Lock down a PC

Drunkard #1

I need to lock down a Windows XP PC. I need to delete all web browsers, and prevent any new software from being installed. Also, I'd like to prevent any new drivers being loaded which would allow connection of cell phones via USB.

I know that I should have set up a user account separate from the administrator account, and that would have made this easier, but I didn't, and now I don't know where to start. Can I even delete IE? Do I just change the administrator password and create a user account with no privileges? But they need to be able to do backups to USB etc. This isn't easy: on the one hand, this staff member will abuse any gap (to the point of using her own cell phone as a modem, when the internet was turned off on that machine, so that she could waste time rather than working), but on the other hand, if I lock down the machine too much, I'll be called in every second day to install drivers for a new USB stick.

And before the "human rights activists" get started on how they can't live without internet, the company doesn't even have a web-filter, and yet none of the other staff abuse the equipment, and waste time when they're being paid to work. With her behaviour, she should have received formal warnings, but management isn't sure of the legal requirements, etc. They haven't needed an "Electronic equipment usage and monitoring policy" before, so none was drawn up, and now, because of one abusive employee, they don't know how to respond. They do know that, as owners of the equipment being used, they can change things like user accounts, etc, and that is what they want to do.
 
A very helpful program is the group policy manager. Click Start -> Run -> type "gpedit.msc"

Look under user configuration -> administrative templates.

There you will see many options to disable / enable different stuff on the machine. Remember to reboot to make some of the changes effective.

Note: be careful not to disable too much, otherwise you won't even have access to get back to the program to disable anything.

Note 2: you will have to have a second user without admin rights to be used normally otherwise anyone will be able to open that program and change the stuff back.


On a side note, not even the above is impossible to break into. All it takes is someone to boot up the PC with a password reset disk, log in to the admin account and do whatever they want. If you want to take extra precaution you can take out the CD-ROM drive.

I guess it depends on how computer savvy the user is.

EDIT: just to add. I dunno about the legality of doing the above without the person's permission. I'm just giving my experience of 'locking down' a pc.
 
Well I think there is a bigger problem here than just the internet. If she wants to waste time instead of doing work she will do it regardless of internet access. I think the company must start looking at performance contracts and start nailing her on that (Non Performance)
 
I agree.

I think that, by locking out a single employee, the company is aiming to get itself into a whole lot of hurt: she'll go to the CCMA screaming 'discrimination' and she will most probably win ...

The wisest move - for the company - would be to speak to a labour specialist: I can't see that it is illegal to impose a company computer policy which can vary by employee job description and grade.

Then, once the policy is in place, move to nail the person.
 
Even if you remove IE, it's so into XP's core that you can actually browse the web using the normal file browser.

As the others said fix the problem not the symptoms.
 
Look for a Microsoft app for XP called SteadyState - it's free, comprehensive and pretty simple to implement.

You can also look for X Setup, I can't really recall whether it will give you the same degree of control as SteadyState. The free version of X Setup is V6.6
 
Your company should start to implement policies to protect themselves from this kind of thing.
But look here http://www.pctools.com/guides/registry/id/4/

A bunch of registry hacks to disable and enable loads of stuff.

Somewhere you will find how to block applications by their exe name. That should help you to block IE.
As for drivers etc., you can hide specific features with the registry.
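
The "block applications by their exe name" setting is the same one gpedit.msc exposes as "Don't run specified Windows applications" (User Configuration -> Administrative Templates -> System). The script below is an added example, not part of any post in this thread: it writes that policy into a single limited account's registry hive, so the administrator account is not affected. The account name `staff` and the list of blocked programs are assumptions to be replaced.

```batch
@echo off
rem Added example (not from the thread): apply the DisallowRun policy to ONE
rem limited account by editing that account's registry hive while it is offline.
rem Run from an administrator account while the target user is logged off.
rem The target user must have logged on at least once so the profile exists.
rem ASSUMPTIONS: account name "staff" and the blocked-program list are placeholders.
setlocal
set "TARGET_USER=staff"
set "HIVE=C:\Documents and Settings\%TARGET_USER%\NTUSER.DAT"
set "MOUNT=HKU\LockdownTemp"
set "POLICY=%MOUNT%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

rem Mount the user's hive under a temporary key. This fails if the profile
rem does not exist or if the user is logged on (the file is then in use).
reg load "%MOUNT%" "%HIVE%"
if errorlevel 1 (
    echo Could not load "%HIVE%". Check the account name and that the user is logged off.
    exit /b 1
)

rem Switch the policy on, then list blocked executables as numbered string values.
reg add "%POLICY%" /v DisallowRun /t REG_DWORD /d 1 /f
reg add "%POLICY%\DisallowRun" /v 1 /t REG_SZ /d iexplore.exe /f
reg add "%POLICY%\DisallowRun" /v 2 /t REG_SZ /d firefox.exe /f

rem Show what was written, then unmount so the hive is saved and released.
reg query "%POLICY%\DisallowRun"
reg unload "%MOUNT%"
endlocal
```

This policy matches on file name and is enforced by Windows Explorer, so treat it as one layer alongside the limited account rather than as the whole lockdown.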
 
Windows SteadyState is free and will do what you want, but does not work on Windows 7, so as long as it is XP or Vista it should work.
Unfortunately it is being phased out by Micro$oft - http://support.microsoft.com/kb/2390706 :mad:

You will have to google to see if it still can be downloaded.

I agree with rrh that the better approach is to create a computer policy that addresses the issue and work from that angle.
 