One of my many jobs is maintaining several computer labs here at the University. We have them pretty well locked down with a program called “fortres” which protects many things.
One thing I cannot protect is the Internet Explorer Home Page. When the machines are in Fortres mode, one cannot access the menu bar, but they can, if they’re at a site that allows it, can change the home page by clicking a link that states “Click here to make xxx.com your homepage!” The result is a lot of work changing the homepage back to something that is not porn or aol.com.
I even protected the registry entry but Explorer must be able to get past that. Is there any way to absolutely prevent that registry entry from being changed?
I don’t have a solution, but I do have a workaround. For the labs I’ve helped maintain, I write a little app that does all the local maintenance tasks like resetting registry entries, wiping temp files, wiping user filespace, resetting wallpaper, turning off screensaver, etc. I keep the app on the fileserver all the machines are attached to, and run it periodically on each machine (as a chron job at 6 am or on startup, depending on whether the lab protocol called for shutting down machines at night).
This doesn’t really fix the problem that users are able to do things they’re not supposed to do, but it makes cleanup easy.