[Web4lib] Windows 7 and Public Computers

Robert Sullivan robert.g.sullivan at gmail.com
Thu May 20 11:13:04 EDT 2010 

> We've been spoiled by not having to pay for DeepFreeze or any of it's
> companions, so I'm wanting to try and stick with a free (as in beer)
> alternative.
>
> I tried for days to get local mandatory profiles (Our public computers
> aren't on a domain) working for me in 7, but I failed every time one way or
> another.
>
> The only idea I've had so far is to zip up the c:\users\[public profile]
> directory, with security and permissions, and to unzip it via login and
> startup scripts.  In _my_ testing, this seems to have worked to stop most of
> the changes, but not always everything.  I've got a few machines I just
> installed for the public that I'm waiting to see how bad they get mangled
> after a week or two.

I haven't paid close attention to this for a while - we've been using
a Steady State setup created by our consortium and are migrating to
DeepFreeze (still XP) - but we used to have a pretty secure setup
using NTFS permissions and registry modifications.

There is a lot more information out there now about this than there
was when I started working with Windows NT in the late 90s.

If I were beginning this today, I would start right off with the free
KiXtart scripting program at kixtart.org - I found it to be the
easiest way to do large-scale registry manipulation.  It has developed
a large enough following that Bob Kelly wrote a book about it:

<http://www.amazon.com/Finish-Scripting-Kixtart-Guides-Agility/dp/1932577092>

which you'll want, along with something to give you a solid
understanding of how NTFS permissions work.

Note that Windows got more finicky over time about permissions and
profiles - by the time XP came out some methods which worked in prior
versions would just disable the computer if you tried them, and it
probably got worse in Vista (which we never used).

I would say that you could probably get 80-90% secure with permissions
and registry modifications and then you would want to go with some
kind of reimaging solution.  IMHO, the amount of time you would spend
getting that last 10-20% would not be cost-effective.

In recent years my customizations have been focused less on security
and more on "quality of life" issues like automatically disabling the
XP and Google Toolbar popup blockers for certain sites (some of which
can only be done through the registry or policies).  My experiments at
home with Windows 7-64 suggest that many of the software-specific
modifications from earlier versions will still work, but I have a
feeling you may total a few machines while you're figuring out the way
to handle profiles - you'll need that reimaging tool I mentioned. :-)

I have used Acronis True Image at home and it's very nice - not sure
how it works on an organizational scale.  There are free solutions out
there, but I haven't tried them.

Hope this helps,

-- 
Bob Sullivan
Schenectady Digital History Archive
<http://www.schenectadyhistory.org/>
Schenectady County (NY) Public Library

More information about the Web4lib mailing list