How to prevent users from browsing folder contents in WINDOWS & other folders?
I have created a Windows 7 x64 image for shared internet (IE8) PCs in public facilities. I have locked down the OS using local policy to prevent tampering. However, if a user opens a document (.pdf opens in Reader, for example), they have the option to "save as" in Acrobat Reader, which opens a dialog box exposing the file system. I have found and enabled the following IE restrictions under HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions: NoBrowserSaveAs NoFileNew NoFileOpen NoFindFiles NoSelectDownloadDir NoPrinting These work great for IE8, but have no effect on apps like Acrobat Reader. What is the best way for me to remove access to the file system so that users cannot browse the WINDOWS or SYSTEM32 (or other) folders? I have tried limiting rights under folder properties for USERS, but when I try to take away "List Folder" or "Traverse Folder" rights from USERS, Windows throws a series of error saying, "access denied" for every file and folder in the WINDOWS folder (even if I select "this folder only"). How can I prevent users from viewing the folder contents? Thanks, Jan
April 27th, 2011 9:03am

Janet, pretty sure this is in the wrong forum section. Wait a bit and an admin will move it for you or copy your post text and mark this one solved and create a new entry in an operating system managment forum.Anything worth doing is worth doing right.
Free Windows Admin Tool Kit Click here and download it now
April 27th, 2011 9:08am

I would have posted this in a Windows forum, but I am looking for a solution that I can apply in a task sequence rather than a manual walkthrough. Thanks, Jan
April 27th, 2011 9:44am

Well, I would concentrate on finding the fix before figuring out how to deploy it. This is the "how to deploy it" section. Not to be rude, but you probably aren't going to get much mileage out of posting here for something like this. I don't ask my car mechanic how to make wine. Just not his thing. Your call though...Anything worth doing is worth doing right.
Free Windows Admin Tool Kit Click here and download it now
April 27th, 2011 9:47am

Is this a kiosk type installation? Are the users local admins?Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
April 27th, 2011 10:19pm

many user-context processes need access to find/read/execute files in "system" folders. deny that and you'll get busted stuff in the wierdest places :( if you deny folders, you'll need to allow a heap of files. a lot of work. e.g. notepad.exe resides in c:\windows have you seen this item (faint glimmer of hope):http://windowsteamblog.com/windows/b/springboard/archive/2010/09/27/steady-state-for-windows-7.aspxDon
Free Windows Admin Tool Kit Click here and download it now
April 28th, 2011 4:54am

many user-context processes need access to find/read/execute files in "system" folders. deny that and you'll get busted stuff in the wierdest places :( if you deny folders, you'll need to allow a heap of files. a lot of work. e.g. notepad.exe resides in c:\windows have you seen this item (faint glimmer of hope):http://windowsteamblog.com/windows/b/springboard/archive/2010/09/27/steady-state-for-windows-7.aspxDon
April 28th, 2011 11:51am

many user-context processes need access to find/read/execute files in "system" folders. deny that and you'll get busted stuff in the wierdest places :( if you deny folders, you'll need to allow a heap of files. a lot of work. e.g. notepad.exe resides in c:\windows have you seen this item (faint glimmer of hope):http://windowsteamblog.com/windows/b/springboard/archive/2010/09/27/steady-state-for-windows-7.aspxDon
Free Windows Admin Tool Kit Click here and download it now
April 28th, 2011 11:51am

Thanks Jason and Tesgroup for your replies. Jason, yes, this is essentially a kiosk-type computer. The users are not local admins but they do have elevated rights on certain folders and I'd like to prevent them from being able to browse the file system in any capacity. Testgroup, I've been doing some testing with limiting specific rights in system folders and it's definitely not going to work for me. I hadn't heard of steady-state. I appreciate the link, I'll look into it further but it looks like they aren't going to make this tool for Win7 unfortunately. The whitepapers may be helpful though... Regards, Jan
April 28th, 2011 6:54pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics