Single application mode

Introduction

To restrict access in Windows

How to restrict unauthorized access to certain files and folders in the UNICORN application was described in Access security. Still, users can access these files and folders through the Windows Explorer unless Windows is configured to prevent this.

  • This is the reason for using single application mode, which restricts access in Windows.

Definition

Single application mode means that UNICORN is the only application available when it is running. The user cannot open or switch to other programs.

Single application mode on computer level

Single application mode is normally set through the Options dialog box in the UNICORN Manager module, see The Options dialog box. The setting is then valid for the computer and will apply to everyone who starts UNICORN on the specific computer.

Single application mode on user level

Single application mode can also be applied to individual users instead of computers.

This section describes how to configure Windows to start in single application mode for individual users. This means that instructions will have to repeated for each user the mode should apply to.

The instructions in this section

You need to carry out several of the instructions in this section to configure single application mode on the user level. Which instructions to use depends on the operating system of the workstation.

Windows 2000 workstations

You must carry out the following instructions on a Windows 2000 workstation:

  • Install the System Policy Editor

  • Windows 2000: Folder administration

  • Edit the system policy

  • Windows 2000: Restrict access in Windows Explorer

  • Windows 2000: Exclude administrator from policy changes

Windows XP workstations

You must carry out the following instructions on a Windows XP workstation:

  • Install the System Policy Editor

  • Windows XP: Folder administration

  • Edit the system policy

Install the System Policy Editor

The table below describes how install the Windows System Policy Editor on a Windows workstation.

Step

Action

1

Insert the installation CD supplied with Windows 2000 Server containing the Policy Editor files.

2

  • Open Windows Explorer.

  • Create a folder in the root directory of the installation drive (directly under C:\ if C: is the installation drive). The name of the folder is not important.

  • Copy the files Poledit.exe and Poledit.chm from the CD to the folder you created.

3

Open the folder and double-click Poledit.exe.

Result: A message is probably displayed saying that files are missing. Write down the names of these files.

Note: The missing files are usually winnt.adm and common.adm.

4

Copy the missing files from the CD to the folder where Poledit.exe is located.

Result: Now the System Policy Editor should start when you double-click Poledit.exe.

Windows 2000: Folder administration

The table below describes some necessary folder and file administration on a Windows 2000 workstation.

Step

Action

1

Log on to the workstation as a user that will run UNICORN and whose access you want to restrict.

Note: This user must have Windows administrator rights.

2

  • Open Windows Explorer.

  • Create a folder called Programs in the UNICORN folder. The path will be C:\UNICORN\Programs, if C: is the directory where the UNICORN application is installed

3

Place shortcuts to the files listed below in the \UNICORN\Programs folder:

  • \UNICORN\Bin\UNICORN.exe

  • The manuals that will be used, located in \UNICORN\Manuals\ and \UNICORN\HtmlManual\.

  • Poledit.exe and Poledit.chm located in the folder that was created in Install the System Policy Editor above.

    Note: The Poledit.exe and Poledit.chm shortcuts should be removed when all the instructions in this section have been performed.

4

  • Place a shortcut to \UNICORN\Bin\UNICORN.exe in the folder \Documents and Settings\<user>\Start Menu\Programs\Startup.

    Note: <user> is the identity you used to log on in step 1.

  • Remove the contents in the folder \Documents and Settings\<user>\Recent.

  • Log off and log on as the same user as in step 1.

  • Delete the folder \Documents and Settings\<user>\My Documents.

    Note: <user> is the identity you used to log on in step 1.

  • Remove the shortcut to Windows Explorer located in the folder \Documents and Settings\<user>\Start Menu\Programs\Accessories.

  • Log off.

Windows XP: Folder administration

The table below describes some necessary folder and file administration on a Windows XP workstation.

Step

Action

1

Log on to the workstation as a user that will run UNICORN and whose access you want to restrict.

Note: This user must have Windows administrator rights.

2

  • Open Windows Explorer.

  • Create a folder called Programs in the UNICORN folder. The path will be C:\UNICORN\Programs, if C: is the directory where the UNICORN application is installed.

3

Place shortcuts to the files listed below in the \UNICORN\Programs folder:

  • \UNICORN\Bin\UNICORN.exe

  • The manuals that will be used, located in \UNICORN\Manuals\ and \UNICORN\HtmlManual\.

  • Poledit.exe and Poledit.chm located in the folder that was created in Install the System Policy Editor above.

    Note: The Poledit.exe and Poledit.chm shortcuts should be removed when all the instructions in this section have been performed.

4

  • Place a shortcut to \UNICORN\Bin\UNICORN.exe in the folder \Documents and Settings\<user>\Start Menu\Programs\Startup.

    Note: <user> is the identity you used to log on in step 1.

  • Right-click the Windows Start-button and select Properties.

  • Click the Start Menu tab, select the Start Menu radio button and click the Customize... button.

  • Click the Advanced tab in the Customize Start Menu dialog box.

  • In the Start menu items field, select the option Don’t display this item for the following items:

    Control Panel

    My Computer

    My Documents

    My Music

    My Pictures

  • In the same field, uncheck the following items:

    Run command

    Search

  • In the Recent documents field, uncheck the box List my most recently opened documents.

  • Log off and log on as the same user as in step 1.

5

  • Delete the folder \Documents and Settings\<user>\<user>’s Documents.

    Note: <user> is the identity you used to log on in step 1.

  • Remove the shortcuts to

    Windows Explorer

    Command Prompt

    Tour Windows XP

    usually located in the folder \Documents and Settings\<user>\Start Menu\Programs\Accessories.

  • Click OK and then OK again.

  • Click Start:Control Panel and double-click Network Connections.

  • Right-click Local Area Connection and select Properties.

  • Click the General tab and uncheck Show icon in notification area when connected.

  • Click OK and close the Network Connections window.

  • Log off.

Edit the system policy

The table below describes how to edit the system policy with the System Policy Editor:

Step

Action

1

  • Log on to the workstation as the user that will run UNICORN and whose access you want to restrict (the same user as in the instructions above).

Note: The user must have Windows administrator rights, otherwise the System Policy Editor will not be able to save the settings.

  • Double-click the shortcut \UNICORN\Programs\Poledit.

Result: The System Policy Editor is started.

2

  • Choose File:Open Registry.

  • Double-click the Local User icon.

3

Expand the Shell:Restrictions item by clicking the plus signs.

Select these options:

  • Remove Run command from Start menu

  • Remove folders from Settings on Start menu

  • Remove Taskbar from Settings on Start menu

  • Remove Find command from Start menu

  • Hide all items on desktop

Make sure all the other options are deselected.

4

Expand the Windows NT Shell:Custom folders item by clicking the plus signs.

Select these options:

  • Custom Programs folder

  • Hide Start menu subfolders

  • Custom Startup folder

Make sure all the other options are deselected.

5

Expand the Restrictions item by clicking the plus sign.

Select these options:

  • Remove View->Options menu from Explorer

  • Remove Tools->GoTo menu from Explorer

  • Remove File menu from Explorer

  • Remove common programs groups from Start menu

  • Disable context menus for the taskbar

  • Disable Explorer's default context menu

Make sure all the other options are deselected.

6

Expand the Windows NT System item by clicking the plus sign.

Select these options:

  • Parse Autoexec.bat

  • Disable Task Manager

Make sure all the other options are deselected.

7

  • Click OK.

  • Choose File:Save.

  • Close the System Policy Editor

8

Log off.

Windows 2000: Restrict access in Windows Explorer

When you have edited the system policy as described above, the user can still access Windows Explorer in Windows 2000 workstations. This can be achieved by clicking the Windows Start button and right-clicking on Programs.

  • Therefore you must restrict access to the drives in Windows Explorer.

Note: You do not have to perform this in Windows XP.

The table below describes how to do this.

Step

Action

1

Log on to the computer as an administrator.

Note: This can be any user with Windows administrator rights.

2

Open your local security policy:

  • Click Start:Run and then type gpedit.msc.

Result: The Group Policy window in displayed.

3

  • In the tree view, select the folder User Configuration > Administrative Templates > Windows Components > Windows Explorer.

  • In the right window pane, double-click the setting Prevent access to drives in My Computer.

  • Click the Policy tab.

  • Click the Enable radio button.

  • Click the Apply button and then OK.

4

Close the Group Policy window and log off from the computer.

5

  • Log on to the computer as an administrator

  • Verify that access to all the drives is restricted.

Note: The procedure above for group policy changes by default apply to all users, including administrators. See Windows 2000: Exclude administrator from policy changes on how to exclude real administrators from being affected by the group policy changes.

6

  • Log off from the computer

  • Log on to the computer as a user whose policies you want to restrict.

  • Verify that the restrictions are in place, for example that the user is unable to access to any drives.

Windows 2000: Exclude administrator from policy changes

When you have restricted the access in Windows Explorer as described above, these restrictions will apply even to the real administrator of the computer. Therefore you must exclude the real administrator from those policy changes.

Note: You do not have to perform this in Windows XP.

The table below describes how to do this.

Step

Action

1

Log on to the computer as a real administrator who you want to exclude from being affected by the policy changes performed above.

2

Copy the file C:\WINNT\System32\GroupPolicy\<user>\Registry.pol to a backup location. Since access restrictions are in place, you can do it like this:

  • Open the Windows Command Prompt.

  • In the Command Prompt window, type copy c:\winnt\system32\grouppolicy\user\registry.pol a: to copy the file to a floppy disk.

Note: <user> is the identity you used to log on in step 1.

3

Open the local security policy:

  • Click Start:Run and then type gpedit.msc.

Result: The Group Policy window in displayed.

4

  • In the tree view, select the folder User Configuration > Administrative Templates > Windows Components > Windows Explorer.

  • In the right window pane, double-click the setting Prevent access to drives in My Computer.

  • Click the Policy tab.

  • Click the Disable radio button.

  • Click the Apply button and then OK.

5

  • Close the Group Policy window

  • Copy the backup Registry.pol file, created in step 2, back to the folder C:\WINNT\System32\GroupPolicy\<user>\.

    Since access restrictions are in place, you can do it like this:

    Open the Windows Command Prompt window.

    Type copy a:registry.pol c:winnt\system32\grouppolicy\user to copy the file from a floppy disk.

  • When prompted to replace the existing file, click Yes.

6

  • Log off from the computer

  • Log on to the computer again as the same administrator.

  • Verify that the restrictions no longer apply to the administrator.

7

  • Log off from the computer

  • Log on to the computer as another user whose access should be restricted.

  • Verify that the restrictions apply to the user.

How to restore the local policies

The table below describes how to undo the local policy changes previously described.

Step

Action

1

Log on to the computer as a real administrator.

2

  • Delete the file Registry.pol from the folder

    C:\WINNT\System32\GroupPolicy\<user> in Windows 2000

    or

    C:\WINDOWS\System32\GroupPolicy\<user> in Windows XP

    Note: <user> is the identity you used to log on in step 1.

  • Log off from or restart the computer.

    Result: Another default Registry.pol file is created by the Windows File Protection system.

  • Log on to the computer again with the same identity.

3

Open your local security policy:

  • Click Start:Run and then type gpedit.msc.

    Result: The Group Policy window in displayed.

4

  • In the tree view, select the folder User Configuration > Administrative Templates > Windows Components > Windows Explorer.

  • In the right window pane, double-click the setting Prevent access to drives in My Computer.

  • Click the Policy tab.

  • Click the Not configured radio button.

  • Click the Apply button and then OK.

5

  • Close the Group Policy window

  • Log off from the computer.

6

  • Log on to the computer as the same administrator.

  • Log off from the computer

7

Repeat steps 1 to 5 for each of the users of the local computer, one at a time, in order to restore the local policies on their accounts as well.

Note: Make sure to log on as a user in step 1 and 2.

2005-06-15