Results 1 to 10 of 10

Thread: How to Limit Win2000 wif only Web Surfing Priviledge!

  1. #1

    How to Limit Win2000 wif only Web Surfing Priviledge!


    Have friend who wana setup a small internet corner in his resturant, and i hope to help him set it up.

    How to configure a Win 2000 wif limited priviledges.

    Like only able to surf the web.

    He must not have priviledge to access C Drive Nor Delete any files or Download any files.
    All he can do is just to surf the web!

    Will to Learn

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Rotterdam, Netherlands
    Setup a firewall+proxy that's able to filter your traffic (to prevent downloads and potentially 'bad' traffic). Then setup a limited user account on the win2k machine to prevent modification of the windows configuration.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member
    Join Date
    Jan 2002
    You can use policy editor to disable bits of Windows own functionality - unfortunately I don't know if disabling the browser's save feature is feasible. Replacing the shell with a third party one is also an option.

    One option is to set up very tight ACLs on the filesystem - although the user will probably still need write access to their profile and the temp directory.

    Preventing file downloads with a proxy server is a good idea, it needs to be able to have a "whitelist" of file types really, and anything else should be rejected. Of course you will need to ensure that things that you want to download can still be downloaded, like Windowsupdate and stuff (perhaps make an exception for the windows update site)


  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    The method a lot of people use to deal with publicly accessible machines is to have a RIS server with a base image set on it. Every night when the facility closes you reboot the machines and have them reformat and download the image. Next morning when you get to work all the machines are nice and clean again.

    As for restricting everyone to web surfing any firewall with egress filtering can block all outbound connection except 80 and 443 which are required for web surfing and secure sockets.... That gives them almost everything they need.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #5
    Junior Member
    Join Date
    Apr 2004
    They are not free but there are a few programs I use.



  6. #6
    Join Date
    Jul 2001

    I always worry about small mom and pop shops that try to set up these types of services for their customers. Time and time again they find themselves getting into all sorts of problems. Parents upset at what their kids were able to access (either on purpose or by accident), or upset at what the last customer that used the machine left open for them to see, and people using these types of connections as an anonymous way to cause all sorts of problems. In short, this is a dream situation for the predatory lawyers we find ourselves surrounded by today.

    If he was hoping to set this up on the cheap, as a friend I would advise him against doing it all together. The liability that he's opening himself up to would quickly out weigh any financial gains that his business may have by providing this as a free or low cost service to his patrons.

    If he believes that such a service would be a good investment for his business, as a value added for his patrons (either free or pay), then I would suggest he have someone set it up that is well versed with the types of problems that stem from something like this.

    There are many very good commercial packages on the market that can protect the integrity of the machine, the type content that can be accessed from it, and all related issues.

  7. #7
    Regal Making Handler
    Join Date
    Jun 2002
    Time and time again they find themselves getting into all sorts of problems.
    A lot of pubs (bars) over here have started putting computers in for customers to use. I was talking to the owner of my local pub a few months back. He said that he ripped the modem cable out of his computer in anger as he had just recieved his phone bill. Over £3000.00 for one quater.

    It turns out one of his bar staff, who lived on the premises, was downloading dialers to access porn. He has now upgraded to win xp and broadband. Which he paid to have profesionaly sorted. I had a quick look around the system just out of curiosity. The dialers are still there along with more spy/adaware than you can wave a big stick at.

    And no, having free net access has not increased his trade.

    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  8. #8
    Senior Member
    Join Date
    Jan 2002
    Obviously the problem with remote imaging, is the need to keep the image up to date.

    I imagine you have to have a spare "clean" machine which exists as a master for the image, and is updated with patches etc.

    Anyone who can break Windows, can reset the bios, reboot, and change bios settings to disable remote imaging. So you don't want that.

    Also for customers' security, you don't want to be running vulnerable versions of IE etc.


  9. #9
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Washington D.C. area
    Has your pal considered using another OS that is bootable from a CD such as Knoppix? You sure as hell don't have to worry about them changing any OS settings if they go down this road. As for writing files to a HD, well, with a knoppix disk you don't even need a hard drive in the box!

    Anyway, just a thought.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  10. #10
    Senior Member
    Join Date
    Apr 2004
    I think that thehorse13 idea was the best. Take Knoppix cd, rip off all stuff u dont wanna. configure it to just run the browser, activate linux firewall to block everything, and reburn a new customized linux. leave hard disk as"work area", since the browser will sometime need it. to clean work area, just reboot linux -- of course u have inserted the "clean script" as a boot phase of it.
    I just have one issue: and if the guy bring his own cd and boot from it? how do we stop that behavior?
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts