«

I need a windows 2003 account, which could only run Notepad, nothin
more. Account should be able to read and save files only from/to onl
one certaint directory. It would be perfect that an account would se
nothing else at all, e.g. clock, start menu and so on, but this is no
necessary. Important thing is, that the user could not run any othe
program, except Notepad.

Thank you for your ideas

--
aiwe
-----------------------------------------------------------------------
aiwex's Profile: http://forums.techarena.in/member.php?userid=3565
View this thread: http://forums.techarena.in/showthread.php?t=85756

http://forums.techarena.i

aiwex wrote:

> I need a windows 2003 account, which could only run Notepad, nothing
> more.


keyword: Software Restriction Policies

> Account should be able to read and save files only from/to only

> one certaint directory.


keyword: Access Control Lists

> It would be perfect that an account would see

> nothing else at all, e.g. clock, start menu and so on, but this is not
> necessary.


This is rather impossible. You want this account at least to be able to run
the explorer shell environment, and this already allows full read access to
every location where the user has read access, as well as all relevant
system information.

damn i hoped to find some tweak sowtware where i could tick programs
that certain user can run now i see i'll have to study a lot, but a
least i know it is possible. thank yo

--
aiwe
-----------------------------------------------------------------------
aiwex's Profile: http://forums.techarena.in/member.php?userid=3565
View this thread: http://forums.techarena.in/showthread.php?t=85756

http://forums.techarena.i

aiwex wrote:

> damn i hoped to find some tweak sowtware where i could tick programs,
> that certain user can run


You don't need any tweak software, the configuration of SRP is exposed via
the local security policy MMC applet.

> now i see i'll have to study a lot,


A lot? I think the concept is quite simple: SRP is whitelist mode only
allows the programs in the whitelist plus the ones in the default list to
run. This is enforced by the kernel (specifically the function
NtLoadImage()) as well as by the user shell (specifically CreateProcess(),
CreateRemoteThread() and LoadLibraryEx()). You can enforce this to only
non-admin users. Your only worries should be vulnerable trusted programs
(because then one could possibly inject arbitrary code into the process
memory, so better keep them up-to-date) and script interpreters (because
they load and run their kind of code in their very own fashion).

As for Windows 2000, there are various third-party programs which implement
something like SRP, as for example PolicyMaker Application Security (free
for private use) and Winternals System Manager.