Windows
NoMax, 2013-12-04 18:57:07

Recommendations for setting up a shared PC

Hello,
I have been given the task of setting up public computers for the library's reading room. I could simply set everything up like a regular office client machine, but I want to do everything according to Feng Shui.
It is assumed that the computers will be shared, and this means a bunch of downloaded and created documents, files and other things, gradually turning the computers into a file dump, and also, possibly, a lot of unnecessary extra software: games, agents and other things. In general, it will not turn out very nice.
In theory, I want to do this: Win7, two accounts on the computer (an administrator account and a student account without a password and with limited rights), and the classic logon with a login/password form, so that a second, admin icon on the welcome screen does not make students curious.
In theory, it would be possible to install something like Shadow User or Shadow Defender, programs that return the computer to its original state on each reboot, but I want the antivirus, browser and Flash Player to be updated and these changes to remain.
Again, in theory, it would be possible to disable all automatic updating of the browser and antivirus, but this is not entirely Feng Shui: all of this should be updated and kept up to date. It's clear that with the default defender, if you forget to turn off automatic updates everywhere, the same download will happen every time, and gradually it will grow larger and larger.
A limited account, so that they cannot install or run anything unusual on the computer, and to stop other illegal actions on the PC.
Since the computers are public, there is no need to store in the browser information about previously visited sites, cookies, or mail sessions where someone forgot to click log out; the browser can be set (FF, for example, has exactly this) so that this data is erased when the browser is closed. I will need to look for some FF plugin or other software that will still log, just in case, and save the history of visited pages somewhere separately in the system, so that if needed I can check up on a student: is he playing, or really busy with work.
Of course, after installing and configuring everything, I plan to make an image of the system partition using Acronis, so that if something happens I can restore the image and not bother again with installing and configuring the OS, programs and other things.
In general, that is roughly how I see it. I have not set up computers for such requirements before; maybe I missed something, or something can be done differently altogether. I will be glad to hear your recommendations, comrades.
Maybe there are more tips on user policy: what else should be disabled or prohibited for a user with a limited account?
Thanks in advance for your advice and tips.
P.S. About logging the history of visited pages: I thought some kind of parental control program is probably needed :)


8 answer(s)
Sergey, 2013-12-04
@edinorog

Terminal server + logging in to the system with an electronic student card. =) Whatever applications you want, as well as a complete absence of garbage (except maybe on the floor).

Nikolai Kokoulin, 2013-12-04
@Kokoulin

1. Implementation in one large institute in Moscow:
Two accounts, admin + student. The student user is brought back to its original state once a day. There are many pluses and only one minus: the software is not updated, but this is not a problem at all, since nothing specific is happening on this computer. Once a month, the image to which the system rolls back is updated.
2. Implementation in a small institute in Moscow:
Each student has his own account on the server and is free to do whatever he pleases with it; new students register through the site.

Alexander Kamolov, 2013-12-04
@dintsec

Everything is easier. Since you have 7, turn on parental controls on the machines and bind the controls to the "student" accounts. Select a parental control provider in Microsoft Live Essentials. Download it from the Microsoft website. When installing, uncheck all checkboxes except for parental control. Then, from the admin account, you can block the launch of programs, or certain sites, or limit the allowed time spent at the computer. Yes, you will need a mailbox on outlook.com, which is another perk: you can manage security even from this mailbox. For downloads, use either a folder on each computer or, even more conveniently, one on a separate computer, and prohibit access to the disks entirely in the local policy.

popov, 2013-12-04
@popov

Disable autorun for information security purposes.

nfire, 2013-12-04
@nfire

"Maybe there are more tips on user policy - something else to disable / prohibit a user with a limited account?"
In this case, there should be a policy not of blacklists (this and that is prohibited) but of whitelists (only this and that is allowed).
I use Kerio Control - records who, where and how.
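
The settings recommended in this thread (limited account, autorun disabled, default-deny execution) can be verified on each machine with a read-only script. This is an added example, not part of any poster's answer; the account name `student` and the use of Software Restriction Policies as the whitelist mechanism are assumptions, since the thread names no mechanism.

```powershell
# Added example: read-only audit of a shared reading-room PC (PowerShell 2.0+).
# Assumptions: the limited account is named 'student'; whitelisting is done
# with Software Restriction Policies (SRP).
$StudentAccount = 'student'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$results = @()

# 1. AutoRun disabled for every drive type (policy value 0xFF).
$autorun = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
$results += New-Object PSObject -Property @{
    Check = 'AutoRun disabled on all drives'
    Pass  = ($autorun -eq 0xFF); Found = $autorun }

# 2. Default-deny execution: SRP DefaultLevel 0 = Disallowed, 0x40000 = Unrestricted.
#    A missing value means no SRP policy is configured, which fails the check.
$srp = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' 'DefaultLevel'
$results += New-Object PSObject -Property @{
    Check = 'SRP default level is Disallowed'
    Pass  = ($null -ne $srp -and $srp -eq 0); Found = $srp }

# 3. The student account must not be in the local Administrators group.
#    The group is resolved by its well-known SID so localized names work.
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$groupName = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[1]
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
$results += New-Object PSObject -Property @{
    Check = "'$StudentAccount' is not a local administrator"
    Pass  = ($members -notcontains $StudentAccount); Found = ($members -join ', ') }

$results | Select-Object Check, Pass, Found | Format-Table -AutoSize
```

Run it from the administrator account after restoring the image; any row with `Pass` set to `False` shows a setting that did not survive imaging or was never applied.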

nfire, 2013-12-04
@nfire

Oh yes, the easiest way is to install some kind of Ubuntu. Or even boot from a LiveCD.

rinx, 2013-12-04
@rinx

On the sysadmyns.su forum there is a "Guide to configuring Windows for the most effective protection against viruses" written in blood.
Here is the link. I hope you find it useful.

Andrew, 2013-12-04
@Keyfors

I think a virtual terminal server on Hyper-V (or another virtualization system) is not a bad option. Create a snapshot of the system and roll it back every evening. If you need to update the software: roll back, update, create a snapshot.
