David Litchfield Wrote:

>This policy can be broken in a matter of minutes:
>On running MS Word a user clicks on File on the Menu Bar, and goes down
>to Open. They are shown a list of directories and files. The user could
>try to right click on a folder and go down to Explore but the right-
>click menu has been disabled; So instead they drag a folder to the Start
>Button on the Taskbar and release. .....

---------
This can be avoided by selecting a custom start menu location from the network where they do not have write access. This also aids in overall remote desktop management.
---------

>This will place a shortcut to that folder on the Start Menu. This
>shortcut will be stored in their profile directory. On clicking on it,
>Explorer is opened up, which not normally have direct (ie non-shell)
>access to. The default WINNT directory has been hidden from view by the
>system policy - however, by clicking on Tools on the Explorer Menu Bar

---------
The "tools" and "view" can be restricted via policies as well. End of that particular scenario.
---------

>Even if .reg has been dis-associated from Regedit.exe, by default a normal
>user has the relevant permissions to re-associate it. This is done from
>the Folder Options option found under View on the Explorer Menu Bar.

---------
The "view" can be restricted via policies as well.
---------

>To stop this from happening the Administrator should only give Admins
>access to regedit.exe and regedt32.exe using NTFS file permissions and
>deny access to everyone else.

---------
I agree.
---------

>As can be seen, even a restrictive but at least useable System Policy
>can thus be broken. It is not simply enough to create a policy. A lot
>more work needs to go into this if Admins wish to limit and restrict what
>their users can and cannot do.

---------
I disagree, a well designed policy can very effectively restrict typical end-users.
It will be very difficult to successfully manage Windows 2000 without intimate knowledge of system policies.
---------

Collin Chaffin
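
An added example, not part of the original post or thread: a PowerShell audit of the NTFS permissions on regedit.exe and regedt32.exe, the restriction both writers agree on. The allow-list (Administrators, SYSTEM, plus TrustedInstaller, which owns these files on current Windows) and the default file locations are assumptions of this example.

```powershell
# Added example: list every principal, other than the allow-listed ones,
# that holds an Allow entry with execute rights on the registry editors.
# Assumption: only these SIDs should be able to run them.
$allowedSids = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Assumption: default locations of the two editors.
$targets = @(
    (Join-Path $env:SystemRoot 'regedit.exe'),
    (Join-Path $env:SystemRoot 'System32\regedt32.exe')
)

# ExecuteFile (0x20) plus the generic rights that imply it:
# GENERIC_EXECUTE (0x20000000) and GENERIC_ALL (0x10000000).
$executeMask = 0x20 -bor 0x20000000 -bor 0x10000000
$sidType     = [System.Security.Principal.SecurityIdentifier]

$findings = foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not found: $path"
        continue
    }
    $acl = Get-Acl -LiteralPath $path
    # Explicit and inherited entries, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $grantsExecute = ([int]$ace.FileSystemRights -band $executeMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $grantsExecute -and
            $allowedSids -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path      = $path
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No Allow entries with execute rights outside the allow-list.'
}
```

The script reports Allow entries only; a Deny entry on the same file can still override a listed Allow, so a finding should be checked against effective access.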
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:36:30 PDT