic remote update is set in the local computer registry (see next section).



 

Edit the Workstation's Registry

It is important to set restrictions on the workstation since the config.pol restrictions can be bypassed by disconnecting the Ethernet cable and rebooting the machine. This prevents the downloading of the config.pol security. This is a much more involved editing than the one you did in the first section!
IMPORTANT: This action edits the registry. Before you edit the registry and possibly make mistakes, you should first make a backup copy of the registry files (System.dat and User.dat). Both are hidden files in the Windows folder.
At a DOS prompt, take the SHR attributes off of the files (attrib -s -h -r user.dat) and copy them to files with the extension of old (user.old and system.old). Restore the attributes to the files (attrib +s +h +r system.dat).

You will need the Poledit.exe files and the *.adm files on a 3.5" disk since you will have no access to the network.

 

 

To edit the default registry for the workstation you must first do some cleaning of the hard drive. Delete any directories under \Windows\Profiles and any password files (*.pwl) in the \Windows directory.
Then unplug your computer from the network and restart the machine.
When Windows asks for a name and password for the Windows login, choose Cancel.

 

You will now be editing the default user registry

Open the Poledit program using the Admin.adm template.
Double-click on the Local User icon

 

Set ALL the restrictions except for "Disable shutdown command" and "Hide all items on Desktop" and especially do not check "run only allowed windows apps". If for some reason the network card fails to operate you will not be able to change any system settings if you "hide all items on desktop". You will not have access to the Control Panel, or be able to invoke Poledit by creating a new desktop shortcut to give you access to the control panel, since the policies will not have downloaded from the network. You will in effect be temporarily locked out of that workstation. If you accidentally check "run only allowed windows apps" and do not fill in the programs, then you will have absolutely no way of running poledit.exe (or any other program for that matter). BUT - there is a case where you may want to use this option to add to your security (see below).


 

Local User Properties 
Control Panel 
Display 
U Restrict display control panel 
Network 
U Restrict network control panel 
Passwords 
U Restrict passwords control panel 
Printers 
U Restrict Printer Settings 
System 
U Restrict System control Panel 
Shell 
Restrictions 
U Remove Run command 
U Remove folders from Settings on start menu 
U Remove Find command 
U Hide drives in My Computer 
U Hide Network Neighborhood 
U No "Entire Network" in Network Neighborhood 
U No workgroup contents in Network Neighborhood 
U Hide all items on desktop 
U Disable shutdown command 
U Don't save settings at exit 

System 
Restrictions 
U Disable Registry Editing tools 
U Only run allowed windows apps  (see below)
U Disable MS-DOS prompt 
U Disable single-mode MS-DOS apps

 

If you check "only run allowed windows apps" make sure Poledit.exe is on the list. Otherwise you will be completely and absolutely locked out of your machine!!! (see below)
-Click OK and double-click the Local Computer icon

 

 

Local Computer 
-Logon 
Restrictions 
U Require validation by network for windows access 
-Microsoft Client for Netware Networks 
U Preferred Server 
-Update 
U Remote Update 
-System 
U Enable User Profiles 
----------------------------------------------
  Settings for Remote Update 
Update mode: Automatic (use default)

 

Preferred server tells the workstation which server contains the policy file, remote update informs it to find the config.pol on the Public directory of that server. Checking "Enable User profiles" and "Remote Update" in the local computer is critical to enabling the use of the config.pol file.

I wouldn't suggest setting the update mode to manual and putting in an alternate path name; it never worked properly for me.

 

 

Choose OK
Choose File|Save. The changes will be saved to the local registry. Close the registry File|Close
Open the client32.adm template (Options|Template)
Double-click on the Local Computer

 

Local Computer 
Novell Netware Client 32 
-Client 32 

U Preferred Server 
U Name Context 
U Preferred Tree

Login Options 

U Enable Login Connection  Options

----------------------------------------------
Settings for Name Context 
Context Name: students.bedrock

 

Again make sure you have put in the preferred server. Frankly, I'm not sure which is more important: setting the preferred server with the client32.adm or the admin.adm.

 

 
Choose OK
Choose File|Save
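
An offline check of the result of the procedure above, added here as an example and not part of the original tutorial: it reads a REGEDIT4 export of the default user's policy keys and lists the restrictions that are still unset, plus the settings the tutorial warns can lock you out. The value names are the ones commonly documented for admin.adm and are an assumption to verify against the template you loaded; the sample export is constructed.

```python
import re

# Policy root for the default (no-login) user, the hive edited in the steps above.
POLICIES = r"HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies"

# Assumed value names (commonly documented for admin.adm; verify against your template).
# The tutorial says to set every restriction on the workstation except the ones below.
REQUIRED = {
    "Explorer": ["NoRun", "NoSetFolders", "NoFind", "NoDrives", "NoNetHood", "NoSaveSettings"],
    "Network": ["NoNetSetup", "NoEntireNetwork", "NoWorkgroupContents"],
    "System": ["NoDispCPL", "NoSecCPL", "DisableRegistryTools"],
    "WinOldApp": ["Disabled", "NoRealMode"],
}
# "Hide all items on desktop" and "Disable shutdown command" should stay unset locally.
LEAVE_CLEAR = {"Explorer": ["NoDesktop", "NoClose"]}

# Constructed sample export, not taken from a real workstation.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoFind"=dword:00000001
"NoSetFolders"=dword:00000001
"NoNetHood"=dword:00000001
"NoSaveSettings"=dword:00000001
"NoDesktop"=dword:00000001
"RestrictRun"=dword:00000001

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="winword.exe"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"NoDispCPL"=dword:00000001

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"NoNetSetup"=dword:00000001
"NoEntireNetwork"=hex:01,00,00,00
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Parse a REGEDIT4 export into {key_path_lower: {value_name_lower: int or str}}.

    Handles dword:, short single-line hex: (little-endian) and string values.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        match = VALUE_RE.match(line)
        if current is None or not match:
            continue
        name, data = match.group(1), match.group(2)
        if data.startswith("dword:"):
            value = int(data[6:], 16)
        elif data.startswith("hex:"):
            raw_bytes = bytes(int(b, 16) for b in data[4:].split(",") if b)
            value = int.from_bytes(raw_bytes, "little")
        else:
            value = data.strip('"').replace("\\\\", "\\")
        current[name.lower()] = value
    return keys


def audit(text, admin_tool="poledit.exe"):
    """Return unset restrictions and lockout risks for the default user."""
    keys = parse_reg(text)

    def is_set(sub, name):
        value = keys.get((POLICIES + "\\" + sub).lower(), {}).get(name.lower(), 0)
        return isinstance(value, int) and value != 0

    missing = [f"{sub}\\{n}" for sub, names in REQUIRED.items()
               for n in names if not is_set(sub, n)]
    lockout = [f"{sub}\\{n}" for sub, names in LEAVE_CLEAR.items()
               for n in names if is_set(sub, n)]
    # "Only run allowed windows apps" without the admin tool listed means no way back in.
    if is_set("Explorer", "RestrictRun"):
        allowed = keys.get((POLICIES + r"\Explorer\RestrictRun").lower(), {})
        if admin_tool.lower() not in {str(v).lower() for v in allowed.values()}:
            lockout.append("Explorer\\RestrictRun (admin tool not in allowed list)")
    return {"missing": missing, "lockout_risk": lockout}


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for section, items in report.items():
        print(section)
        for item in items:
            print("  " + item)
```

If you use the renamed-executable tip from the Tips section, pass that file name as admin_tool.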



What About Stand-Alone Computers?

This section is also for computers on a peer-peer Windows network, since the SPE does not recognize this as a true network.

For setting up the above type of security on stand alone workstations, follow this link to the Zdnet web site. http://www.zdnet.com/pcmag/pctech/content/solutions/uu1513a.htm
Or this link on the Microsoft web site
http://support.microsoft.com/support/kb/articles/q147/3/81.asp

If you follow the other instructions on this page, note that checking the computer policy "Require validation by network for windows access" will create an additional logon dialogue box called "Domain". Error messages will result due to the fact that the computer is stand-alone.

 

 


What About Group Policies?

GROUP POLICIES MUST BE INSTALLED ON EACH Windows 9x WORKSTATION!

1. Insert the Windows95 CD
2. Open the Control Panel
3. Double-click on the Add/Remove Programs icon
4. Click on the Windows Setup tab
5. Click on the Have Disk button
6. Browse to the \ADMIN\APPTOOLS\POLEDIT directory on the CD.
7. Click on the next two OK buttons.
8. Highlight the Groups Policies box and click on the Install button.
9. This will install GROUPPOL.DLL in the \WINDOWS\SYSTEM directory as well as make a few registry changes.
10. When you create a policy file, you can now use Add Group. Anyone in that NT or Netware group will have the policies you set applied.

 

When creating a new group, type in the fully qualified group name in capitals (i.e. STUDENTS.RESOURCES, where resources is the tree name); otherwise you may have some problems picking up the policies, especially if the groups are in different contexts. The short name works fine for individual users.

 

 



What about NT Servers?

As far as I am aware, these procedures also work on an NT network (NT 4 server). The main difference is the location of the config.pol (or ntconfig.pol) file - it should be put in the NETLOGON share (the %systemroot%\system32\repl\import\scripts directory). You also must have at minimum Service Pack 3 installed on the workstation (and the server if you have an NT4 server).
Here is some help regarding NT and policies from Microsoft http://support.microsoft.com/support/ntserver/serviceware/10141380.asp

 

 


Profile Folder/Directory problems

 I have had a number of weird printing problems resolved by deleting the Windows profile subdirectory. I now autodelete the whole thing by putting the following line in the student's login script:
#\\server_name\sys\public\cleanup.pif
MAKE SURE THIS LINE OCCURS BEFORE YOUR DRIVE MAPPINGS in the login script otherwise when you del *.acl, you will lose those mappings.

Windows95 will automatically create a pif for you. Just right click on the batch file and choose create shortcut. The pif above refers to the following batch file (also in the public directory)

 

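rem Switch to the Windows directory on C:
c:
cd\windows
rem Remove every stored user profile
deltree /y c:\windows\profiles\*.*
rem Remove wallpaper bitmaps, *.acl files and cached password lists
del *.bmp
del *.acl
del *.pwl
rem Remove the *.chk files that scandisk leaves in the root directory
cd\
del *.chk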

 

I have the batch file delete any *.bmp in the directory to avoid tasteless wallpaper being installed by the students. See note above. I have added the last line to auto delete the *.chk files in the root directory created by scandisk.
I delete any password lists *.pwl due to the following: http://support.microsoft.com/support/kb/articles/Q132/8/07.asp

 

 



Tips (newest at top)

Speeding up the policy file - if it's taking a long time to download and merge the policy file, make sure you have as many grayed policy options as possible. While Windows processes the cleared and checked options (taking time), any grayed options are skipped (speeding up the process).
RUN ONLY ALLOWED PROGRAMS - WHY WOULD I USE THIS?
-To avoid the students bringing in a copy of Poledit and removing the default restrictions, you could try checking off "run only allowed programs" (see above) and ONLY put the poledit program in the list BUT do the following. Allow the Run command, and in the list of allowed programs put something like secret.exe - then copy poledit onto a floppy disk and rename the poledit.exe file to secret.exe. Now, you CAN run poledit, but only you know what is the allowed fake name.
-You may want to "run only allowed programs" on a special login called EXAM. To let the students use only word processing programs and not anything else - such as IE4.
-If you want to add some DOS programs to the "run only allowed" list, you have to either enter a BAT file or a PIF filename (you can make a PIF by creating a shortcut to the DOS program). Adding the DOS EXE does not seem to work. 
Note that when you add a filename, you DO NOT need the full pathname - only the file name of the executable (i.e. only enter poledit.exe, not c:\windows\poledit.exe)
Hide A: drive only - under HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer make a new DWORD entry called NoDrives with a Hex value of 1
Most Windows95 installations have remote update set as default. This means that if you set up a new computer in the office, it will likely download the "default user" security. To avoid this problem have an icon in the Config.pol for that user which has no restrictions. An easy way to do this is to create the user, then click and highlight your user icon, choose Edit|Copy, click on the office user and choose Edit|Paste. The office user now has no restrictions on the use of their own workstation.
Long Filename support - add LONG.NAM for Netware 4, an update of which is found in the Intranetware support pack 5 at
http://support.novell.com/cgi-bin/search/download?/pub/updates/nwos/iwsb411/iwsp5b.exe&sr
(use OS2.NAM for Netware 3) plus read this http://support.microsoft.com/support/kb/articles/q137/2/75.asp
MAKE SURE that you "add namespace long"   first, and don't just run the long.nam.
Make sure the Config.pol file has Read/FileScan access (but only that level of access) for all users. For WindowsNT servers, you may need write access to also be enabled. SP3 fixes this problem.
Don't forget to complete the edit boxes for some of the policies, such as the display restrictions, or the preferred server.
If you have the space on your server, try using the program GHOST.EXE to make an image file of your workstation. It's easier to replace the image than to spend hours trying to find out why you are getting error messages. http://www.ghostsoft.com
Remember that the Novell NDS requires bindery emulation to be enabled if you are using MSNDS (or if  you are trying to add group policies)  http://support.microsoft.com/support/kb/articles/q169/8/80.asp
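
The "Hide A: drive only" tip above uses a NoDrives value of 1 because NoDrives is a bitmask with one bit per drive letter (A: is bit 0, B: is bit 1, and so on up to Z: at bit 25). The added example below, which is not part of the original page, generalizes the tip to any set of drives, decodes an existing value, and writes the matching REGEDIT4 fragment for the same key; the function names are hypothetical.

```python
import string

# Same key as in the tip above (default user policies).
KEY = r"HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def nodrives_mask(letters):
    """Build the NoDrives bitmask for drive letters such as "A", "a:" or "D"."""
    mask = 0
    for letter in letters:
        ch = letter.strip().rstrip(":").upper()
        if len(ch) != 1 or ch not in string.ascii_uppercase:
            raise ValueError(f"not a drive letter: {letter!r}")
        mask |= 1 << (ord(ch) - ord("A"))
    return mask


def hidden_drives(mask):
    """Decode a NoDrives value back into the list of hidden drives."""
    if not 0 <= mask < 1 << 26:
        raise ValueError("NoDrives uses only the low 26 bits")
    return [f"{c}:" for i, c in enumerate(string.ascii_uppercase) if mask >> i & 1]


def reg_fragment(letters):
    """Render a REGEDIT4 file that sets NoDrives for the default user."""
    return f'REGEDIT4\n\n[{KEY}]\n"NoDrives"=dword:{nodrives_mask(letters):08x}\n'


if __name__ == "__main__":
    print(reg_fragment(["A"]))           # the tip from this page: hide A: only
    print(hidden_drives(0x03FFFFFF))     # all 26 bits set hides every drive
```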

 

 


 

 

Miscellaneous Problems/Solutions (newest at top)  See the Tips from fellow admins section too

 
Problem with MS Access files - it has been reported that, with the policy "run only allowed programs" checked, even with Access in the programs list, access is denied to mdb files. The workaround is to create a batch file with a call to MS Access which in turn calls the relevant mdb file.
*Another solution is provided by Mark Wills here
Problem with Novell Help files - if the users click Help in the login window, they gain access to a menu bar. To avoid this: 1) update to the latest client 2) remove the file C:\windows\nls\english\axcred.hlp.
Group policies won't work on NetWare 4.x or 5.x - make sure you have bindery emulation running on your server. 
Changes are being made to the desktop via the right-click context menus, or new shortcuts are being created. See note above
There is a security problem with Windows95a and service release 1 - read the following Microsoft documentation http://support.microsoft.com/support/kb/articles/Q132/8/07.asp
F3 shortcut to Find command. It can't be disabled, but you can reassign the F3 key to some other program. Make a desktop shortcut to a program, then right-click on it and choose Properties. Beside Shortcut put F3.
Office 97 Word - when you click File|Open, then right click on the window you can get access to Explorer and potentially change file associations. To disable this, use the IE4.ADM file that is contained in the TEMPLATE.ZIP file mentioned at the beginning of this document. Choose Internet Explorer 4, then the Shell option, Shell again, and check off "disable context menu in shell folders". Apparently, this does not work with Win95a.
To retain the ability to use R-click, an alternative tip from Paul Taylor (thanks Paul) is to delete the registry entry HKEY_CLASSES_ROOT\Folder\shell\explore The "Explore" option is then removed from the Context Menu.



 

TIPS FROM FELLOW NETWORK ADMINISTRATORS

Phalen180
  
His very useful programs are available at his website http://www.infin8ty.com/progs.asp One is called Hide Drives and basically generates an ADM file that specifies which drives you would like to be viewable in My Computer. Another program Setbyreg uses the exporting function of Regedit to pull a value out of the registry. It then parses the information returned (such as ComputerName) and sets a DOS environment variable from a registry value (such as %COMPNAME%). Finally, REGENV will set a registry value from a DOS environment variable. 

Paul Taylor 
Offers many great solutions for problems such as the annoying ability to set wallpaper using MSPaint. Check here for his tips.

Laura Rose 
Laura reported "I can log on as Administrator give the user administrative rights; however, when I log off then back on as the user, the user can't access the user account. The error is insufficient privileges." Her solution to this problem (for if the Administrator on an NT workstation wants to log on as a user and change the System Policy for a particular user's settings), is found here.

Keith Church
To keep from writing to your NetWare home (mail) directory, add the following to the registry:
HKey_Local_Machine\Network\Logon - add a DWORD entry called 'UseHomeDirectory' with a value of 0 (zero)

Robert Kennedy
To avoid the "accidental" merging of a registry file (*.reg) into the registry, change the default double-click command from MERGE to EDIT. It is a simple registry edit. In  HKEY_CLASSES_ROOT\regfile\shell\  change the default value from " " to "Edit" . The default value defines the command that will be used when you double-click the REG file. 

For more fancy registry edits from Robert, check here.

GvL  (http://members.tripod.lycos.nl/GvL/index.html)
Use the free utility from PCMagazine ( http://www.pcmag.com ) called WinTidy95. This utility can restore the positions of icons on the desktop. He has available a program which will start and close the WinTidy95 utility automatically.

Jake Hazelip 
Jake's tip on how to automate the use of a particular desktop, and how to automate group policy support, is here .

Paul Dolling
Paul's solution to have different setups for different locations is here. I.E. If a user logs on at the computer that has the scanner connected they would want the scanner software available. If users log in on computers in the CDT department they want the CAD software. 

Jonathan Cook       jonathan@infin8ty.com
Jonathan's method for using the %USER% environment variable to change registry entries such as computer name is found here.

 

 


Some other sites and security programs

A very good site with Win95 resources http://www.ambitweb.com/win95/win95.html also http://www.ambitweb.com/win95/cdwin95.html which has the Win95 CDROM extras (like the quickview program), http://www.ambitweb.com/win95/win95ta.html Win95 technical assistance and finally http://www.ambitweb.com/win95/win95.html which is a list of Win95 sites.

An interesting site with advanced Windows 95 tips http://www.howdyneighbor.com/jgilderl/#NN

How to make registry changes using INF files http://www.performancecomputing.com/unixintegration/9811/9811f1.htm

Public access computer security information http://infopeople.berkeley.edu:8000/Security/

Windows95 security programs reviewed http://infopeople.berkeley.edu:8000/Security/reviews/index.html

For utilities that give control over F3 and other keys check http://home.plutonium.net/~bjackson/

TWEAKUI for Windows 98 http://www.annoyances.org/win98/features/tweakui.html

Keyremap from MS Kernel Toys can be installed to disable or remap troublesome hotkey combinations

 

Programs (may want to look at these if you need more protection of C: drive)

HDDprot from http://www.geocities.com/SiliconValley/Lakes/8753

Full Control http://www.bardon.com has a standalone or network version. Individual users can be set up. Windows hotkeys can be disabled, printing can be restricted to max pages/copies, file permissions can be set to read-only, full or no access even in safe mode.

PreLog http://members.tripod.lycos.nl/GvL/index.html doesn't strictly protect C: but it does stop one security problem with NetWare. Namely the fact that you can't use the option of validating the logon from the network before allowing Windows access IF the NIC is unplugged from the network. PreLog also allows you to customize the look of the logon screen and some other goodies.

Fortres101 http://www.fortres.com/ network version for NT now, and the Novell version will be available soon.

Storm Windows http://www.cetussoft.com/stormwin.htm a security program that sounds much like Poledit. It doesn't seem to offer file level protection.