Chapter 4: User Restrictions
The User Restrictions tool allows you to restrict user actions. By default, users who have limited accounts cannot install software or hardware, but can run programs they download or bring with them on a USB drive—potentially causing problems on the computer. With the User Restrictions tool, you can define restrictions for Microsoft® Internet Explorer, Microsoft Office, the Microsoft Windows® XP operating system, the Start menu, and specify what software is permitted to run.
You must ensure the user account being restricted is logged off before applying restrictions. Fast user switching cannot be used to shuttle between the Toolkit administrator’s account and the restricted account.
On This Page
Restrict a Local User Profile
Locking a Profile
Recommended Restrictions for Shared Accounts
Restrict a Local User Profile
You can use the User Restrictions tool to restrict and lock user profiles to prevent tampering with the computer. This section describes a typical user restriction scenario.
The Select a Profile to Restrict dialog box shows all user accounts configured on the shared computer, including those that are disabled. It will only allow you to select accounts for which user profiles exist.
To restrict a local user profile
Log on as the Toolkit administrator.
Click Start, point to All Programs, point to Microsoft Shared Computer Toolkit, and then click User Restrictions. Alternatively, you can click the Open User Restrictions link in Step 5 of Getting Started. A shortcut to User Restrictions is also included in the Quick access section near the top of the Getting Started window.
Click Select a Profile.
In the Select a Profile to Restrict dialog box, click the user profile that you want to restrict.
Select the Lock this profile check box to prevent users from being able to change settings while logged on with the user account. You can read more about locking profiles in the “Locking a Profile” section in this chapter.
All Recommended Restrictions for Shared Accounts must be used if you want to prevent user tampering with the computer. Individual restrictions will be insufficient.
Select the Recommended Restrictions for Shared Accounts check box. This enables the most important restrictions. You can read a complete description of the settings in the “Recommended Restrictions for Shared Accounts” section of this chapter.
In the General Settings section, type in the default home page, a proxy server (if necessary), and any applicable proxy exceptions.
In the Session Timers section, set limits on the number of minutes the user can use the computer or be idle before a forced logoff. You can also choose to leave these options blank.
Click Select Drives to Restrict and then restrict all of the drive letters to which the user should not have access. Microsoft highly recommends restricting access to the Windows partition where Windows and programs are installed (typically the C: drive).
Click Apply to apply the selected restrictions to the user profile and continue working with the User Restrictions tool or click OK to apply the selected restrictions to the user profile and close the User Restrictions tool.
If you plan to restrict access to the C: drive, replace any Windows Explorer shortcuts with My Computer shortcuts in the user’s Start Menu to avoid error messages. By default, Windows Explorer attempts to display profile folders, which are located on the C: drive.
Figure 4.1 The main screen of the User Restrictions tool
Some computer environments allow customers to use administrative accounts. This is not a recommended practice, but it can be improved upon. For more information about this topic, see the "Restrict a Shared Administrative Account" section in Chapter 9, “Advanced Scenarios.”
To get started, click Select a Profile and then, in the Select a Profile to Restrict dialog box, click the user profile that you want to restrict.
Locked user profile folders are renamed from \Documents and Settings\user name to \Documents and Settings\user name.Orig. Use this new folder name to locate Start menu icons after you lock the user profile.
In the General Settings section of the User Restrictions tool, you can define the following settings:
Home Page. This setting configures Internet Explorer to use a particular home page.
Proxy. You can specify an address for a proxy server—a server that provides Internet access (and often content-filtering services) to the computer.
Proxy Exceptions. You can specify sites or domains that bypass the configured proxy server. You can use this setting to allow certain sites to be visited even when restrictions do not allow general Internet access. This topic is covered in more detail in the “Use Simple Site Filtering to Control Internet Access” section of Chapter 9, "Advanced Scenarios."
Session Timers. You can configure two time restrictions to apply to users:
Log off after __ minutes of use. This setting specifies how long users can use the computer before they are logged off automatically, after a pop-up warning.
Log off after __ minutes idle. This setting specifies how long users can be idle or inactive before they are logged off automatically, after a 15 second warning.
Restrict Drives in My Computer. When you click the Select Drives to Restrict button, a dialog opens in which you can specify one or more drives to which this user is prevented from accessing.
Lock this profile.** **This setting prevents users from making permanent changes to the user profile when they are logged on.
Restart at Logoff. This setting forces Windows to restart when a user logs off of the selected profile. This setting is for use with Windows Disk Protection.
Locking a Profile
The Lock this profile setting prevents people from being able to make permanent changes to the user profile when they are logged on. This setting is useful for user profiles that are shared by multiple people. If you select this check box, it will not take effect until you click OK or Apply.
When a profile is locked, files that Windows generally stores on the user’s behalf (typically in the Documents and Settings\user name folder) are not available when the next user logs on. Locked profiles increase the privacy of users and make keeping a clean, standardized desktop much easier for operators of shared computers.
The following are items that are not kept between logons when a profile is locked:
Internet history and cookies
Files stored on the desktop
Changes to program settings
Start menu changes
Recommended Restrictions for Shared Accounts
Because many of these restrictions work together to provide a more secure environment for shared accounts, it is better to enable all the recommended restrictions at once. For example, Windows XP Home Edition allows users to change passwords if they have access to Control Panel. This means you must use both the Prevent password changes restriction and the Remove Control Panel icon restrictions to effectively restrict password changes. Similarly, Software Restrictions provide an important security measure that prevents users from running unauthorized programs that can be used to bypass other restrictions.
Clearing any recommended restrictions may have adverse, unintended effects and should only be done with extensive testing to ensure your environment does not become significantly less secure.
Start Menu Restrictions
In the User Restrictions tool, click the Start Menu Restrictions heading to expand the entire list of restrictions that you can configure for the Start menu. The following list describes the Start Menu Restrictions:
Prevent right-click in the Start menu.** **Prevents the user from accessing shortcut menus by right-clicking on items in the Start menu.
Force the Classic Start Menu (better for shared accounts).** **The Classic Start Menu makes it easier for you to configure the programs available to a user on the Start menu.
Remove Control Panel, Printer, and Network Settings from Classic Start Menu. Removes these icons from the Start menu to hide configuration tools from restricted users.
Remove My Documents icon.** **Prevents users from accessing the My Documents folder through the icon on the Start menu to promote privacy between multiple users.
Remove My Recent Documents icon. Prevents users from accessing recently opened programs through the icon on the Start menu. This helps to ensure that users cannot access programs to which they are denied access and protects the privacy of previous users.
Remove My Pictures icon. Prevents users from accessing the My Pictures folder through the icon on the Start menu.
Remove My Music icon. Prevents users from accessing the My Music folder through the icon on the Start menu.
Remove Favorites icon. Prevents users from accessing the Favorites folder through the icon on the Start menu. This helps to prevent unwanted access to the Internet.
Remove My Network Places icon. Prevents users from accessing My Network Places through the icon on the Start menu, helping to prevent viewing shortcuts to other computers, printers, and network resources that My Network Places displays.
Remove Control Panel icon. Prevents users from accessing the tools in Control Panel through the icon on the Start menu.
Remove Set Program Access and Defaults icon. Removes the Set Program Access and Defaults icon.
Remove Connect To icon. Prevents users from connecting to network resources through the icon on the Start menu.
Remove Printers and Faxes icon.** **Prevents users from accessing the Printers and Faxes window through the icon on the Start menu.
Remove Search icon. Prevents users from using the Search tool through the icon on the Start menu to locate folders, files, and network resources to which they should not have access.
Remove Run icon. Prevents users from using the Run dialog box to issue commands or start programs.
Remove Frequently Used Programs list. Prevents the Start menu from displaying frequently-used programs.
Remove Shut Down button. Prevents users from turning off or restarting the computer through the icon on the Start menu.
Many of the Start Menu Restrictions remove the icon for a folder or program from the Start menu, but do not otherwise prevent access to the folder or program. For this reason, it is important that you use all recommended restrictions in the User Restrictions tool to provide the best possible combination of restrictions.
General Windows XP Restrictions
The following list describes the General Windows XP Restrictions:
Prevent right-click in Windows Explorer. Disables the shortcut menu that appears when a user right-clicks an object in the Windows environment.
Prevent AutoPlay on CD, DVD, and USB drives. Prevents Windows from automatically displaying options (or taking particular action) when a user inserts removable media. Digital entertainment media such as songs and movies will still auto play with this setting enabled.
Remove the Recycle Bin (to help ensure privacy between users). Helps to ensure that when a user deletes a file, subsequent users cannot access the file.
Prevent access to some Windows Explorer features (such as Search). Disables searching and prevents the user from customizing toolbars and Folder Options. In addition, the My Documents folder is hidden from the left pane.
Prevent access to the taskbar. Prevents access to the Windows taskbar.
Prevent access to the command prompt. Prevents users from accessing folders, files, and programs from the Windows command prompt.
Prevent access to the Registry Editor. Prevents users from accessing the built-in tools that allow them to modify the Registry.
Prevent access to Task Manager. Prevents users from accessing Task Manager, a utility that you can use to stop and start programs and processes, and shut down or restart the computer.
Prevent access to Microsoft Management Console utilities. Prevents users from using the MMC console to load snap-ins that can be used to alter the Windows environment.
Prevent users from adding or removing printers. Prevents users from adding or removing printers to preserve system configuration.
Prevent users from locking the computer. Prevents users from being able to lock the** **computer to deny access to other users.
Prevent password changes (also requires Control Panel to be removed). Prevents users from changing the password associated with the user account with which they are logged on.
Internet Explorer Restrictions
The following list describes the Internet Explorer Restrictions:
Prevent right-click in Internet Explorer. Prevents users from being able to perform advanced activities on Web content in Internet Explorer by right-clicking items. Some types of content can still be right-clicked, such as Macromedia Flash objects.
Prevent access to some Internet Explorer menu choices (such as Internet Options). Prevents users from accessing certain Internet Explorer menu commands, such as Internet Options, that can be used to modify Internet Explorer configuration.
Prevent access to some Internet Explorer toolbar buttons (such as Search). Prevents users from accessing certain toolbar buttons, such as History, Search, and News. This prevents users from bypassing access controls.
Microsoft Office Restrictions
You can use the User Restrictions tool to set restrictions that apply to Microsoft Office XP, and 2003. Some of these restrictions also apply to Microsoft Office 2000. The following list describes the Microsoft Office Restrictions:
Prevent use of Visual Basic for Applications (VBA) in Office XP/2003. Prevents users from accessing VBA tools in Office XP and Office 2003 programs. (Does not work on Office 2000.)
Disable macro shortcut keys. Prevents users from running macros using shortcut keys in Office programs.
Disable Tools | Macro menu items. Prevents users from accessing macro commands in Office programs.
Disable Tools | Add-ins menu items. Prevents users from enabling and disabling add-in programs in Office programs.
Disable the Web toolbar. Prevents users from enabling the Web toolbar in Office programs and being able to view files and folders on restricted drives.** **
Disable Detect and Repair from Help menu. Prevents users from running the Detect and Repair command in Office programs.
Prevent changes to Clip Organizer contents in Office XP/2003. Prevents users from importing or deleting clips in the Clip Organizer in Office XP and Office 2003 programs. (Does not work on Office 2000.)
Software Restrictions provide important security settings that can help you restrict system tools and downloaded software from running. For increased security, ensure that both of these restrictions are selected. If these restrictions are not selected, users may find ways to bypass other restrictions set using the Toolkit. For example, a limited user can download programs that ignore restrictions; enabling them to edit the registry, access restricted drives, and even the use the command prompt even when restricted from doing so.
Some games (such as Microsoft Halo® and Activision Call of Duty) and other programs that use copy protection do not work properly when Software Restrictions are selected. If you use these games, you cannot also use Software Restrictions. Keep in mind that turning off Software Restrictions significantly weakens the security of your computer.
The following list describes the restrictions within the Software Restrictions list:
Only allow software in the Program Files and Windows folders to run. Prevents users from being able to run programs that are not in the Program Files folder or the Windows path, such as downloaded programs or programs on USB Drives. Shortcuts from any location will work if they point to software in the Program Files and Windows folders. Executables cannot be placed on a restricted Start menu or desktop; only shortcuts to allowed software will work from these locations.
Prevent System Tools and some management tools from running. Blocks system tools such as Disk Defragmenter from running.
The following list describes the restrictions within the Optional Restrictions list:
Additional Start Menu Restrictions
Prevent programs from the All Users folder from appearing on the Start menu. This setting prevents any icons located in the All Users Start menu folder from displaying in the user’s Start menu.
Preventing All Users menu items from displaying will block any icons placed in All Users, either by the Toolkit or by other Windows programs, from displaying on limited users’ Start menus. Ensure icons users will need are copied from the All Users Start menu folder to the Start menu folder for the restricted user.
Remove Help and Support icon. Prevents users from accessing the Help and Support window through the icon on the Start menu. Many help pages provide shortcut access to system tools and locations.
Additional General Windows XP Restrictions
Remove Shared Documents from My Computer. This setting prevents unauthorized sharing of documents between users and protects user privacy.** **
Remove CD and DVD burning features. Prevents users from using the built-in features of Windows XP to copy information to a writable CD or DVD.
Disable keyboard shortcuts that use the Windows logo key. Prevents users from using shortcuts to access unauthorized menus or programs (such as Windows logo key + E to start Windows Explorer).
Additional Internet Explorer Restrictions
Prevent Internet access from Internet Explorer. This setting prevents the user from accessing the Internet with any programs that use the Internet Explorer proxy settings. When you enable this restriction, the Proxy setting is automatically configured as NoInternetAccess.** **
Prevent printing from Internet Explorer. This setting prevents users from printing from Internet Explorer.
Additional Software Restrictions
Prevent Windows Messenger and MSN Messenger from running. This setting prevents the user from being able to use Windows Messenger or MSN Messenger. Note that this setting prevents users from running Windows Messenger directly from its icon, but does not prevent users from running Messenger from a Web-based interface like MSN Web Messenger. To prevent access to a Web based service, you will need to add the URL of the service to the blocked URL list in Internet Explorer.
Restrict Notepad and WordPad (recommended for Restricted Administrators). This setting restricts the two major text-editing tools used by administrators to edit batch files and scripts in Windows XP. This setting can be used to help prevent a restricted administrator account from modifying scripts, including those provided with the Shared Computer Toolkit.
Prevent Microsoft Office programs from running. This setting prevents the user from running any Microsoft Office programs. For this setting to work properly, Microsoft Office must be installed in the default (%ProgramFiles%) location, such as C:\Program Files\Microsoft Office.