Pupils accessing servers and shared folders

[faza]

Its so hard just tio remove the servers from the list so pupils cant access them or see them.

[mattx]

the pupil workstation will not be able to see the server to get things such as application and stuff.

No they won't - it depends how you have setup the apps etc.
You may have a problem with Net View - but who uses that ?

[faza]

We have a serpate apps server and the shortcuts go to that server

[richardp]

Hi,

You need to go into group policy management and edit your top level policy. Go to User Configuration / Administrative Templates / System. In the top level of System there is an option called "Don't run specified Windows applications". You need to enable this and add "explorer.exe" to the list of disallowed applications (by clicking on properties on the above item).

This stops a user from launching any program in that list but does not prevent the system process from doing so. Which obviously allows the shell to run correctly. This is not perfect but if you do this as well as prevent access as I mentioned earlier it should stop them from doing what you have described.

Richard

[faza]

Its still happening :-(

[faza]

richardp - When a user double clicks on programs explorer still opens.

[richardp]

Hello again,

it sounds to me like you have not enabled the other relevant group policy options. As BKGarry said before you cannot completely block the explorer process as it is the shell for windows and is required. I have gone through our top level default group policy and picked out what I think are all the relevant options you need to look at :

User Configuration \ Administrative Templates \ Windows Components \ Windows Explorer
Removes the Folder Options menu item from the tools menu - ENABLED
Remove File menu from windows explorer - ENABLED
Remove "Map Network Drive" and "Disconnect Network Drive" - ENABLED
Remove Search button from windows explorer - ENABLED
Hides the manage item on the windows explorer context menu - ENABLED
Hide these specified drives in My Computer - Restrict C drive only - ENABLED
No "Computers Near Me" in My Network Places - ENABLED
No "Entire Network" in My Network Places - ENABLED

User Configuration \ Administrative Templates \ Start Menu and Taskbar
Remove My Documents icon from the Start Menu - ENABLED
Remove Documents menu from Start Menu - ENABLED
Remove Network Connections from Start Menu - ENABLED
Remove Search menu from Start Menu - ENABLED
Remove Run menu from Start Menu - ENABLED
Remove Drag and Drop context menus on the Start Menu - ENABLED
Prevent changes to Taskbar and Start Menu settings - ENABLED
Remove access to the context menus for the taskbar - ENABLED
Do not use the search based method when resolving shell shortcuts - ENABLED
Do not use the tracking based method when resolving shell shortcuts - ENABLED

User Configuration \ Administrative Templates \ Desktop
Remove My Documents icon on the desktop - ENABLED
Remove properties from the My Computer context menu - ENABLED
Hide My Network Places icon on desktop - ENABLED
Prohibit user from changing my documents path - ENABLED
Don't save settings at exit - ENABLED

User Configuration \ Administrative Templates \ Network \ Network Connections
Prohibit access to the New Connection Wizard - ENABLED

User Configuration \ Administrative Templates \ System
Prevent access to the command prompt - ENABLED
Prevent access to registry editing tools - ENABLED
Don't run specified Windows applications - ENABLED - explorer.exe

By enabling the above options my users are unable to access the network apart from through server shares mapped to drive letters in the main vb login script. Even if they do as you describe they can never get to a point where they can see the network or any icons for it. Even if they run my computer and type in a network path (such as \\servername\sharename) it returns an error message.

Again you should also be looking at your share permissions at the same time so if they do somehow manage to get to the network they will be unable to access any shares that they should not have access to anyway.

I hope some of this helps, I am no expert with AD but it seems to work for me!

Richard

[apur32]

richardp - When a user double clicks on programs explorer still opens.

We have the same problem at our school which I have just noticed today. Are the group policies given by richard work or not?

Are the students still accessing the server shares?

Thanks,

Shoaib