Here’s a little quickie someone asked me today. Note it didn’t look like the person asking had the computers on a domain, so I gave only the simple answers.
Q: I have two illiterate users on my network and they click on everything they see. They also insist on installing random software. I can’t give them a guest account because that interferes with certain software they need to use. I would like to give them ‘computer administrator’ accounts (they’re on an XP pro machine) but still make sure they can’t infect the machine with all sorts of malware. Any suggestions? To reiterate, all I want to do is control they software they install, etc. They still need to be able to create files, have access to already installed software, etc.
A: Unfortunately, the best way to handle this situation is to bite the bullet and do exactly what you say you don’t want to: remove them from the Administrators group and put them in a limited account. No other way around it. Getting them out of the Administrators group won’t interrupt their ability to use already installed software or create files in directories they have permission to write to, but it will prevent them from installing [most] software.
I always suggest installing SiteAdvisor. It’s a free browser extension that attempts to warn you when you’re at a bad website. I like it because it passively trains users to recognize bad websites. You can also have them use OpenDNS to block access to certain classes of websites.
Re-imaging nightly is a possibility, but overkill I think. You can do it with Deep Freeze or Norton Ghost.
I know there are better solutions out there, I just didn’t have the time to remember all of them. Anyone care to help this guy out in the comments?
Thank you. I was looking for deep freeze but couldn’t remember the name. Also, there is a MS product called Steady State that might be of help but i haven’t tried it yet.
Steady State: http://www.microsoft.com/downloads/details.aspx?FamilyID=d077a52d-93e9-4b02-bd95-9d770ccdb431&displayLang=en