Advanced Windows Security

If you are responsible for setting up student machines for labs, you should maintain some security on these machines. The first line of defense is always a vigilant teacher. Vigilance prevents mouse balls from being stolen and floppy drives from being stuffed with paper. However, despite all vigilance, students can still deliberately or accidentally delete or overwrite important files. If you have Windows NT, 2000, or XP on your machines, you can use many of the restrictions built into these systems to lock files and folders against accidental changes. Unfortunately, many schools will still be using Windows 95, 98, and ME for years to come, and these systems are not so easily secured.

The first line of defense can be implemented by setting up user passwords and user policies. There are many articles on the web about doing this. Some sites are http://www.elkantler.net/security/security.htm , http://www.regedit.com/ , http://www.zisman.ca/poledit/ and http://www.zedex.net/poledit.htm . If you really want a well-written book with in-depth information, I recommend John Woram's book from http://www.woram.com/ . Basically, you can restrict users from doing many things by making the desktop blank and then restricting the user to executing only selected programs on the Start menu. You can also prevent them from making any changes to the desktop or any other system settings. I have created a template file which combines the standard MS template with extra options and an IE template, which you may download as TEMPLATE.ZIP.

Unfortunately, even though you may have locked up most programs, the remaining ones can still pose some security hazards. Any program that can save data may be used to overwrite or delete important files. By right-clicking on items in a Save or Open dialog, users can do things that you do not wish them to do. This problem can be alleviated by implementing a sandbox module which restricts the type of access that users can have. The Aladdin eSafe Desktop is one that I have experimented with, and it appears to do the job very well and seems to be very bug free. eSafe is actually designed for protection against Internet threats, but it can also be used to lock up resources on a user-by-user basis. Another one is Security Department, available at http://www.mybestsoft.com/ . I have not worked with it much, but it looks like it could also be used to restrict users adequately. Also at mybestsoft you can get programs that allow you to restrict users in much the same fashion that the policy editor does. One such program allows you to restrict Internet Explorer so students cannot do downloads, access files on hard drives, or even change settings at all. Many of these other features can be implemented by editing the registry keys. The registry editing may be too difficult, so the commercially available product may be useful. There are other security products available, but I have not looked at them in any depth.

A combination of setting up registry policies and using eSafe may give you pretty good security. Many of the registry settings can be made by using Poledit. This is a separate product on the MS Windows installation disk. Using it, you can have different settings for each user. Unfortunately, under Win 9x it is possible to log in without a password by clicking on the Cancel button. This logs you into the default account. You must make settings there separately from the other accounts. Before you do this, make sure you have an administrator account. Then log on to the default account. Set up maximum security with access to no programs other than simple things like the calculator, and then, using Poledit, make the security settings you need. You can also do this by making a registry editing file. A sample is available as RESTRICT. Copy the text from the restrict page and paste it into a text file. Rename the text file to restrict.reg. You can then click on it while in the default account to restrict users to minimal capability. The restrictions in this file prevent users from making any changes to settings. In addition, it restricts many options in Internet Explorer. The names are generally good clues as to what each setting does, or you can look at Registry Keys for a simple explanation. Much more detail is available at the above-mentioned sites.
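
To show what such a registry editing file looks like, here is a short added example; it is not the RESTRICT file offered on this page. It uses standard Win 9x policy values under HKEY_CURRENT_USER, and the single allowed program (calc.exe) is an assumption chosen to match the calculator mentioned above.

```reg
REGEDIT4

; Constructed example for the Win 9x default (Cancel logon) account.
; Merge it while logged on to that account: the values below are
; written to HKEY_CURRENT_USER, so they affect only the current user.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
; Hide all icons on the desktop
"NoDesktop"=dword:00000001
; Remove Run from the Start menu
"NoRun"=dword:00000001
; Remove Find from the Start menu
"NoFind"=dword:00000001
; Remove Control Panel and Printers from Start > Settings
"NoSetFolders"=dword:00000001
; Remove Taskbar from Start > Settings
"NoSetTaskbar"=dword:00000001
; Do not save changes to the desktop layout on exit
"NoSaveSettings"=dword:00000001
; Allow only the programs listed under the RestrictRun key below
"RestrictRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
; Assumed allow list: the calculator only
"1"="calc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
; Hide the Display control panel
"NoDispCPL"=dword:00000001
```

Because RestrictRun blocks every program that is not on its list, regedit.exe and poledit.exe are blocked in that account as well, so try the file on one machine before rolling it out to a lab.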

You may wish to use the MS Family Logon to restrict users to specific accounts. This is a standard feature in Win 98 and ME. You can install it as a network service. It is not generally available in Win 95, but it comes with Internet Explorer 4. Later versions of IE do not include it. You will also want to install the Active Desktop features, but run the user desktop in classic mode. This gives you more capability for turning off unwanted controls.
