We went the reg hack route when we locked them down as users. The reason being we felt we could be a bit more secure than W2K's blanket compat security template.
The registry changes you have to make are permissions based, so you aren't adding/deleting registry keys, you are only modifying rights on existing keys. You still have to have a decent understanding of what portion of the registry you need to allow more than the read permission to the user. Remember, btw, that regedit doesn't have permissions. You have to run regedt32.

As for when the next program comes out, it should be compatible with W2K security. I always have fun with vendors that don't understand why I want my users to only be users on their local machines.

When it comes to security and why you should have users locked down, give the example of a user and a power user attempting to run a malevolent VBScript virus. Most likely the user will not be able to cause damage if they unintentionally attempt to run a VBScript. The power user will have quite a bit more ability to hose up their local machine.

Hope that helps,

Charles Carson
Network Administrator
Southwest Student Services
480-824-6608

-----Original Message-----
From: Huntington, Debra D. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 23, 2002 1:29 PM
To: NT 2000 Discussions
Subject: 'Restricted/Basic' Users versus 'Power' Users

We are beginning to upgrade our workstations to Windows 2000. We are actually reinstalling them as we are creating a 'ghost' image and installing it on every workstation. There is considerable debate on whether we should make all users restricted/basic users or power users. The reason this is up for debate is that we run a number of legacy problems that require power users rights to run under 2000.

Here's the debate:

One group says, make the registry changes that will allow the 'most' used legacy programs to run as basic users. We don't want the users installing screen savers and dancing bears on their workstations anyway. It's a huge security hole!

The other group says: What are you nuts? Making registry changes to your ghost image could potentially have serious and unknown ramifications. What happens when the next patch won't install, or the next program comes out?? You don't want 'home grown' programs but are willing to accept a 'home grown' registry! What security hole, it's a local group.

I'd be interested in anyone's thoughts and ideas on the subject.

Debra Huntington
MISD

------
You are subscribed as [EMAIL PROTECTED]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to [EMAIL PROTECTED]
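The permissions-only approach described in the reply above, as an added example that is not part of the original thread: a PowerShell script that reviews what BUILTIN\Users can do on an existing application key and then grants only the write rights a legacy program needs, never creating or deleting keys. It assumes a current Windows system with PowerShell rather than regedt32, and the key path is a hypothetical placeholder.

```powershell
# Added example: grant BUILTIN\Users narrow write access to existing keys only.
# The default key path is a hypothetical placeholder, not a path from the thread.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$KeyPath = @('HKLM:\SOFTWARE\ExampleVendor\LegacyApp')
)

# Enough for an application to store settings. Deliberately not FullControl,
# so a user cannot change the key's permissions or take ownership of it.
$rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'

# Well-known SID for BUILTIN\Users (independent of the OS display language).
$users = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-32-545'

foreach ($path in $KeyPath) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Skipping $path (key does not exist; only existing keys are modified)"
        continue
    }

    $acl = Get-Acl -LiteralPath $path

    # Review step: list the rules that already apply to Users, explicit and inherited.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $users } |
        Format-Table RegistryRights, AccessControlType, IsInherited -AutoSize

    # Allow rule that applies to this key and its subkeys.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $users,
        $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl.AddAccessRule($rule)

    # -WhatIf shows the intended change without writing it to the registry.
    if ($PSCmdlet.ShouldProcess($path, "Allow BUILTIN\Users: $rights")) {
        Set-Acl -LiteralPath $path -AclObject $acl
    }
}
```

Run it with `-WhatIf` against the reference machine first, and keep the list of keys under version control so the image's registry permissions stay documented.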
