Limiting Users w/ Policies

[okay]

Can someone give me step by step directions on how I could limit a user's permissions to ONLY allow Internet Explorer and Microsoft Word to run (as well as the necessary Windows processes).

I know this may involve the use of 3rd party software but I would prefer to create these limitations through group policy editor ONLY.

Please do not tell me to switch to a Linux based operating system as it is not an option and do not give information that you do not know to be 100% accurate. Thank you.

Windows XP Professional SP2.
1 Administrator account, 1 Debugger/Adminstrator account, 5 normal user accounts.

[Striek]

I think you could do this with a radical reassignment of permissions.

First, deny all access for normal users to everything. No read access, no directory traversal, no execute permissions, nothing. Then begin assigning read permissions to what you need users to be able to access.

To normal user accounts, assign read only access to the 'C:\WINDOWS' (or whatever yours is called) directory, and make sure to allow write access to the user profile directories under 'C:\WINDOWS\DOCUMENTS AND SETTINGS\<USER>' directories. Then assign read only access to the programs directories for Internet Explorer and Word, somewhere in 'C:\PROGRAM FILES'.

A few other permissions have to be set up as well. I am not sure if users require access to the pagefile, so that may require some testing. Make sure that any temporary directories have write access as well. There may be more than one, so do a thorough search for them. If user home directories have been reassigned to somewhere else, make sure they have write access to that too.

I am not sure if users will require write access to Internet Explorer and Word directories, but I don't think so. If they do, try to limit write permissions as much as possible in order to prevent users from installing programs to these directories.

All this can be done with Windows file and directory permissions if you are using NTFS. It is only for a single local machine, as I assume that is the environment in which you will be setting these restrictions.

Hope this helps... I can provide some screenshots if you need them.

[kr5kernel]

if you are using domain policies, there is a setting under user configuration, administrative templates that will allow you to pick what application a user can run.

There are two options:
Allow user to only run specified programs and do not allow users to run a spcified list of programs.

I am not sitting at my PDC at the moment, so sorry if the nomenclature is a little off.

[okay]

Striek, very good logic, I've gone ahead and made a test account and am trying to do exactly what you said through file permissions. One thing is for sure, it is a pain in the ass trying to get everything locked down while still making the system usable to the extent it needs to be used at. And what the benefit of this idea is that once I find the perfect settings for my test account, I just apply to that user's group, and starting adding accounts.

kr5kernel, I've looked through group policy editor and currently am using a number of it's predefined scripts, but couldn't find what you're talking about. Could you point me in the right direction?

[!mitationRust]

Windows NT has many controls for tightening its security. However, even in the most secure mode that these guidelines address, they do not blindly recommend the tightest settings for all controls. Implicit in the guidelines is the understanding that its recommendations must be both effective against certain threats and also practical. Some controls impede operational capability and their use must be carefully balanced against the security they offer. ~ MDA904-97-C-0336 (found @ http://www.trustedsystems.com/ )