What should I use? Steady State, Group Policies, or What?

  • Question

  • I am trying to lock down XP stations on a Windows 2003 domain at the office.  The stations will be used by untrusted very short term contractors to complete some necessary work tasks.

    My goal:

    Lock the desktop down so that the users cannot do the following:
    • Install applications, viruses, malware, etc.
    • Browse to bad sites on the internet; in fact I want them going to one or two sites only.
    • Remove files from the premises - via USB, Internet, FTP, HTTP, you name it.
    The users will each have a unique login for auditing purposes.  Each login should have the same shortcuts available on the desktop, no more no less.  Each user should have access to one mapped network drive and certain directories in %os%\program files\.  

    What I have done so far:  Installed the .adm into Active Directory group policy and defined all of the policies I thought I needed.  When I could not create the same desktop and start menu for every user I created a mandatory roaming profile but the roaming profile seems to counteract the Group policies.

    Where I am stuck:  SteadyState seems to be local and user-specific.  I haven't been able to apply it to multiple users or easily deploy it to 30+ computers.  Group policy and mandatory profiles seem to be fighting against each other.  If someone can tell me how to do the following I will be very grateful:
    1. Get 6 shortcuts on the desktop that can access local applications for any user in the Contractors OU.
    2. Map a drive via login script or other method without enabling the command prompt. 
    3. Walling off the C-drive so that no changes can be made except to the program file folder that I specify.
    4. Limit internet access to the two or three sites I specify.
    5. Limit downloading or uploading of information to the computer for any user other than prescribed work purpose.
    I hope this message wasn't too incoherent and made it into the right forum.

    Wednesday, March 17, 2010 9:26 PM
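Points 1 and 2 of the question can be handled by a single Windows Script Host logon script assigned to the Contractors OU (User Configuration > Windows Settings > Scripts > Logon). A .vbs logon script is run by wscript.exe, not cmd.exe, so the "Prevent access to the command prompt" policy can stay enabled; only .bat/.cmd scripts are affected by that policy's "script processing" option. Because the script rebuilds the desktop at every logon, each contractor sees the same six shortcuts whether or not a mandatory profile is in use. This is an added example, not code from the thread; the server and share name, the drive letter and the application paths are assumptions to be replaced with your own.

```vbscript
' Added example: WSH logon script for the Contractors OU.
' Assumed values: server FILESRV, share ContractorWork, drive letter P:,
' and the six application paths listed in RebuildDesktop.
Option Explicit

Const DRIVE_LETTER = "P:"
Const SHARE_PATH   = "\\FILESRV\ContractorWork"   ' assumed server and share

Dim objNet, objShell, objFSO
Set objNet   = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
Set objFSO   = CreateObject("Scripting.FileSystemObject")

MapWorkDrive
RebuildDesktop

' --- 1. Map the single permitted network drive ------------------------------
Sub MapWorkDrive()
    ' Drop any leftover mapping on this letter (ignoring "not mapped" errors),
    ' then map the share non-persistently. A fresh map at every logon keeps the
    ' result predictable regardless of what the previous session left behind.
    On Error Resume Next
    objNet.RemoveNetworkDrive DRIVE_LETTER, True, True
    Err.Clear
    On Error GoTo 0
    objNet.MapNetworkDrive DRIVE_LETTER, SHARE_PATH, False
End Sub

' --- 2. Exactly six shortcuts on the desktop, no more, no less ---------------
Sub RebuildDesktop()
    Dim strDesktop, objFile, arrApps, lnk
    strDesktop = objShell.SpecialFolders("Desktop")

    ' Remove every existing shortcut so the set below is all the user gets.
    For Each objFile In objFSO.GetFolder(strDesktop).Files
        If LCase(objFSO.GetExtensionName(objFile.Name)) = "lnk" Then objFile.Delete True
    Next

    ' Name -> target. Targets are assumptions; replace them with your own.
    arrApps = Array( _
        Array("Work Drive",    DRIVE_LETTER & "\"), _
        Array("Notepad",       "%SystemRoot%\system32\notepad.exe"), _
        Array("Calculator",    "%SystemRoot%\system32\calc.exe"), _
        Array("Paint",         "%SystemRoot%\system32\mspaint.exe"), _
        Array("WordPad",       "%ProgramFiles%\Windows NT\Accessories\wordpad.exe"), _
        Array("Timesheet App", "%ProgramFiles%\Contoso\Timesheet\timesheet.exe") _
    )

    For Each lnk In arrApps
        CreateDesktopShortcut strDesktop, lnk(0), objShell.ExpandEnvironmentStrings(lnk(1))
    Next
End Sub

Sub CreateDesktopShortcut(strDesktop, strName, strTarget)
    Dim objLink
    ' Only create shortcuts to targets that exist: a dangling .lnk offers the
    ' user a "browse for target" dialog, which is a file-system browser.
    If Not (objFSO.FileExists(strTarget) Or objFSO.FolderExists(strTarget)) Then Exit Sub
    Set objLink = objShell.CreateShortcut(strDesktop & "\" & strName & ".lnk")
    objLink.TargetPath = strTarget
    If objFSO.FileExists(strTarget) Then
        objLink.WorkingDirectory = objFSO.GetParentFolderName(strTarget)
    End If
    objLink.Save
End Sub
```

The shortcuts are created in the user's own Desktop folder rather than All Users, so they are rebuilt from scratch under a mandatory profile too, and the script never needs write access to anything on the system drive. Pair it with the "Prevent access to the command prompt" and "Prevent access to registry editing tools" policies; nothing in the script depends on either being available to the user.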


  • Hi Rbanres, I have some information for points 3 to 5, as they fall within the scope of Windows SteadyState.

    3. If you want to protect the system drive, you will need to install Windows SteadyState on every computer with Windows Disk Protection turned on. However, please note that we cannot make exceptions in WDP; that is, we cannot exclude certain folders from the system drive once you have turned WDP on.

    4. In the adm, you can check the following entry

    All Windows SteadyState Restrictions | Optional Restrictions | Additional Internet Explorer Restrictions | Prevent Internet Access from Internet Explorer

    5. This restriction may require you to install Windows SteadyState, as the restriction "Prevent write access to USB storage devices" appears under Set Computer Restrictions, which is not available in the adm.

    Hope this helps!

    Sean Zhu - MSFT
    Friday, March 19, 2010 6:20 AM
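The adm entry named for point 4 blocks Internet Explorer outright; the question asks for access to two or three sites only. One way to get an allow list on XP is to point Internet Explorer at a proxy that does not exist and put the permitted hosts in the proxy bypass list, so only those hosts are contacted directly and every other request fails. The three values below are the ones Group Policy itself writes when you configure User Configuration > Windows Settings > Internet Explorer Maintenance > Connection > Proxy Settings, so you can set them there instead of scripting them. This is an added example, not code from the thread or from SteadyState, and the host names are assumptions.

```vbscript
' Added example: restrict Internet Explorer to a short list of hosts.
' Run per user at logon. Host names are assumptions.
Option Explicit

Const INET_KEY = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"

Dim objShell
Set objShell = CreateObject("WScript.Shell")

' Hosts contractors may reach directly; everything else is sent to the "proxy".
' Wildcards work as in the Internet Options bypass list. "<local>" is
' deliberately left out so intranet hosts are not opened up as a side effect.
Dim allowedHosts
allowedHosts = Array("portal.example.com", "*.timesheets.example.com")

' 127.0.0.1:1 has no listener, so any request routed through it fails at once.
objShell.RegWrite INET_KEY & "ProxyEnable",   1,                       "REG_DWORD"
objShell.RegWrite INET_KEY & "ProxyServer",   "127.0.0.1:1",           "REG_SZ"
objShell.RegWrite INET_KEY & "ProxyOverride", Join(allowedHosts, ";"), "REG_SZ"
```

Three caveats a practitioner should keep in mind. First, the values live under HKCU, so enable "Disable changing proxy settings" (User Configuration > Administrative Templates > Windows Components > Internet Explorer) or the user can simply undo them in Internet Options. Second, this governs only programs that honour the Internet Explorer proxy settings; it does nothing for an FTP client or other tool that opens its own connections, so point 5 still needs a host firewall or egress rule rather than a browser setting. Third, any page element the permitted sites load from a host outside the list (scripts, images, a login redirect to another domain) will fail, so test the two or three sites end to end before rolling the policy out.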