I am aware that a user should be assigned to relevant user groups like 'Authenticated Users' and so on. However, we have some legacy vendor applications that require administrative rights. For selected desktops, we installed the Device Lock software to prevent user access to removable devices like the floppy drive. The problem is that a user belonging to the administrative group can stop the service locking the removable device and even install the Device Lock Manager to deactivate the device locking.
So far, I think the possible solutions to this problem are:
- Provide a limited user desktop by using system policy (WinNT) and LGPO (Win2000).
- Only allow icons to run apps.
- Restrict START/RUN.
- Disable the Command prompt.
- Disable File/Windows Explorer.
- Limit the Control Panel with no access to 'services'.
Is there anything else I can do to prevent the users from deactivating the Device Lock features?
In general, Administrators on the box "own" the box, and can do, well -- anything. To that end, why not pop these users into the Power Users group instead? Many, many legacy applications will run properly for users contained within Power Users. Give that a shot -- before going through all the hoops you've laid out.