Building safe environment for coding
This posting could go in one of many of the forums, but this one may have the best-informed readers. I hope.
I've spent much of the last few weeks trying - and, on the whole, failing - to get an environment together allowing older students to program i.e. create and run arbitrary .exes without it being too easy for them to trash the computer or network. I've gone through a few iterations:
1) Use a separate partition. I used MDT 2010 to apply a custom image to a second partition on our Win7 clients. The custom image was off-domain and I'd blocked access to the 'main' partition and applied other restrictions using local policy. The end of the custom image deployment task sequence ran bcdedit to give the new partition a distinctive name. A startup script on the school domain made the currently-running OS the default. In other words after installing the custom image all I had to do to make that image non-default was to force a boot into the main partition then a GPO would make sure that that became the default image.
This worked, and performed, well, but then MDT 2012 came along and I can no longer get it to install into a second partition without trashing the main one. I'm sure it can't be that hard to do, playing with the diskpart script, but I gave up.
I tried investigating MDT-created VHDs, but gave up on that one, too.
So, plan 2) Use virtual machines
I built an off-domain image into a VM and tried that. The first discovery was that MS Virtual PC needs virtualisation support, and the systems in the ICT rooms lacked it. OK, let's try VirtualBox. Next problem: not enough memory. OK, added a few gig to each device. This worked for a few weeks until Windows needed to reactivate itself against our KMS server. It failed. My assumption was that it was because the VMs were all cloned. I didn't want to push a newly-sysprepped image out as the students would get lumbered with the OOBE, so that meant trying something else.
3) Push out an empty VirtualBox machine and disk, then perform an MDT build into it. The image is on-domain but disposable, as a VM, and access to almost everything has been blocked by: blocking GPO inheritance; loopback processing and new GPOs where needed. The problems: PXE boot and network access are slow. PXE boot fails when there's even the slightest hint of a load. It took me from 4.30 to midnight to install the VMs in 9 machines. That leaves me 33 to do. Worse, it takes the students forever to log on twice (once into the physical; once into the virtual). In fact it's not usable.
So now I need plan number 4, but don't yet know what it is.
What do (would) you do?