Show me the best way to configure Limited User A/C.
chew
January 20th, 2006, 07:05 PM
Folks, I want to enhance my Limited User a/c security to the max but am not really sure exactly what steps I need to take. I mainly log on as LUA with its default settings without changing anything. So could you show / advise me on the best way to configure my LUA so the security is to the max please. I do not surf dodgy sites but feel I just need to tighten the security further, that's all. The only downloads I do on my LUA are to update my Firefox extensions, update AV & Ewido security defs, save documents to LUA's documents and perform CCleaner & MRU Blaster. Please advise. Cheers Chew
Mrkvonic
January 21st, 2006, 09:30 AM
Hi,
Restriction Policies for that account will be extra security.
Mrk
chew
January 21st, 2006, 08:23 PM
Thanks Mrkvonic. But where do I find the restricted Policies to configure? Cheers Chew
Mrkvonic
January 22nd, 2006, 01:16 AM
Hi,
Type gpedit.msc in run.
You'll get to policies management console.
There you can configure computer or user rules.
For instance, you can prevent the changing of the homepage, running of executables etc. This may be a daunting task at first, but go slowly, read what each option means, and you'll get it.
To help you get started, here are a few nice ones:
Local configuration
These are GLOBAL settings
Administrative templates
Windows components
Internet Explorer
Security Features
Go over these and lock some of these features if you like - no changing the homepage, no changing the internet options etc.
User configuration
These are USER settings
You probably want to lock the homepage and desktop.
You probably want to prevent installation and downloads of files.
Administrative Templates
Windows Components
Internet Explorer
In the right pane you can see now
Disable the General / Security / Programs etc page - select them all, the user will have no right click option access to IE properties.
Toolbars
You might wanna disable custom toolbars?
Security Features
Mk Protocol Security Restriction
Restrict ActiveX install
Restrict file download
Local Machine Zone Lockdown Security
Protection from zone elevation
Now under Microsoft Management Console:
You might wanna see several options here - what the local user can or cannot see.
Windows Installer
You might wanna prevent removable media for source install.
Windows Update
You might wanna force it.
Under Start Menu and Taskbar
Loads of nice options, try them.
Desktop
You can prohibit changing and moving icons, desktop wallpaper, path to my documents etc.
Control Panel
You can prevent access to control panel or hide certain items from it.
System
THIS IS VERY IMPORTANT.
Prevent access to registry editing tools.
Run only / Don't run ... specific Windows applications - here you can allow only certain applications to be run. NOW BE CAREFUL. IF YOU MAKE THESE CHANGES UNDER LOCAL SETTINGS - THEY WILL AFFECT EVERY USER. MAKE THEM ONLY FOR LOCAL USER. MAKE SURE THAT ADMINISTRATOR HAS MMC.EXE ALLOWED - SO YOU CAN ACCESS AND EDIT THESE OPTIONS. IN WORST CASE, YOU WILL HAVE TO BOOT TO SAFE MODE TO MAKE CHANGES.
However, this is neat.
This option only limits Windows Explorer files.
You can still run them using cmd.exe - so you might wanna not let the local user have this. Plus this does not 'hurt' the Task Manager processes, so your drivers will load.
Turn Off Autoplay.
Additionally, there are some very nice tricks:
First, the user can see his own set of policies by typing rsop.msc in run. You can disable that. You can also disable the command (cmd) and regedit to prevent any tampering. Command lines can also get around some of the restrictions on executables (for desktop), so you might wanna consider this.
You might also want to disable the mmc.exe (the management console) for the limited user, so they cannot access and try to change anything.
For your own sake, you can use the policies to disable / enable services, shut down the messenger, prevent tracking of recently opened documents, clear page file on shutdown etc.
That's it for now.
Enjoy.
Mrk
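A read-only way to confirm, from the limited account, that several of the settings listed in the post above actually took effect. This is an added example, not part of the original thread; the registry paths and value names do not appear in the thread and are the per-user locations that these Administrative Templates settings write to.

```powershell
# Added example: read-only audit of the per-user policy values behind some of
# the settings discussed above. Run it as the limited user; it changes nothing.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$checks = @(
    @{ Name  = 'Prevent access to registry editing tools'
       Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DisableRegistryTools'; Pass = { param($v) $v -ge 1 } },
    @{ Name  = 'Prevent access to the command prompt'
       Path  = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Value = 'DisableCMD';           Pass = { param($v) $v -ge 1 } },
    @{ Name  = 'Run only specified Windows applications'
       Path  = $explorer
       Value = 'RestrictRun';          Pass = { param($v) $v -eq 1 } },
    @{ Name  = 'Turn off Autoplay (all drives)'
       Path  = $explorer
       Value = 'NoDriveTypeAutoRun';   Pass = { param($v) $v -eq 255 } }
)

function Get-PolicyValue($Path, $Value) {
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Value -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Value } else { $null }
}

$report = foreach ($c in $checks) {
    $v = Get-PolicyValue $c.Path $c.Value
    [pscustomobject]@{
        Policy = $c.Name
        Raw    = if ($null -eq $v) { 'not set' } else { $v }
        Status = if ($null -ne $v -and (& $c.Pass $v)) { 'enforced' } else { 'NOT enforced' }
    }
}
$report | Format-Table -AutoSize

# Lockout check from the post: when an allow-list is active, print it and flag
# a missing mmc.exe. That is expected for the limited user, but a lockout risk
# if the same output shows up under the administrator account.
$allowKey = Join-Path $explorer 'RestrictRun'
if (Test-Path $allowKey) {
    $key = Get-Item $allowKey
    $allowed = $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
    "Allowed applications: $($allowed -join ', ')"
    if ($allowed -notcontains 'mmc.exe') { 'mmc.exe is not on the allow-list for this account' }
}
```

Running the same script under the administrator account shows whether a restriction was applied more widely than intended.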
N1ckR
January 22nd, 2006, 06:28 AM
Just to add, this is something I have started delving into and it is VERY effective. I've locked down IE, so users cannot change cookie and security settings, or install additional toolbars.
Does take a lot of time in testing to make sure things work correctly.
N1ckR
January 22nd, 2006, 03:07 PM
I totally forgot, some useful info linked from a thread I started earlier this week:
http://www.wilderssecurity.com/showpost.php?p=659918&postcount=2