GPO To Prevent Windows 7 Users From Saving Files Anywhere On PC?

I'm trying to set up some laptops with very limited access. All the user needs to be able to do is log in, join wifi, launch a VPN client and use remote desktop to access a remote machine. Nothing else is to be done on these computers. We will also have a locked down IE available so they can verify Internet connectivity and join wifi networks that require registration via a browser.

I have set up a group policy to restrict access to the C drive. It is successfully preventing the users from saving to the desktop and downloads folder, but they can still save to the local Documents folder as if there was no restriction.

What else needs to be done to block saving files everywhere including the Documents folder?

I would prefer that the Documents folder and Windows Explorer icon shown on the task bar are not even displayed. I didn't see an option to hide those in the policy settings.

I have hidden most items from the user's desktop profile, but Explorer still shows and displays their documents folder even though the network and local disk drive are not displayed.

August 30th, 2013 3:53am

You cannot disable write access to the user profile - that will prevent the user from logging on. And since you cannot do so, the user will be able to save some files to some folders. Better review your requirement... It sounds not reasonable.

Education is always the better solution than restriction.

Hint: You can establish a GPO that prevents IE from downloading... http://gpsearch.azurewebsites.net/#744

This has to be configured for each zone separately. But be aware that this only affects IE, not Firefox/Chrome. To prevent these from running, you need to enable AppLocker or Software Restriction Policies and use whitelisting (disallow all but required applications).

August 30th, 2013 10:06am

Hi,

Firstly, what is the reason for locking down all these features?

Secondly, you can achieve this by using mandatory user profiles. With mandatory user profiles, a user can modify his or her desktop, but the changes are not saved when the user logs off. The next time the user logs on, the mandatory user profile created by the administrator is downloaded. So in this case, the users are virtually not saving anything.

Regards

MassonTech

August 30th, 2013 1:19pm

The reason is because we have a policy on these laptops that users are not to save any files or documents on them. These loaner laptops are not assigned to them as their personal laptops and are to be somewhat like portable VPN/RDP "kiosks". They have desktop PCs at their desks that they are allowed to save files on. These laptops are shared systems that they only borrow for the purpose of occasionally accessing their desktops when they need to temporarily work from out of the office. People who need to frequently work from out of the office will be assigned their own laptops that they can save files on and are encrypted.

The users who borrow these shared laptops will be educated to not save files locally, but some will just forget, ignore this instruction for convenience or even simply get confused as to what is the local desktop and what is their remote desktop when using RDP.

I do not need them to not have write access in their profile at all to the point that they cannot log in or log off, but there is no reason for them to even "see" a document folder in their profile on the shared laptop. I would like to hide the Documents folder icon from their profile UI (just like most everything else has been hidden except for the specific items they need to use) and prevent them writing to Documents just as I have set a GPO to prevent saving files to the desktop.

It will be less confusing to them to not even have the option to save documents in places where they are not supposed to save files and then perhaps forget to delete the files that may contain confidential data. This would just add more complexity and an encryption requirement if there is any possibility to save documents onto the hard disks. Simply telling users "Do not save files on the laptop. Only save inside the remote PC" is not adequate.

A mandatory user profile that makes it appear as if they have saved documents on the local hard drive, but then erases the files after they log off will confuse them and cause them to lose files they were working on.

There must be a way to not display the Documents folder. Maybe redirecting the Documents folder and disabling offline caching is a possibility, but I would rather that they simply do not see a Documents folder at all on these laptops and work exclusively inside the remote desktop window after connecting to VPN.

I am sure I have seen Windows 7 kiosks that hide everything from a user except one full screen app. We are not going that far, but we need the users to just have access to 3 apps (remote desktop, VPN software and IE) plus the ability to join wireless networks, log out and shut down the laptop.



  • Edited by MyGposts Friday, August 30, 2013 11:05 AM
August 30th, 2013 1:56pm

Hi,

You could use Icacls.exe to modify users' permissions and logon scripts to restrict users from saving anything on the Desktop.

There is a similar thread, please also go through it to help troubleshoot this issue:

Windows 7 GPO Preventing users to save files in the desktop

http://social.technet.microsoft.com/Forums/en-US/1f321083-3f0c-4462-9a6c-119491227ca0/windows-7-gpo-preventing-users-to-save-files-in-the-desktop

In addition, you can use folder redirection to redirect My Documents to the home directory.

For more information about folder redirection, you could refer to the article below:

Folder Redirection Overview

http://technet.microsoft.com/en-us/library/cc732275.aspx

Regards,

September 3rd, 2013 1:17pm
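
The Icacls.exe and logon script approach suggested in the reply above could look like the following. This is an added example, not part of the original thread; it extends the idea from the Desktop to the Documents folder, and the function name `Deny-LocalSave` is hypothetical. It assumes the script runs in the user's own context at logon and that the folders are local (no folder redirection).

```powershell
# Logon-script sketch (added example): deny file and folder creation in the
# user's own Desktop and Documents folders with icacls, then confirm that the
# deny ACE is effective by attempting a write.
# Assumptions: runs as the logged-on user, who owns these folders; the
# folders are on the local disk, not redirected to a share.

function Deny-LocalSave {
    param([string[]]$Folders, [string]$Account)

    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }

        # (OI)(CI) = inherit to files and subfolders
        # WD = write data / add file, AD = append data / add subfolder
        & icacls.exe $folder /deny "${Account}:(OI)(CI)(WD,AD)" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "icacls failed on $folder (exit code $LASTEXITCODE)"
            continue
        }

        # Verify: creating a file must now fail.
        $probe = Join-Path $folder ('probe-{0}.tmp' -f [guid]::NewGuid())
        try {
            [System.IO.File]::WriteAllText($probe, 'test')
            Remove-Item -LiteralPath $probe -Force
            Write-Warning "Write still succeeded in $folder"
        } catch {
            Write-Output "Write blocked in $folder"
        }
    }
}

$account = "$env:USERDOMAIN\$env:USERNAME"
$folders = @(
    [Environment]::GetFolderPath('DesktopDirectory'),
    [Environment]::GetFolderPath('MyDocuments')
)
Deny-LocalSave -Folders $folders -Account $account
```

Because the user owns these folders, they can remove the deny entry again, so this guards against accidental local saves rather than against a user who deliberately works around it. The rest of the profile stays writable, which logon requires.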

In addition, you can use the folder redirection to hide the Document in Windows 7 from the users.
Please enlighten me - how can I leverage folder redirection to hide the Documents folder?
September 3rd, 2013 1:40pm

How to block users from saving certain files like AVI, MP3, ... to their computers by GPO?

Preventing the users from saving media files to the desktop and downloads folder and drives like C, D, ...

Is it possible?

January 14th, 2014 3:16am

This topic is archived. No further replies will be accepted.
