workstation lockdown

[Spyrus]

I am running into an issue where I need a lot of different security ideas to bring to a client of mine and am hoping someone can help

background: client is a non-for-profit organization. has a video monitor system to keep watch on ppl through out the compound. There is a PC in a central monitoring system that has been having various users accessing the internet and surfing non-work friendly websites. Most of which includes porn and other websites.

Site uses windows 2000 server with AD running, there are roughly 30 computers that connect and authenticate to this server. a couple of which are dummy terminals.

Problem: The computer that ppl are connecting to when I showed up on site doesnt NOT need internet access only intranet access to remotely connect to a local camera system. When I arrived onsite computer would login using
login: administrator with no password.

I joined it to the domain and gave the folder that controls the program for the camera system full control so that it can read and write to itself. Then set a local

Solution:
I am looking for one of multiple solutions or ideas as to what you think would be best:

Should I create a GPO for just that PC that states it is not allowed to connect to the internet?

Is there a way to make the PC startup, login automatically, open just that program in a console mode which I could lock and make it so noone without a password would be able to exit it?

Can I add it to a dumb terminal and block internet access?

Any other ideas?


On a side note does anyone know of a program similar to websense that would be either really cheap or free to implement to filter out websites?

[XTC46]

I would first set a password for the admin account. you NEVER want average users to have admin powers. then setup a new account for people to log in as and deny that account access to everything but the program they need ot view the camera.

[Spyrus]

I have reset the password as I stated but what is the best way to deny access to everything else?

[Tiger Shark]

Remove the default gateway and prevent users from accessing the network properties.

It will chat away merrily withthe local subnet but will have no idea where to find the internet...

[XTC46]

hmm... well first off throw them in the "guest group" this will cut back their rights ALOT. then go o things like inernet explorer and go into the security settings and deny that group access. do the same for each major application you dont want them to use. Being in gues will make it so they cant change this stuff, and they wont be able to download/install other things to use. There is probably a more efficient way but Id have to have a 2000 box in front of me and mess around with it for a bit, Ive gotten to familiar with xp lol.


edit**

haha I guess tigers way will work too.

[JAZZMAN]

you can disable access to any windows program in group policy...in Active directory

[oofki]

Yeah you can use policies but htey are easy to get around. Are all the clients 2k systems? 9x machines are really tough to secure.

[ammo]

Originally posted here by Tiger Shark
Remove the default gateway and prevent users from accessing the network properties.

It will chat away merrily withthe local subnet but will have no idea where to find the internet...

Nothing more to add to that.

Seriously, just configure the interface TCP/IP prefs manually and don't give it a gateway.
Assuming the users don't have the privileges to add a route or such, this is almost* as good as having a deny rule on a firewall...


*At least better than trying to disable all and any program that might acces the internet with group policies...


Ammo