Thanks again to all who helped on my previous thread on this subject. With Search disabled, though, I have to start a new thread rather than continue the previous one.
I’ve got MSIE restricted to the sites it can visit, but I need some further restrictions.
On a computer with two profiles–one Administrator, one Limited–I need to limit the software that the Limited user can use. Is that possible? Is it possible to “uninstall” the software from one profile but leave it available to the other?
Again, we have an employee who spends all day downloading and surfing, but the other manager and I use the same software for legitimate work tasks. Can we make the Limited user profile be absolutely bare bones–Windows, Office, and virus stuff only–and requiring a password to install anything? But at the same time, on the same computer, allow the Administrator to use and download anything we want on our other profile?
Create a group for each application you wish to restrict - e.g. for Excel, create a group called Excel-Users - and apply NTFS permissions to the application (e.g. Excel.exe) such that normal users have list-only access and the Excel-Users group has Execute (RX) access and Admins have Full Control. Put everyone who needs to use Excel in the Excel-Users group. Beware of inherited permissions!
The same, but reverse: create groups for those applications you wish to block - e.g. Excel-Blocked - and put the users in the the blocking groups. Then apply NTFS permissions such that that group has the No Access permission. Be careful: this permission overrides everything else.
The second method is quicker and dirtier but the first is better practice.
As for installing stuff, if the guy only has User privs, he shouldn’t be able to install anything anyway. I believe you can lock down the CD, floppy, and USB ports via the registry, but I used a specialist app (the name escapes me) to do this as this was for a site of 1000+.
This seems like a very complete solution to my problem. With only one drawback: I have no idea what you’re talking about!
I’m not a computer person. That is, I have gobs of experience with design software, but I don’t know diddly from admin/system/windows stuff. Can I prevail upon you for a more step-by-step approach to your instructions? Thanks very very much.
You do not have a computer problem…you have an employee problem. Trying to corral employees in an XP environment that does not deal in group permissions is a PITA.
You may want to consider setting up an account with open DNS and you can put the stuff you use on a list and block everything else.
In vista this is childsplay…the parental/employee restriction tools are awesome.
I don’t have Vista. I work in a video store, which makes basically zero profit. So we’re pretty basic. And of course this is an employee problem, but for personal reasons of my boss’s, firing the employee is not an option.
So for someone for whom the phrases “create a group” and “setting up an account with open DNS” have as much meaning as “λεξικό δεν βρήκε καμία λέξη,” can someone walk me through this one? Thanks again.
its a free service…and fairly simple to setup even for someone with minimal pc skills.
One of the features is something called “whitelisting” which only allows access to a set of specified websites/domains. So the site for a parts vendor for example can be whitelisted/allowed while everything else is blocked.
Since this is working with Windows security and you have the ability to comprehensively muck things up, I suggest you get in a professional to do this for you. Or simply fire the lazy bugger.