I used to do a bit of work with some companies up north that had the same
issue. They purchased a software product called DeepFreeze which basically
reset the C drive back to the way it was at last boot up. They would image
the systems, turn on deep freeze, and the users were not able to do
anything that a simple reboot would not fix. They were also not able to
save any data on drive C - in their case an added benefit.
It may be worth looking into as an extra security setup especially in lab
situations.
Regards;
James R. Day
National Parks Service - AD Core Team
(202) 354-1464
Fax (202) 371-1549
[EMAIL PROTECTED]
|---------+---------------------------------->
| | "Steve Rochford" |
| | <[EMAIL PROTECTED]|
| | .uk> |
| | Sent by: |
| | [EMAIL PROTECTED]|
| | tivedir.org |
| | |
| | |
| | 01/12/2004 11:24 AM GMT|
| | Please respond to |
| | ActiveDir |
|---------+---------------------------------->
>------------------------------------------------------------------------------------------------------------------------------|
|
|
| To: <[EMAIL PROTECTED]>
|
| cc: (bcc: James Day/Contractor/NPS)
|
| Subject: RE: [ActiveDir] Bug in GPO?
|
>------------------------------------------------------------------------------------------------------------------------------|
I'd completely agree with this. I work in a college and we don't want the
students to (accidentally or deliberately) play with files on the C: drive
but even the tightest set of policies makes no real difference - just
typing "C:" into a file open dialog will show you the drive and typing
"desktop" into the address bar in Internet Explorer also leads to some fun
:-)
In the end it's easier to make sure that permissions are as tight as
possible so that people can't do too much damage and be prepared to
re-image the machine if they do!
Steve
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]
Sent: 31 December 2003 04:06
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Bug in GPO?
Mark-
This worked for me on XP as expected--I chose to hide the C: drive using
this policy and it was hidden in both My Computer and Explorer. One thing I
did note was that, if I enabled this policy while I had Explorer up and
running, the C: drive would only get "partially" hidden. That is, it still
appeared in the Explorer tree view but didn't in the right hand results
pane. Weird. Restarting Explorer cleared that up and C: was gone.
Just as a note, this policy is really nothing more than "shell
obfuscation". For example, even with the C: drive hidden in Explorer, there
are numerous ways the intrepid user can get to C:. For example, opening a
command shell, using the File Open dialog in any number of applications,
etc. So, even if you get it working, its not real security. I found that,
in the past, it also confused some applications, depending upon how poorly
they were written. In the end I decided to give up on the drive hiding
thing because it caused more confusion than it fixed. Just my .02.
Darren
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
