Locking Down a Windows 7 Computer

[Phatty]

First off, forgive me. I've done some digging, but I'm a Windows 7 newb and I have a lot to learn. I have a production computer meant for factory users to use and I want to have it locked down. I've been using Windows XP and the "Policy Editor" (poledit.exe) to remove access to the control panel, remove lock workstation, block the task manager, and all kinds of stuff like that.

Now, our company is rolling out Windows 7 computers and Poledit doesn't seem to work with that. I keep getting an error "Cannot connect to Registry" when I click on the user to use it.

What is the best way I can lock down ONE user on a Windows 7 stand-alone machine? I don't want to restrict EVERY user on the machine like when I log in as "administrator". I tried the "Group Policy" editor that comes with it, but it wants to change every user. Is there something else I can use? Is there a way to get Poledit to work?

Also, another problem I'm having is getting auto-logon to work. The check box to require the user to logon is unchecked but I can't check it or uncheck it and I have administrative privileges, so I don't know why I can't click there and autologon isn't working.

Any help would be appreciated.

 

[Phatty]

I did some more digging and am inching my way forward. To start, poledit will work if I'm logged on as administrator. Group Policy will work for just one user if you run the User settings while logged in as that user.

I'm still working on a few more problems, though. I've disabled just about everthing I can think of and find, BUT when you click on the Start menu, it still shows programs they can select. I don't want ANYTHING to be visible there when they press the start menu. Any ideas for that?

Also, I'm trying to put start-up items in my locked down user when I'm logged in as Administrator and I keep getting "Access Denied" errors when I try to navigate to some folders. If I'm administrator, why would there be any "Access Denied" errors? What's up with that?

 

[logicearth]

Also, I'm trying to put start-up items in my locked down user when I'm logged in as Administrator and I keep getting "Access Denied" errors when I try to navigate to some folders. If I'm administrator, why would there be any "Access Denied" errors? What's up with that?

Those folders that deny access are junction points. You need the leave them alone. See the links in my signature.

 

[Phatty]

So, no one has any ideas on how to lock down the Start menu so it's either not accessible or bare when the user clicks on it? I'm pretty close to getting this finished, but that's a big one for me.

 

[TrigZ]

Wonder if i should let the cat out of the bag? ...... You can lock down a single user with Group Policy..... From what I have found out it is only a new feature in Windows 7.
Here's the instructions to apply Group Policies to a single user.

http://www.sevenforums.com/tutorials/151415-group-policy-apply-specific-user-group.html

Open mmc.exe -> File -> Add/Remove Snap-in
Select Group Policy Object Editor -> Click Add..... Now here comes the kicker
A new window appears -> Select Browse -> Now Select the User Tab -> Select the user you wish to apply local Group Policies too -> Ok -> Finish -> Ok
Now underneath Console Root you should have

Console Root
L Local Computer\*Useraccount* Policy

Expand this and you can now edit this Users policy.... This only affects That user!

There you have it. I have not been able to find these instructions anywhere on the web.... you have seen it here FIRST!

 

[Dwarf]

Excellent. Should prove useful to those who have multiple user accounts, and want to apply different policies depending on the user.

 

[Layback Bear]

Hey Dwarf; let us know if TrigZ post works.

 

[gregrocker]

A simpler method that may not be restrictive enough is to password your Admin-level account, then enable the Guest account or a Standard User account which will restrict most changes to the OS.

This is what I do when I have guests or let someone use my computer, and I've never had anything added I didn't want.

 

[Dwarf]

Hey Dwarf; let us know if TrigZ post works.

I haven't tried it myself, but here is someone who has, and he says that it works: http://www.sevenforums.com/general-discussion/150935-local-group-policy-editor-question.html

 

[artabrahamson]

We are using Inteset Secure Lockdown software. It's the simplest way we've found to lock down Windows and allows us to have different configurations per user.

 

[pcunite]

Use software restriction policies ... easy ... very secure. After this, just make sure the user's only have limited accounts.

How to make a disallowed-by-default Software Restriction Policy