Create Secure User Profiles with Windows 95's Policy Editor
Publicly accessible computers, such as those in schools,
require a significant degree of security to prevent abuse. The Windows
95 CD-ROM provides the tool you need to implement restrictive policies
on such machines in the form of the Policy Editor (POLEDIT) application.
The Windows "Policy Editor" setup can be found in the Windows resource
kit on your Win 95/98 installation CD. For the Windows 95 installation
CD-ROM, the policy editor (poledit.exe) is in the \admin\apptools\poledit\
directory. For the Windows 98 installation CD-ROM, the policy editor (poledit.exe)
is in the \tools\reskit\netadmin\poledit\ directory. You then run the
"Policy Editor" (poledit.exe) to set which users or groups can access
what resources (for example, access to the Control Panel, Hard Drive,
Floppy Drive, Printers, make changes to the Desktop, etc.) on your Windows
95 or Windows 98 machine. Unfortunately, the Windows 95 Resource Kit doesn't
tell you how to use POLEDIT for standalone computers, so I developed a
method of my own:
- Prepare the System. Use Explorer to make backup copies of USER.DAT
and SYSTEM.DAT, in case of emergency. Make sure you have at least
10MB free on the Windows drive to hold user profile information.
- Enable User Profiles. Launch the Password applet in Control Panel.
Click the User Profiles tab, click the option Users can customize...,
and check the two check boxes. Click OK; Windows will restart.
- Create Profiles. When Windows restarts, log on as User and allow
Windows to create folders to hold your profile information. Shut down
and log on again as Administrator, with a suitably obscure password,
and again allow Windows to create profile folders. Don't forget this
password!
- Restrict User Access to Programs. While logged on as Administrator,
use Explorer to navigate to C:\WINDOWS\PROFILES\USER\STARTMENU. In
this folder and those below it, delete any shortcuts to programs the
user shouldn't be allowed to run, including every shortcut in the
Recent folder. Be sure to delete shortcuts to POLEDIT, Regedit, and
Explorer.
- Install Policy Editor. Launch the Add/Remove Software applet in Control
Panel, click the Windows Setup tab, and press the Have... button.
Navigate to the ADMIN\APPTOOLS\POLEDIT folder of the Windows 95 CD-ROM
and install POLEDIT.INF. This will install POLEDIT and put it on the
Accessories\System Tools submenu of the Programs menu. It will also
place the critical policy template file ADMIN.ADM in the C:\WINDOWS\INF
directory. If you don't have the CD, you can download POLEDIT from
http://www.microsoft.com.
- Define Default User Policy. Launch POLEDIT, create a new file, and
add new users named User and Administrator. Double-click the Default
User icon, select System | Restrictions, and check all four boxes.
Select Shell | Restrictions and check the four boxes whose captions
begin with Remove, plus the two that say Hide All Items on Desktop
and Don't Save Settings at Exit. Do not check the Disable Shut Down
command. Use Explorer to create a folder named C:\WINDOWS\PROFILES\DUMMY.
Back in POLEDIT, select Shell | Custom Folders and check all the boxes,
filling in the dummy folder name you just created for those that require
paths. Click OK and save the file as CONFIG.POL.
- Define User Policy. Load the example policy file MAXIMUM.POL, click
on the Default User icon, and choose Copy from the Edit menu. Reload
CONFIG.POL, click on the User icon, and select Paste from the Edit
menu. Double-click the User icon and choose Shell | Custom Folders.
Click on the text of each check box in turn and, if an edit box appears
below, replace C:\WINDOWS with C:\WINDOWS\PROFILES\USER. Make sure
all boxes remain checked. Select Control Panel | Passwords and check
the Restrict box; then check the other four boxes that appear below.
Under Shell | Restrictions, check Remove Run command, Remove Find
command, Hide Drives in My Computer, and Don't Save Settings at Exit.
Consult the Windows Resource Kit Help to determine what other restrictions
you may wish to add, but be sure not to check Disable Shut Down command.
Now go to Shell | Restrictions and System | Restrictions and change
any gray check boxes to blank.
- Define Administrator Policy. Double-click the Administrator icon
and go through the entire list of restrictions, setting every check
box to blank, not gray. This protects the Administrator policy from
being affected by the Default User policy.
- Define "no user" Policy. Log on again, but press Esc to close the
log-on prompt. Run POLEDIT, select Open Registry from the File menu,
and double-click Local User. Apply all the same restrictions you applied
to Default User. Then log on as Administrator again.
- Enable Policy Loading. Load CONFIG.POL in POLEDIT, open the Default
Computer icon, select System, and check Enable User Profiles. Under
Network\Update, check Remote Update. Select Manual for the Update
Mode, and enter C:\WINDOWS\CONFIG.POL as your path. Save CONFIG.POL.
Now select Open Registry from the File menu, double-click Local Computer,
and make the same change to the network update mode. Save changes
and exit POLEDIT.
- Test Policies. Log on as User; check to see that the policy restrictions
you specified are in place. Log on as Administrator and check that
there are no restrictions. Now shut down and log on again, but use
a new name and password. There should be no icons on the desktop and
no programs available from the Start Menu (nothing to do but log on
again). This time press Esc at the log-on prompt to bypass entering
a user name. Again, you should have no option but to shut down and
log on again.
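The manual test above confirms the restrictions by logging on and looking. A second, repeatable check is to export the policy keys with REGEDIT /E and compare the export against the settings the Define User Policy and Enable Policy Loading steps are supposed to produce. The script below is an added example, not code from the article; it parses a REGEDIT4 export (the format Windows 95's REGEDIT writes) and audits it. The export text is constructed for the example, with two mistakes planted in it, and the mapping from check-box captions to registry value names (NoRun, NoFind, NoDrives, NoSaveSettings, NoDesktop, NoClose, DisableRegistryTools, NoSecCPL) and the meaning of UpdateMode 2 = Manual are assumptions drawn from ADMIN.ADM and the Windows 9x policy documentation rather than from the article; confirm them against the ADMIN.ADM you installed.

```python
"""Audit a REGEDIT4 export against the User policy and policy-loading steps."""
import re

# Keys POLEDIT writes restrictions to (uppercased for case-insensitive lookup).
EXPLORER = r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER"
SYSTEM = r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM"
UPDATE = r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\UPDATE"

# Check-box caption from the procedure -> (key, value name). The value names are
# assumed from ADMIN.ADM (not stated by the article); verify against your copy.
REQUIRED_SET = {
    "Remove Run command": (EXPLORER, "NoRun"),
    "Remove Find command": (EXPLORER, "NoFind"),
    "Hide Drives in My Computer": (EXPLORER, "NoDrives"),
    "Don't Save Settings at Exit": (EXPLORER, "NoSaveSettings"),
    "Hide All Items on Desktop": (EXPLORER, "NoDesktop"),
    "Disable Registry editing tools": (SYSTEM, "DisableRegistryTools"),
    "Passwords: Restrict": (SYSTEM, "NoSecCPL"),
}
# The article says never to check this one, or the user cannot log off.
MUST_BE_CLEAR = {"Disable Shut Down command": (EXPLORER, "NoClose")}

# Constructed sample export. Two mistakes are planted: NoClose is set, and
# UpdateMode is Automatic (1) instead of Manual (2).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoFind"=dword:00000001
"NoDrives"=dword:03ffffff
"NoSaveSettings"=dword:00000001
"NoDesktop"=dword:00000001
"NoClose"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"NoSecCPL"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Update]
"UpdateMode"=dword:00000001
"NetworkPath"="C:\\WINDOWS\\CONFIG.POL"
"""


def parse_regedit4(text):
    """Parse a REGEDIT4 export into {KEY: {VALUENAME: value}}, names uppercased."""
    reg, key = {}, None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.upper() == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()
            reg.setdefault(key, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or key is None:
            continue  # default values (@=) and unknown lines are ignored
        name, raw = m.group(1).upper(), m.group(2)
        if raw.lower().startswith("dword:"):
            reg[key][name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            # regedit escapes backslashes and quotes inside string values
            reg[key][name] = re.sub(r"\\(.)", r"\1", raw[1:-1])
        else:
            reg[key][name] = raw  # hex:/binary data kept as text
    return reg


def lookup(reg, key, name):
    return reg.get(key, {}).get(name.upper())


def audit_user_policy(reg):
    """Findings for the User policy; an empty list means it matches the steps."""
    findings = []
    for caption, (key, name) in REQUIRED_SET.items():
        if not lookup(reg, key, name):
            findings.append(f"not set: {caption} ({name})")
    for caption, (key, name) in MUST_BE_CLEAR.items():
        if lookup(reg, key, name):
            findings.append(f"must be clear: {caption} ({name})")
    return findings


def audit_policy_loading(reg):
    """Check the Network\\Update values that make CONFIG.POL load at logon."""
    findings = []
    if lookup(reg, UPDATE, "UpdateMode") != 2:  # 2 = Manual (assumed)
        findings.append("UpdateMode is not Manual (2)")
    path = lookup(reg, UPDATE, "NetworkPath") or ""
    if path.upper() != r"C:\WINDOWS\CONFIG.POL":
        findings.append(f"NetworkPath is {path!r}, expected C:\\WINDOWS\\CONFIG.POL")
    return findings


if __name__ == "__main__":
    reg = parse_regedit4(SAMPLE_EXPORT)
    for finding in audit_user_policy(reg) + audit_policy_loading(reg):
        print("FINDING:", finding)
```

Run against a real export, the script reports exactly which of the boxes from the steps above are not in effect, and it flags the one setting the article warns against (Disable Shut Down command) if it has crept in from MAXIMUM.POL; on the sample it prints the two planted findings.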
-
For more information and a Policy Editor tutorial, see http://www.etwebtools.org/poledit.htm