C:\ Drive Permissions etc

[Silvor]

Hey All,

We're having a few problems with our students spending all of their lesson time, browsing through system32, windows etc - looking for little things they can run (like command) to cause problems. They've not found anything yet and they usually end up giving in and playing spider.exe (har...har...ha) - however I'm wondering if any other schools have applied restrictions to the C drive?

We need the students to obviously be able to read/execute - due to some programs from there needing to be run; however we don't actually want them in the C drive, as there is nothing they'll need in there. (List Folder Contents restriction perhaps?)

Does anyone have any ideas/solutions that work and if so can you tell me how you achieved it? We've got ideas ourselves, we're just trying to establish what works best.

I'd appreciate any replies. I have had a search around the forums but couldn't find anything as to what I'm after.

Cheers guys, and hope you are all well!

[DSapseid]

You can set a group policy to hide the C Drive in my computer and also prevent access to it. This will still let them use apps etc but if they try and access it they get an error message.

EDIT:

Are located here

User Config>Admin Templates>Windows Explorer

There is one thats called "hide specified drives" and one called "prevent access to drives" just edit these and set C to be hidden.

[monty]

Yep, group policy will do it for you. You can also use group policy to add in particular permissions. i.e. some programs need to allow students to write to the c: you can set permission to apply just to that folder in
Computer Config>Windows settings>Security settings>file system

[rush_tech]

Yep, group policy will do it for you. You can also use group policy to add in particular permissions. i.e. some programs need to allow students to write to the c: you can set permission to apply just to that folder in
Computer Config>Windows settings>Security settings>file system

Thats how we do it here

[pallen]

Same, no access to C. Actually their only access is home and a public folder. Permissions required by a program are added to the folders on the C drive to allow students to use some software.

[srochford]

Just to stir things, "why bother" :-)

Mike's original post says that they can't do any harm and I think this is important - make sure that permissions are set so that they can't delete ntdll.dll etc but then let them explore. Many will get bored quickly - there's nothing exciting to do - others will get very excited about the "naughty" things they can do and you will know that they're not doing any harm.

If you do lock it down, all that happens is that they'll look for other ways of getting at the C: drive folders (group policy blocks the explorer shell functions from what I remember but I don't think it stops someone writing a simple VB program to explore the drive)

[cookie_monster]

"(group policy blocks the explorer shell functions from what I remember but I don't think it stops someone writing a simple VB program to explore the drive)"

Thats correct you'll find that if you install GIMP it ignores GP and lets you browse the C: drive. I still hide it as it stops most of the kids messing, if the more inteligent kids work out how to then good for them it's all good education. Also sometimes you have to allow certain apps to write to an area within their install dir it makes it much more straight forward for students to find areas like this if they can browse the file system.

To coin a phrase "Security is built in layers".

[vikpaw]

We have lots of issues with the students trying to hack.
We do use group policy quite effectively, but it does end up just moving their attention to other areas, or simply to vandalism.
i'm all in favour of letting them have a go at some games, there are quite a few maths games websites that they like, and conveniently allowing the odd flash game website doesn't harm.
if they are adamant not to work, i'd rather they shot aliens than found all of our network security holes!
and of course, the smartest of the smart hackers, we employ, because it's simply safer to know where they are and what they are doing, than wait until they exploit the latest buffer overrun weakness.