How to keep people from installing stuff on my computer???

Hey there,

I have recently been assigned the task of maintaining a few computers for use by the public. I work at a hotel, so they are open to all guests as well as their kids. Their primary purpose is to check email, print airline tickets, ect... Of course then we have these little bast**ds who download games, porn, and inadvertently- infect it with more than 100 spyware infections weekly.

You all know the trick where you download a "porn video" and then it says you have to download a "special codec" for it to play; or, you download a game, and then it says "your computer is infected, click here to scan for free", and in turn the "scanner" turns out to be the spyware- well, this happens constantly, and whereas I like getting a few extra hours here and there, I don't like being called on my day off because the machine is totally fubar.

I am looking for a way to restrict users from installing software, and especially software that installs randomly named *.dll files in the system32 folder, and then attaches those dlls to explorer.exe or some other system process(s). When I run spybot, or when I try to delete the offending .dll files manually, the hijacked processes immediately re-spawn the deleted file(s). I don't know exactly what this type of spyware is called, but it is a serious pain in the a**. Especially since the randomly generated filenames prevent searching online for a match. (What happened to the good old days where spyware was a single .exe file? )

I have tried setting the user's permissions for system32 to nothing, save the SYSTEM user, but that just prevented the user from logging on. I have also thoroughly been through gpedit.msc's options, but nothing I have found does the trick. I also require that the user be an administrator, since the monitoring software I use seems only to work with admin privelages.

Does anyone have any ideas? Is there any way to limit access to the Windows folder (and subfolders) and the Program Files folder so that the system can have access, but the user cannot (except for saving documents, pictures, ect... (not absolutely necessary, BTW))

Thanks in advance!

 

Oh I hope you get a solution as I have the same problem.

 

What version of Windows/what service pack is installed?

 

Pro SP2 32bit

 

I would recommend using Windows SteadyState, the link is here:

http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

 

I would recommend using Windows SteadyState, the link is here:

http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

 

I would suggest deepfreeze. It will allow people to do as they please then when you reboot the system is back to square one. Just make sure you install a base system so you dont have to reload everything everyday.

 

Awesome, I think I found the solution- DeepFreeze, combined with Anti-Executable...

"Deep Freeze helps eliminate workstation damage and downtime by making computer configurations indestructible. Once Deep Freeze is installed on a workstation, any changes made to the computer—regardless of whether they are accidental or malicious—are never permanent. Deep Freeze provides immediate immunity from many of the problems that plague computers today—accidental system misconfiguration, malicious software activity, and incidental system degradation."

"Anti-Executable prevents the launch or installation of any type of unlicensed or unwanted executable with a revolutionary whitelist concept. On install, Anti-Executable performs a deep scan of the computer and authorizes all programs on it using our proprietary Quintuple Verification technique. From that point on, any other executables including games, chat programs, spyware, or viruses, are deemed unauthorized and will not run or install"

This sounds like exactly what I was looking for, thanks everyone for the help.

 

I hope DeepFreeze will allow you to only use non-admin accounts for all those guest users because letting them log on to an admin account is major problem here. Those folks should not be using an admin account.

 

Well deepfreeze will supposedly restore to a default disk image daily if I want it to, so it shouldn't matter what anyone does, right? I don't want to keep people from installing respectable software, like if they need to use some proprietary business software, or, for example, certain online college courses require activex modules... I just want to stop IMs, games and porn "codecs".

Supposedly, anti-executable will let me specify what can be installed, and even if they circumvent that somehow, deepfreeze should correct it... Unless I am missing something????... Most of the users are not malicious, they are causing damage, mind you, but not intentionally- they just don't know any better. If they really wanted to be a dick, there's nothing I or anyone can do against someone of even my limited skill who's set their mind on causing problems.

I am simply looking for that ever-illusive balance between drunken-prom-date vulnerable and steel-reinforced-bunker lockdown. Hopefully the aforementioned will provide it...

Thanks again