Create Secure User Profiles with Windows 95's Policy Editor

Publicly accessible computers, such as those in schools, require a significant degree of security to prevent abuse. The Windows 95 CD-ROM provides the tool you need to implement restrictive policies on such machines in the form of the Policy Editor (POLEDIT) application. Unfortunately, the Windows 95 Resource Kit doesn't tell you how to use POLEDIT for standalone computers, so I developed a method of my own:

Do note that each attempt by a user to log on with a new name will create a folder below C:\WINDOWS\PROFILES containing a copy of USER.DAT. You'll want to periodically delete all such folders except User, Administrator, and dummy.

If the MAXIMUM.POL and STANDARD.POL files mentioned here are not on your hard disk, look in the folder \ADMIN\RESKIT\SAMPLES\POLICIES on the Windows 95 CD-ROM. For help on the meaning of various policy restrictions, launch WIN95RK.HLP in the \Admin\Reskit\Helpfile folder.

More on the Windows 95 System Policy Editor

PC MAGAZINE: The July 1996 User-to-User column included a long discussion on using the Windows 95 System Policy Editor (Poledit.exe) to lock out unauthorized users and to control the access of authorized users. The Windows 95 CD-ROM contains Poledit.exe itself, as well as the example files Standard.pol and Maximum.pol; the technique described in the discussion relies on these example files. If you loaded Windows 95 from disks rather than from a CD-ROM, you can download PolEdit from www.microsoft.com or from the CompuServe MSWIN Forum. A number of readers, however, have pointed out that if you download the online version of PolEdit, you don't get the example policy files Maximum.pol and Standard.pol. Here's how you can create these files for yourself.

Start the System Policy Editor and choose New File from the File menu; icons will appear representing the Default User and Default Computer. Double-click on the Default User icon to edit the properties for Default User, then press the Shift and asterisk keys together to completely open the policy tree. Note that this keystroke works only with the asterisk key located on the numeric keypad. If your system doesn't have a separate asterisk key, you'll have to open every branch of the policy tree manually. Simply go down the list clicking on every boxed plus-sign until all branches are open.

Initially all of the policy check boxes will be grayed, and most of them can stay that way. You need to put a check in the specific boxes listed below and, in some cases, supply additional information in the lower panel of the Properties dialog.

Click OK to close the Properties dialog, then double-click on the Default Computer icon. Again, expand the policy tree completely either by pressing the Shift and asterisk keys together or by clicking on every boxed plus-sign icon. As before, all of the check boxes will be grayed to start with; you need to put a check by the following items:

Save the result as Standard.pol. Now choose Save As from the File menu and save it again as Maximum.pol. Maximum.pol is a more restrictive policy, so you must check a number of additional boxes. In the Default Computer properties, check:

In the Default User properties, check:

Save Maximum.pol. Now you have the files referenced in the earlier article, and you can build your own security system using System Policy Editor.

--Neil J. Rubenking