We have used deepfreeze, steady state, and cleanslate in the past. Deepfreeze is expensive, steady state doesn't work with 7, and cleanslate simply breaks on a lot of computers.
I have been looking at a solution for our lab computers. I was looking at steadierstate (Steadier State), but setup looked complicated, I have images built with Pro, and it requires Enterprise edition (which, at least the version in my volume licensing, doesn't have dvdmaker media player). I also looked at putting the Windows write filter for embedded Windows in Windows 7 Pro (EWF on Windows 7 32-bit or 64-bit (Enhanced Write Filter)), but it is apparently buggy. I also looked at deploying Windows Thin PC for labs because it has the write filter built in, but we found it lacked features we needed; although you can install pretty much anything on it (like Office), it had some .NET issues.
The latest thing I have been looking at is mandatory profiles, which are more meant to be hosted on a server and pulled down. You are supposed to have all the Microsofty goodness to use something like this (Windows Server/AD) and we run Samba, plus I just want each computer to function independently without outside reliance. You can use these locally (Creating a Mandatory User Profile). This would sort of combine with Microsoft's promise that now you don't need to run an admin user to use Windows (we will see). Mandatory profiles use a base profile to set up users where all changes to the profile are reverted, which, when combined with the fact that the user is a guest, should make for a pretty secure machine that a non computer science major can't trash before another re-imaging cycle comes around. The problem with mandatory profiles is that the base profile must be copied with full permissions for Everyone, which means that once the intended locked-down user logs in they can happily go to the mandatory base profile and start deleting things and adding things that will screw up the whole sync association. What I have found out after two days of looking at permissions is that the files do not need write access to work as a base profile; they just need read access. It is only the registry entries inside the ntuser.dat (changed to ntuser.man with mandatory profiles) that need full Everyone permissions, so that when the user logs in and Windows propagates the ntuser.man from the mandatory profile base to the user profile's ntuser.man the user can then make changes to settings. What I also discovered is that if you set read-only permissions on the ntuser.man then a guest user that is logged in cannot go and load the hive and make any changes.
I have been developing a single-click script that I will implement after I have sysprepped my machine with copyprofile=true (so that it carries over a lot of the settings that are set up with administrator). After my image is deployed and sysprep and driverpacks finish, my setup automatically logs me in as administrator once to finish any additional setup. This is when I would run the script, which sets up the mandatory profile, renames ntuser.dat to ntuser.man, changes the permissions to be more secure (need elaboration), creates a guest user that is mapped to the mandatory profile, and sets up that user to autologin on the next reboot. Here is the script so far. I hope to get some feedback and document this a little as I test it out myself. If anyone sees any glaring holes in my idea, let me know.
The script is made with AutoIt v3; it needs to be compiled to run as an exe on a system that doesn't have AutoIt installed. My to-do is to get it to a point where I might be able to distribute the compiled .exe and maybe add some user input to ask for the user account name. The code executes one line at a time; there is no logic. The first portion just automates a Windows GUI with keypresses.
Getting the permissions right has been the hardest part. I tried to set up an independent directory that didn't inherit permissions from users/, but that didn't work any way I rolled it. There seem to be some inconsistencies with what icacls does and what Windows does with permissions, or I am just missing something. For example, these permissions work and are what is created by the first step:
; Wait for the user picker dialog opened by the GUI automation steps
WinWaitActive("Select User or Group")
; Delete ntuser.dat from the mandatory base profile
FileDelete ( "C:\Users\mandatory.v2\ntuser.dat" )
; Remove the explicit ACEs for Everyone, SYSTEM and Administrators on the base profile
runwait( @COMspec & " /c icacls C:\Users\mandatory.v2 /remove everyone system administrators","",@SW_HIDE)
; Create the lab account mapped to the mandatory profile, then move it from Users to Guests
runwait( @COMspec & " /c net user gclab /profilepath:C:\Users\mandatory /passwordchg:no /passwordreq:no /add","",@SW_HIDE)
runwait( @COMspec & " /c net localgroup users gclab /delete","",@SW_HIDE)
runwait( @COMspec & " /c net localgroup guests gclab /add","",@SW_HIDE)
; Configure autologon for the lab account on the next reboot
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "DefaultUserName", "REG_SZ", "GClab")
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "DefaultPassword", "REG_SZ", "")
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "AutoAdminLogon", "REG_SZ", "1")
c:\users\mandatory.v2 NT AUTHORITY\SYSTEM:(F)
c:\users\mandatory.v2\AppData NT AUTHORITY\SYSTEM:(I)(F)
But when trying to copy them with icacls, this is the closest I could get, which should work as it grants all the same permissions, but it doesn't.
This is after running:
icacls C:\Users\mandatory.v2 /inheritance:r
icacls C:\Users\mandatory.v2 /remove everyone
icacls C:\Users\mandatory.v2 /grant everyone:(RX)
icacls C:\Users\mandatory.v2 /grant everyone:(OI)(CI)(IO)(RX)
What I ended up doing was noticing the fact that the users directory has RX permissions just for the directory that don't propagate to the individual user profiles, so I just removed the permissions on the mandatory.v2 profile:
icacls C:\Users\mandatory.v2 /remove everyone system administrators /c /q
And it works. This might not be the case for different setups; I might have borked the permissions on users/ by playing so much with icacls.
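An added example, not part of the original post: a small Python check that parses the output of `icacls <path>` for the mandatory base profile and reports any principal other than SYSTEM or Administrators holding a write-capable right. The trusted list, the English principal names and both sample outputs are assumptions constructed for illustration.

```python
import re

# icacls rights letters that allow changing or deleting content or its ACL.
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "DC", "WD", "AD", "WA", "WEA",
                "WDAC", "WO", "GW", "GA"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Assumption: only these principals may hold write access to the base profile.
TRUSTED = {"nt authority\\system", "builtin\\administrators"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([A-Za-z,]+\))+)$")

def parse_icacls(output, path):
    """Return (principal, flags, rights) tuples from `icacls <path>` output."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first ACE shares a line with the path
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        groups = re.findall(r"\(([A-Za-z,]+)\)", m.group("groups"))
        flags = {g for g in groups if g in INHERIT_FLAGS or g == "DENY"}
        rights = {r.upper() for g in groups if g not in flags for r in g.split(",")}
        aces.append((m.group("who"), flags, rights))
    return aces

def risky_aces(output, path):
    """Allow ACEs that let a non-trusted principal modify the profile at `path`."""
    findings = []
    for who, flags, rights in parse_icacls(output, path):
        if "DENY" in flags or who.lower() in TRUSTED:
            continue
        hit = rights & WRITE_RIGHTS
        if hit:
            findings.append((who, sorted(hit)))
    return findings

PATH = r"C:\Users\mandatory.v2"
# Constructed sample outputs: a read-only base profile and one left open to Everyone.
LOCKED = r"""C:\Users\mandatory.v2 NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                      BUILTIN\Administrators:(OI)(CI)(F)
                      Everyone:(RX)
                      Everyone:(OI)(CI)(IO)(RX)"""
OPEN = r"""C:\Users\mandatory.v2 Everyone:(OI)(CI)(F)
                      BUILTIN\Administrators:(OI)(CI)(F)"""

if __name__ == "__main__":
    for name, out in (("locked", LOCKED), ("open", OPEN)):
        print(name, risky_aces(out, PATH))
```

Run it against the real output of `icacls C:\Users\mandatory.v2` and of the same command on ntuser.man after the script finishes; an empty list means only the trusted principals can change the base profile.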