How can I secure a publicly accessed PC?

I am new to security for PCs. We have a very small town public library. I need to find a way to secure the Internet. Let them use it as much as they want. Our main concern is to keep the homepage from being changed either by a user or some other program. I have founds ways to gray out the place where the user can make changes to the homepage. But, how do I keep the user from clicking "yes" if some site they visit asks them if they want to change the homepage?

Thank you.

 

well, one way could perhaps be turning off active-x, and then graying out the options menu, if you are using IE. that way the pop-up question should never even come up. but that may break the occasional site.

 

Perhaps javacools browser hijack blaster may be good for you http://www.wilderssecurity.net/bhblaster.html or Spyware Gaurd http://www.wilderssecurity.net/spywareguard.html

Also "Spybot search and destroy " has a settings to
(1) lock IE start page settings against user changes
(2) Lock IE control panel against opening from within.

http://www.safer-networking.org/index.php?lang=en&page=download
These settings are found on spybot by using the advanced mode. > Immunise>

 

I would agree, matters like spybot locking homepage wont guard against it being altered by such malware.

To be absolutely safe, turn everything off, Java,javascript/VB,activex

 

yea but a Library may require some of those settings to be active . Some times when we turn every thing off and are too paronoid we end up locking ourselves out of many resources , and some of these may ( or may not
be required by a public library .

 

if someone needs something on, they can ask an administrator/librarian to set what is necessary, or to put the site in a temporary trusted zone. but this assumes that you know the good sites from the bad. a good hosts file should help there.

 

If you are using IE with Win2k or XP you can use gpedt.msc.

Start->Run->gpedit.msc->Administrative Templates->Windows Components->Internet Explorer->"Disable Changing Home Page Settings" and set it to Enable.

IE also has a kiosk mode but it might be a little too restrictive depending on your users' needs.
http://support.microsoft.com/?kbid=154780

I also agree that java and activex should be disabled as well as file downloading.

 

Im sure there are quite a large number of sites that require java, javascript, and activex. But out of those sites, some of them are better off avoiding when using a public computer anyways. Some web based emails come to mind. I believe there was even a recent paper on hotmail being vulnerable to cross-site scripting attacks with java enabled. Not to mention certain privacy issues and what people might execute accidentally in emails. Most other "general" sites i encounter will usuaully work, but will sometimes lack certain features or not display as well with java and javascript disabled (I am a rather conservative internet surfer though). I guess there will always be that conflict between usability and security. Probably depending a lot on the users' needs and what this library would like to offer. DeepFreeze does look like a good option either way though

 

While looking at K-Meleon a while back, I ran across this site. It deals with browser security for libraries and also deals with filters and CIPA issues for libraries.
http://tln.lib.mi.us/~amutch/pro/browser/
BTW
Deep Freeze sounds good.