how, if possible, do i keep people from setting the home page to whatever they want? there is no group policy setting (someone suggested that already), i can't figure out a good registry tweak. i've disabled Tools->Internet Options, but that doesn't keep them from clicking on the "Make <insert webpage here> my home page!" buttons, or websites that use scripts to rest home page. also, even though i have downloads disabled, installing programs disabled, and every toolbar/customize option and every menu option disabled, someone was able to install the hideous Yahoo Companion Toolbar. HOW??

in short, i need to be able to lock these computers down like library computers. anyone got a good .reg file for that? i'm 95% there, but there's a few things that keep getting through.

HJ

Hi,
<blockquote><font class="small">In reply to:</font><hr>

how, if possible, do i keep people from setting the home page to whatever they want?

<hr></blockquote>
I believe Spybot S&D will allow you to do this under its' immunize section. "Lock IE start page setting against user changes"

Hope this helps.

Group policy does have this restriction that you can use. You can find it here. User Configuration -&gt; Windows Settings -&gt; Internet Explorer Interface -&gt; URLs -&gt; Important URLs. In there you can set the home page among other things. This will keep you from having to install different software.

Let us know how you are coming with your lockdown task and how you accomplished some things. I would be interested in knowing for my reference.

The Group Policy solution didn't work at all. Web-based Scripts still override my settings. The Group Policy prevents -local- changes (someone actually sitting at the keyboard trying to access the home page settings), it doesn't NOT prevent online script-based changes.

I did, however, find a number of group policy settings i thought might be useful for other lockdowns. however, when i applied them, i realized that they apply to the ENTIRE MACHINE, not just the user account (meaning the administrator account gets locked out too). this is not acceptable of course, so i reset the entire group policy back to "not configured". then my trouble REALLY began. logging back into the user account, I realized that 95% of the registry tweaks i have performed over the past few weeks were GONE (thankfully i've only been doing this on ONE of the machines; i'm waiting to get it right before doing it on the rest of them).

with all the lockdown tweaks gone, i sighed heavily and re-entered them (manually i might add, i haven't made a script for it yet, and even if i had, it would simply be a script for changing existing DWORD values, not for creating them).

however, now for some reason, the very same registry tweaks that have worked so well (many of them direct from this website) in the past, DO NOT WORK AT ALL. i suspect the group policy fiasco to be the culprit.

anyone have any ideas??????

HJ

okay, i'm some kind of genius i guess...:)

not only did i (in the past 20 minutes since my last post) fix the Group Policy interference problem (registry wasn't applying changes for some reason, fixed by loading a spare registry i keep around), but i also fixed the home page/toolbar problem all at once.

the way scripts load a new homepage is by changing the default homepage entry in your registry. even if your user has no registry editing priveledges, this still works because IE is a trusted source. (i couldn't believe this either, but debug's process tree proved it correct). the way to restrict it is as follows:
goto HKEY_CURRENT_USER\Software\Policies\Microsoft\Inte rnet Explorer\Control Panel and create a DWORD value: {Homepage} and set it to 1. (this tweak is in the Winguides database at http://www.winguides.com/registry/display.php/537/)
You HAVE to have this value itself, you can't simply disable the Tools-&gt;Internet Options menu as i had done before.

2nd problem: Users installing toolbars even though they have no download/install priveledges. again, IE is a trusted source and allows -certain- things like the Yahoo Companion Toolbar to be downloaded and installed, even though the user has absolutely NO download or install priveledges. IE lets the install occur as a SYSTEM process, not a USER process. (boggles the mind, doesn't it?)

Easy way to fix: you know how you can tweak your registry not to allow autorun features of CD-ROMs?
well, modify that tweak slightly so that autorun doesn't work on ANY drive, and suddenly the install program for toolbars and other crap just doesn't run. ever. and it's REALLY funny to watch too: Yahoo for instance says: Congradulations! You have successfully installed the Yahoo Companion Toolbar!
But you haven't....hehe

am i the only sys-admin who takes some perverse joy in imagining the looks on users faces when they realize they can't do all the stupid computer-wrecking they want to do?

HJ

You are definately not the only one. When I started implimenting all the security restrictions around the school I loved watching the students come into my lab and get all frustrated when they couldnt install chat programs and all that other crap.

These tweaks are excellent and I cant wait to try the one to stop the toolbars. Do you remember where you found the tweak to turn off autorun features and what you did differently?

You arent by chance on an AD Domain are you? If you are, you can set the group policies on the server to restrict the user and not the entire computer.

No, unfortunately my system requirements don't merit the use of Active Directory. we don't even have windows 2000 server. it's a small network.

Re: autorun tweaks. i did them manually with the CID tree, but after looking through Winguides, i found something similar that will work just as well (i tried it)
http://www.winguides.com/registry/display.php/156/
This tweak is normally for removable media like CD-ROMs and Floppy Drives, but if you set it for a hard drive, it will disable web-based, autorunning install programs. remember to clean out your Temp directory every now and then, because you will likely find alot of install programs sitting there doing nothing...hahaha
also: http://www.winguides.com/registry/display.php/1142/
this is a more comprehensive version on the above tweak.

have fun!

HJ