If I read you right they will only be accessing the website thru this Terminal Service. If this is the case there are a few settings you would need to set to lock down the system. It is not just IE you have to think about.

User Configuration > Windows Components > Windows Explorer
    Hide These Drives in My Computer: Enabled (Restrict a,b,c,d drives only)
    Remove "Map Network drive and disconnect network": Enabled
    Remove CD Burning Features: Enabled
    Remove Hardware tab: Enabled

Start Menu and Taskbar
    Remove Run menu from Start Menu: Enabled

Another area to look at is
http://download.microsoft.com/download/d/8/b/d8b21533-a5bf-4d46-8878-ebbf834fc6f7/Win2003_Teminal_Server_Lockdown.doc

I found that document invaluable when I had to create a locked down TS system.

One item to note: you're gonna want to make the TS system part of the domain, definitely, and use group policies to apply the settings, as it makes it hard to change settings once you lock it down if you do it on the local policy.

Jeff Cothern

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charlie Kaiser
Sent: Friday, August 26, 2005 6:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GP setting for IE lockdown

I've been tasked with the following project...

Provide access for partner company personnel to a LOB app and our intranet via a terminal server session [1]. The IE session should allow access to the intranet site and nothing else, no internet, no local machine, no customization.

Plan is to create a VM with the appropriate restricted desktop access and the LOB app. That part's ok; however, I'm having trouble finding good info on securing IE so that it can only get to our intranet. I can set a non-existent proxy and add our intranet to the proxy bypass sites; that's easy enough. What I can't remember is how to lock down IE so no one can type "c:\" or some other folder name and get to the local file system. I tried the NoFileURL setting under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, but it's not restricting the test user. Anyone remember a good way to prevent local file system access through IE?
A good ADM file that chokes IE to the bone would be nice, too, but I haven't found one of those lately either. My Google Mojo isn't working today...

Thanks!

[1] I know; running IE on a server is bad juju. That's why it's going to be in a snapshotted VM I can wipe daily. :-) You don't want to know how ugly the other alternatives were...

**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
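
Added example, not part of either message: a PowerShell check, run inside the restricted user's Terminal Server session, that reports whether the registry values behind the User Configuration settings listed in the reply have actually reached that user. The value names and the NoDrives bitmask are the standard Explorer policy values and are not stated in the thread; the function names are made up for this example.

```powershell
# Added example (not from the thread). Run in the restricted user's TS session.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Registry value -> expected data for each User Configuration setting in the reply.
# NoDrives is a bitmask (A=1, B=2, C=4, D=8, ...), so "A, B, C and D only" is 15.
$expected = [ordered]@{
    NoDrives               = 15  # Hide these specified drives in My Computer
    NoNetConnectDisconnect = 1   # Remove "Map Network Drive" and "Disconnect Network Drive"
    NoCDBurning            = 1   # Remove CD Burning features
    NoHardwareTab          = 1   # Remove Hardware tab
    NoRun                  = 1   # Remove Run menu from Start Menu
}

function Get-PolicyValues {            # hypothetical helper name
    param([string]$Path)
    $values = @{}
    $item = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($n in $item.GetValueNames()) { $values[$n] = $item.GetValue($n) }
    }
    $values
}

function ConvertFrom-NoDrivesMask {    # hypothetical helper name
    param([int]$Mask)
    # Bit 0 is A:, bit 25 is Z:
    $letters = foreach ($i in 0..25) {
        if ($Mask -band (1 -shl $i)) { [char](65 + $i) }
    }
    -join $letters
}

function Test-ExplorerLockdown {       # hypothetical helper name
    param([System.Collections.IDictionary]$Expected,
          [System.Collections.IDictionary]$Actual)
    foreach ($name in $Expected.Keys) {
        $have = if ($Actual.Contains($name)) { $Actual[$name] } else { $null }
        [pscustomobject]@{
            Value    = $name
            Expected = $Expected[$name]
            Actual   = $have
            Applied  = ($have -eq $Expected[$name])
        }
    }
}

$report = Test-ExplorerLockdown -Expected $expected -Actual (Get-PolicyValues $key)
$report | Format-Table -AutoSize
$mask = ($report | Where-Object Value -eq 'NoDrives').Actual
if ($null -ne $mask) { "Drives hidden for this user: $(ConvertFrom-NoDrivesMask $mask)" }
```

A row with Applied = False after `gpupdate /force` and a fresh logon means the GPO is not linked or filtered to that user.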