Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

How to restrict "Limited Users" save documents only on USB stick - WindowsXP Pro

Options
  • 25-03-2011 12:03pm
    #1
    net4hack
    Closed Accounts Posts: 131 ✭✭


    Is there any way to restrict "limited users" in Windows XP Pro (WorkGroup) to save their documents / downloads etc only on USB stick, ie not allowing to save any content on local disk. The 5 PC's on LAN are just for public internet browsing.

    Is there any local security policy that could be enforced to do this?
    Tagged:


Comments

  • Options
    #2
    homer911
    Registered Users Posts: 5,119 ✭✭✭homer911


    In work on our XP machines this is controlled by setting the maximum profile size - it doesn't prevent saving to the local hard drive, but it does limit the amount that can be saved.

    You could then schedule something like ccleaner to run once a day and purge this stuff..


  • Options
    #3
    Shane O' Malley
    Registered Users Posts: 1,373 ✭✭✭Shane O' Malley


    There are a number of systems out there that will return the HD to a previous state after every reboot. (Admin mode if you want to change anything)

    Would that do the job. User can still save files but they disappear when you reboot.


  • Options
    #4
    Fysh
    Moderators, Arts Moderators, Regional Abroad Moderators Posts: 11,053 Mod ✭✭✭✭Fysh


    @Net4Hack - what you want is Windows Steady State. Sadly, it has been discontinued by Microsoft and is no longer available for download. I have a copy of the installation file and documentation, that I have zipped up and uploaded to Sendspace here.

    Assuming you're willing to trust something provided by what amounts to A Stranger On The Internet, that'll be the easiest way to do what you need to do - I use it on an XP box we have for communal network access and scanner use at work, and it lets you control all sorts of things.

    Alternatively, if you're a bit more cautious and don't want to trust the download I've linked above, you can refer to Microsoft's 51-page document on "Creating a Steady State by Using Microsoft Technologies" - it's available here. This is more tedious, as you have to go through setting a whole bunch of group policies on each machine to achieve a similar result, but as I say, it means you're not trusting a download from an anonymous stranger on the 'net.


  • Options
    #5
    net4hack
    Closed Accounts Posts: 131 ✭✭net4hack


    @Shane,
    dont want to restore all the contents of the HD to a previous state. Only for limited users.

    Hi Fysh,
    Would the Windows Steady State you mentioned restore all the hard disk contents to a previous state? I need to keep the admin docs and downloads there and only need to remove all limited user public user docs, web history, downloads, etc.

    Possible?


  • Options
    #6
    Shane O' Malley
    Registered Users Posts: 1,373 ✭✭✭Shane O' Malley


    Have a look at http://en.wikipedia.org/wiki/Windows_SteadyState#Discontinuation_and_Alternatives


  • Advertisement
  • Options
    #7
    Fysh
    Moderators, Arts Moderators, Regional Abroad Moderators Posts: 11,053 Mod ✭✭✭✭Fysh


    net4hack wrote: »
    @Shane,
    dont want to restore all the contents of the HD to a previous state. Only for limited users.

    Hi Fysh,
    Would the Windows Steady State you mentioned restore all the hard disk contents to a previous state? I need to keep the admin docs and downloads there and only need to remove all limited user public user docs, web history, downloads, etc.

    Possible?

    I'm pretty sure it can do, you can restrict access to all sorts of places - I've set up our scanning station to not let people save files anywhere except one directory or their pendrive if they've connected one, and you can set it to roll back any changes made when people log out. If you're interested, download the file I linked to - it's got all the documentation in there, which goes into plenty of detail.


  • Options
    #8
    Capt'n Midnight
    Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 91,568 Mod ✭✭✭✭Capt'n Midnight


    the very act of browsing means they are downloadig web pages to the machine be it in the temp folder or cache , this means they have write permissions - no easy technofixes


    encrypt the HDD, and then they can use a linux live cd :P


    or they could use portable apps - so firefox runs on the usb key and documents should be saved there too



    user education is the best way

    but if you don't trust the users don't let them have physical access to a machine capable of accessing your network, it should be on the outside of your firewall


  • Options
    #9
    Fysh
    Moderators, Arts Moderators, Regional Abroad Moderators Posts: 11,053 Mod ✭✭✭✭Fysh


    If you're using steadystate you can easily restrict what applications they can run (including, I think, where they can be run from), and you can restrict the browsers to only access certain sites. You can stop them accessing the command line, stop them opening the task manager, limit their access to only specific drives/directories...it's a pretty powerful utility, and it's genuinely a shame that Microsoft have chosen to retire it.

    It only works if you combine it with a password-protected BIOS that only allows booting from the hard drive and a locked, intrusion-aware chassis. But that goes without saying for almost any approach to securing a computer.


  • Options
    #10
    net4hack
    Closed Accounts Posts: 131 ✭✭net4hack


    I would give "Windows Steady State" a try.


Advertisement