Prevent access to share and local path


  • We have users who alternate between working at the corporate location and other remote sites. Management has asked that I make the following true. When they go off site they do not want those users to have access to any of their normal shares except a specific list. When offsite they'll be using Citrix to access internal apps.

    When offsite:
    A. User cannot type the path of any local or network path (c:\ or \\serv1)
    B. User can access local drives on their client workstation within the applications.
    C. User can see a list of mapped drives (controlled by us) that they can access
    D. User cannot add their own mapped drives

    A is taken care of by the GPO Remove Run menu from Start Menu, oddly.
    B does not seem to be working, as it does not show up in Computer when they try to open/save a document.
    C I can't seem to get the mapped drive to show via GPO when method A is implemented.
    D the user can do this so far regardless of what I set up.

    Any ideas?

    Monday, January 28, 2013 4:14 PM


All replies

  • I would also ask that question in Citrix's forum, as you can do a lot of what you want with Receiver's config.

    For the issue:

    Install the Desktop Appliance Lock from Citrix and block the local computer and map the user drive on the TS, so the application will be able to save in a share. The user will be blocked to only the application (or use a zero client?).

    Or with VPN software you block only port 1494 and you use the Citrix Receiver, thus only port 1494 traffic passes, so both networks are isolated. The application maps the user share in the TS, so the user only sees the application GUI.

    MCP | MCTS 70-236: Exchange Server 2007, Configuring

    Twitter - @yagmoth555

    Monday, January 28, 2013 4:26 PM
  • Thanks. Do you know if there's a way to block the ability to map a network drive by the user but still apply mapped drives by GPO?
    Monday, January 28, 2013 4:37 PM
  • I don't see the need for that.

    If you use Citrix for the offsite users, you don't need GPO to restrict that. They will only see the GUI of the application, and if the VPN only allows 1494, nothing will map even if they try to map something.

    The user will see in the "Save As" menu of the application all network shares mapped on that TS for his username. You will have to hide the local drives of your TS, and that's all.

    With the Web Interface you could even make your users work from a mobile device.

    Thus, I really think it's more an issue for Citrix's forum.

    MCP | MCTS 70-236: Exchange Server 2007, Configuring

    Twitter - @yagmoth555

    Monday, January 28, 2013 4:47 PM