Seconded for Steady State, I use it a lot for this. Machine reboots at log off and resets itself - usually I just allow IE and MSN Messenger and a 30-minute timeout.

On Fri, Mar 27, 2009 at 2:27 AM, Ben Nordlander <bennordlan...@gmail.com> wrote:

> You might take a look at Microsoft SteadyState too if u do go Windows.
>
> -BenN
>
> On Mar 26, 2009 9:53 AM, "Ben Scott" <mailvor...@gmail.com> wrote:
>
> On Thu, Mar 26, 2009 at 11:07 AM, James Rankin <kz2...@googlemail.com> wrote:
> My initial idea, in ...
>
> I'd only use a VM if I wanted the users to have relatively free
> rein on the machine during their session -- that way I could roll it
> back after. If you just want a web browser, I think it's prolly
> easier to just configure a restricted user. That way they can't even
> muck around with stuff *during* their session.
>
> I'd use something like LTSP (Linux Terminal Server Project) or
> ThinStation. I'd set-up one server to push DHCP, boot files, and (if
> needed) network file systems out to the clients.
>
> I'd use a user account on the clients that's got a mostly read-only
> user home directory. (Unlike Windows, Unix will generally work even
> if the user's home directory isn't owned or writable by them.)
>
> I think the only things that the user would *need* to be able to
> write to would be /tmp/ and the browser cache directory (typically
> something like $HOME/.mozilla/firefox/default/cache/). I'd suggest
> having them use USB flash drives if they want to be able to write or
> save files.
>
> If you have to provide a writable directory, just grant write to
> $HOME/Desktop or something like that. And warn them their work won't
> be saved between sessions.
>
> I'd configure conservative browser settings, and then lock them
> against changes. With Firefox, this is done by changing the
> user_pref() or pref() directive to lock_pref(). Possibly use a kiosk
> mode configuration.
>
> I'd mount the home and /tmp partitions with the "noexec" option, so
> if the user did manage to download a program, the system would refuse
> to execute it. It should be possible to tell the auto-mounter to add
> "noexec" to any USB drives as well.
>
> -- Ben

--
Gavin Wilby,
Twitter: http://twitter.com/gavin_wilby
GSXR Blog: http://www.stoof.co.uk

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
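
A check for the "noexec" mounts suggested in the quoted message, as an added example that is not part of the thread: the script reads a mount table in /proc/mounts format and reports which of the listed mount points lack noexec. The sample table and the function names has_noexec and audit are constructed for illustration.

```shell
#!/bin/sh
# Audit a mount table (same format as /proc/mounts) for the kiosk layout
# discussed in the thread: home, /tmp and USB mounts should carry "noexec".

# Constructed sample input, not taken from a real machine.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /home ext3 rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /media/usb0 vfat rw,nosuid,nodev,noexec,uid=1000 0 0'

# has_noexec TABLE MOUNTPOINT
# Exit 0 if the mount point's option list contains the exact token "noexec",
# 1 if it is mounted without it, 2 if it is not a mount point in TABLE.
# When a mount point appears more than once, the last entry wins, because
# later mounts shadow earlier ones.
has_noexec() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp {
            found = 1; ok = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "noexec") ok = 1
        }
        END { if (!found) exit 2; if (!ok) exit 1; exit 0 }'
}

# audit TABLE MOUNTPOINT...
# Prints one line per mount point that fails; returns 1 if any failed.
audit() {
    table=$1; shift; rc=0
    for mp in "$@"; do
        has_noexec "$table" "$mp" && st=0 || st=$?
        case $st in
            0) ;;
            1) echo "FAIL $mp: mounted without noexec"; rc=1 ;;
            2) echo "FAIL $mp: not a separate mount point in this table"; rc=1 ;;
        esac
    done
    return $rc
}

# On a live system: audit "$(cat /proc/mounts)" /home /tmp
audit "$SAMPLE_MOUNTS" /home /tmp /media/usb0 || true
```

A path that is not its own mount point shares the options of the filesystem it sits on, which is why the script reports that case separately instead of treating it as a pass.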