The policy editor can be used to restrict
users or a group of users, i.e., operators, from accessing such
items as the control panel, the "Find" or "Run" selections under
the "Start" menu, access to the desktop, etc. Essentially,
everything can be disabled except for the application that you want
to run, i.e., citect32.exe and its peripheral executables if any.
Procedure:
- Purchase the Microsoft Windows NT Workstation Resource Kit
(~$50.00).
- Logged in with administrator privileges, from the CD, copy the
poledit.exe, poledit.hlp, poledit.cnt files from the
\apps\clients\i386 directory to the \winnt directory (installing
the resource kit does not install these files).
- From the CD, copy the common.adm, windows.adm, winnt.adm files
from the \apps\clients\i386 directory to the \winnt\inf directory.
If the \winnt\inf directory is not seen, be sure to enable "View
all files" under the View-Options menu in Explorer.
- Right mouse click on the c:\winnt\system32\repl\imports\scripts
directory, select the sharing tab and select the "Shared As" radio
button. Change the share name to "Netlogon" (without the quotes).
Select the Permissions button and change the access of "Everyone"
from "Full Control" to "Read" and add the Administrators group with
an access of "Full Control".
- From the User Manager, create a user that will be a member of
the user group, i.e., operator.
- Run the Policy Editor and create a new policy. From the Edit
menu add a new user and browse to select the user created in the
previous step (operator).
- Double click on the "Default Computer" icon and open the
Network branch and the branch below it, System policies update.
Place a check mark in the Remote Update box and select "Automatic"
for an update mode, located at the bottom of the window.
- Double click on the "Operator" icon to open up its policy
restrictions. Start disabling access for this operator by checking
off the following items:
  - Shell - Restrictions - (put a check mark in all the boxes)
  - System - Restrictions - Disable Registry editing tools
  - Windows NT Shell - Custom Folders - Hide Start menu subfolders
  - Windows NT Shell - Restrictions - Remove common program groups
    from Start menu
- Save the policy file as NTConfig.pol to the
\winnt\system32\repl\imports\scripts directory.
- If a new user was added, logout as administrator and login as
the new user so that NT can create the profile directory for the
new user. Re-login as an administrator to continue.
- Since the operator does not need to run any programs except for
Citect, delete all the files and folders, except the Startup
folder, under the "Programs" directory for that user. That is,
delete what is below the c:\winnt\profiles\operator\start
menu\programs directory (assuming the user name was operator).
- To prevent the operator from accessing the Task Manager via a
Ctrl-Alt-Delete you can either delete the program, Taskmgr, located
in \winnt\system32 or restrict its access to a higher
group/user.
- Place a shortcut for the Citect32.exe file in the user's
startup directory (c:\winnt\profiles\operator\start
menu\programs\startup) for it to run automatically once the user
logs in, or install Citect as a service (see knowledge base Q1865)
so that users can log in and out without having to stop
Citect.
- Re-login as the operator and you will not have any access
except for the Citect run time program.
Note: The policy editor can be set up so that a user can run only
one program by checking the box under System\Restrictions\'Run only
allowed Windows applications'. The problem with using this is
trying to find all the programs that are needed for Citect and
Windows NT to run for that particular user.
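A check an administrator can run after the last step of the procedure, as an added example that is not part of the original article: it parses a REGEDIT4 text export of the operator's policy keys and lists the restrictions that did not take effect. The value names are assumed to be those written by the NT 4.0 common.adm/winnt.adm templates; the export text and the hive name `operator` are constructed sample input.

```python
import re

# Assumed value names behind the boxes ticked in the procedure, per policy subkey.
EXPECTED = {
    r"policies\explorer": ["NoRun", "NoFind", "NoSetFolders", "NoDesktop",
                           "NoClose", "NoCommonGroups", "NoStartMenuSubFolders"],
    r"policies\system": ["DisableRegistryTools"],
}
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg_export(text):
    """Return {lowercased key path: {lowercased value name: int}} for dword values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key, val = KEY_RE.match(line), DWORD_RE.match(line)
        if key:
            current = keys.setdefault(key.group(1).lower(), {})
        elif val and current is not None:
            current[val.group(1).lower()] = int(val.group(2), 16)
    return keys

def missing_restrictions(text):
    """List 'subkey\\value' entries that are absent or not set to 1."""
    keys = parse_reg_export(text)
    missing = []
    for suffix, names in EXPECTED.items():
        # Match on the key suffix so HKEY_CURRENT_USER and HKEY_USERS\<hive> both work.
        values = next((v for k, v in keys.items() if k.endswith(suffix)), {})
        for name in names:
            if values.get(name.lower()) != 1:
                missing.append(suffix + "\\" + name)
    return missing

# Constructed sample export: NoDesktop was never ticked and NoClose is set to 0.
SAMPLE = r"""REGEDIT4

[HKEY_USERS\operator\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoFind"=dword:00000001
"NoSetFolders"=dword:00000001
"NoClose"=dword:00000000
"NoCommonGroups"=dword:00000001
"NoStartMenuSubFolders"=dword:00000001
[HKEY_USERS\operator\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""
print(missing_restrictions(SAMPLE))
```

An empty result means every listed restriction is present in the export with a value of 1.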