[WEB4LIB] Re: Controlling User Files

[Jeff Eisenberg]

Actually, there is a "semi" decent solution to locking down directories
in Office apps without having to purchase third party products like
Driveshield or WinSelect.  I tend to steer away from the 'state
restoration' solutions because it requires a full reboot after each use
which can be a little time consuming as well as expensive for licensing.

I have been designing public access workstations for about two years now
and have yet to see any library that is successful in locking down the
obvious security holes.  The reason it's difficult to lock down
directories in Office is not because of caching but because Microsoft
designed a different file open dialog box.  Here are some techniques and
solutions that I have used.  Maybe it would be helpful for you:

1.	There are two Microsoft "system" Polices regarding drives.  One
hides drives and the other denies access:
	a.	If you hide drives (fyi -- you can modify the adm files
to add additional entries for specific drives to hide), you can still
see it in the path field in the file open dialog box or if you manually
type the path in.  However, if you set the default path for something
other than the C: drive, then you manually have to enter in the path in
order to see it.  Most people don't know to do this.  Also, on Win 2K
and later, if you have only set the policy to hide drives, you can set
the full path for the users desktop (ie, c:\docs and
settings\user\desktop).  In the file open dialog box, you then only see
the desktop and my computer but not the C: drive.  It's much cleaner
this way.
	b.	If you choose to deny access in policies, then the user
can't get to the C: drive at all (or other drives you choose to deny
access to).  When you open the file open dialog, there is a quick error
regarding no access and the path defaults to "My computer".  This is
clean also, if you don't mind getting the error.  I've been looking in
to a way to get the path to default to "My Computer" to avoid the error
message but I can't find a way.  This is because "My Computer" is a
virtual drive and not a real path.  Anyone know a trick to doing this?

2.	I've seen lots of libraries that go through the trouble of
locking down the C: drive so that users can't do damage even if they
figure out how to browse it using the "file open dialog", however, they
don't take out dangerous menu items.  Using the customization features
of Office, you can remove any menu items patrons shouldn't have access
to.  It's easy to open the Vis Basic tool and run a command prompt or
any other utility you may want.  Libraries should remove uneeded menu
items and then lock them by "disabling items in user interface" in
Office policies.

3.	Finally, you can figure out which registry entries correspond to
the users toolbar and deny access to the patron account so that the
toolbar resets itself back to the original position if it's moved around
by a patron.  Most libraries I've tested, you can screw around with the
toolbar and other preference, reboot the computer, and it sticks.  By
denying access in the appropriate places in the registry, you can have
toolbars reset themselves on logout, yet give the user the freedom to
move them around duing his/her session.

Hope this is useful for any of you out there doing PACs.

Jeff Eisenberg
System Engineer
Galecia Group/Infopeople
http://www.galecia.com



-----Original Message-----
From: web4lib at webjunction.org [mailto:web4lib at webjunction.org]
On Behalf Of Jacque King
Sent: Friday, November 29, 2002 7:51 AM
To: Multiple recipients of list
Subject: [WEB4LIB] Re: Controlling User Files

Hi Andrew,

I too have come across some of the frustrations you have with trying to
lock down what directories a patron has access to.  You are right,
Office
apps are the worst culprit because they use cached settings which gives
them access to C:\Winnt even though you restricted it.  Also, hiding the
drives doesn't always work well because they are unaccessible to apps
that
may need them.  I tried hiding drives too but had a fit trying to fix
things that broke afterwards.

Here's my solution:  purchase DriveShield from Centurion Technologies at
http://www.driveshield.com/driveshield.htm -- it is relatively
inexpensive
(approx $30/license for Libraries) and it works great. DriveShield write
protects the hard drive except for a small writable space.  All file
saves
and installations are re-directed to the writable space, which is wiped
clean on re-boot. What this means is that patrons can save to the hard
drive, delete files, re-format, whatever.  Then, all you need to do is
reboot the PC and it is restored to a known good state.

When I first read about this I thought patrons would be doing all kinds
of
installations, etc. and that we would need to reboot the PCs constantly.
What we have found is that this is not at all true.  Because patrons can
save things easily, they actually do less damage then before.  Now, our
Internet stations pretty much maintain themselves.

Believe me, this has been a real time saver.  Now, I just lock down
access to the network, ability to add or delete printers, etc., but I
allow patrons to save anywhere on the hard drive.  Machines get rebooted
nightly so each morning we have a fresh machine.

We've had DriveShield installed on roughly 20 workstations for a few
months now and the machines are running smoothly.  We have over 100
public
workstations and I'm getting ready to beg for the money to install it on
all of our public machines.

Oh--you can also download a free demo!  Give it a try, I think you'll
like
it.  Also, feel free to call or write with questions.

Hope this helps,

Jacque King
Library Technical Support Specialist
Fort Collins Public Library
201 Peterson Street
Fort Collins, CO  80524
(970) 221-6716
king at julip.fcgov.com