Doesn't have to be... Set the partition to NFTS with localsystem having the only rights, and I think it would work fine.
You're not going to stop the truly determined, but this should stop a whole lot of them.... -------------------------------------------------------------- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. > -----Original Message----- > From: Steve Rochford [mailto:[EMAIL PROTECTED] > Sent: Wednesday, January 14, 2004 5:28 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Bug in GPO? > > > Surely that partition is then available for users to write to (unless > you make sure you lock down everything but that's where I came in!!) > > Steve > > -----Original Message----- > From: Roger Seielstad [mailto:[EMAIL PROTECTED] > Sent: 14 January 2004 13:00 > To: '[EMAIL PROTECTED]' > Subject: RE: [ActiveDir] Bug in GPO? > > All you need to do is put the AV software on a different partition.... > > -------------------------------------------------------------- > Roger D. Seielstad - MTS MCSE MS-MVP > Sr. Systems Administrator > Inovis Inc. > > > > -----Original Message----- > > From: Steve Rochford [mailto:[EMAIL PROTECTED] > > Sent: Wednesday, January 14, 2004 6:43 AM > > To: [EMAIL PROTECTED] > > Subject: RE: [ActiveDir] Bug in GPO? > > > > > > I know of deep freeze; another college near me is using it > with some > > success but they had a problem with things like virus > software updates > > > - deep freeze was wiping these out at each reboot! It's > such a common > > requirement that I'm sure there must be a way round it but I've not > > yet had time to investigate. > > > > Steve > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] > > > > Sent: 12 January 2004 15:45 > > To: [EMAIL PROTECTED] > > Subject: RE: [ActiveDir] Bug in GPO? > > > > > > > > > > > > I used to do a bit of work with some companies up north > that had the > > same issue. They purchased a software product called > DeepFreeze which > > > basically reset the C drive back to the way it was at last boot up. > > They would image the systems, turn on deep freeze, and the > users were > > not able to do anything that a simple reboot would not fix. > They were > > > also not able to save any data on drive C - in their case an added > > benefit. > > > > It may be worth looking into as an extra security setup > especially in > > lab situations. > > > > Regards; > > > > James R. Day > > National Parks Service - AD Core Team > > (202) 354-1464 > > Fax (202) 371-1549 > > [EMAIL PROTECTED] > > > > > > |---------+----------------------------------> > > | | "Steve Rochford" | > > | | <[EMAIL PROTECTED]| > > | | .uk> | > > | | Sent by: | > > | | [EMAIL PROTECTED]| > > | | tivedir.org | > > | | | > > | | | > > | | 01/12/2004 11:24 AM GMT| > > | | Please respond to | > > | | ActiveDir | > > |---------+----------------------------------> > > > > >------------------------------------------------------------- > > ---------- > > -------------------------------------------------------| > > | > > | > > | To: <[EMAIL PROTECTED]> > > | > > | cc: (bcc: James Day/Contractor/NPS) > > | > > | Subject: RE: [ActiveDir] Bug in GPO? > > | > > > > >------------------------------------------------------------- > > ---------- > > -------------------------------------------------------| > > > > > > > > > > I'd completely agree with this. I work in a college and we > don't want > > the students to (accidentally or deliberately) play with > files on the > > C: > > drive but even the tightest set of policies makes no real > difference - > > > just typing "C:" into a file open dialog will show you the > drive and > > typing "desktop" into the address bar in Internet Explorer > also leads > > to some fun > > :-) > > > > In the end it's easier to make sure that permissions are as > tight as > > possible so that people can't do too much damage and be prepared to > > re-image the machine if they do! > > > > Steve > > > > From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] > > Sent: 31 December 2003 04:06 > > To: [EMAIL PROTECTED] > > Subject: RE: [ActiveDir] Bug in GPO? > > > > Mark- > > This worked for me on XP as expected--I chose to hide the C: > > drive using > > this policy and it was hidden in both My Computer and Explorer. One > > thing I did note was that, if I enabled this policy while I had > > Explorer up and running, the C: drive would only get "partially" > > hidden. That is, > > it still appeared in the Explorer tree view but didn't in the right > > hand results pane. Weird. Restarting Explorer cleared that > up and C: > > was gone. > > > > Just as a note, this policy is really nothing more than "shell > > obfuscation". For example, even with the C: drive hidden in > Explorer, > > there are numerous ways the intrepid user can get to C:. > For example, > > opening a command shell, using the File Open dialog in any > number of > > applications, etc. So, even if you get it working, its not real > > security. I found that, in the past, it also confused some > > applications, depending upon how poorly they were written. > In the end > > I decided to give up on the drive hiding thing because it > caused more > > confusion than it fixed. Just my .02. > > > > Darren > > > > > > > > List info : http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
