Hi,

In my office 6 different Computers SCADA software installed on 2000 Pro and XP, and i want to disable all its USB Port for Mass Storage Devices, Regedit (Registry Editor), Command Prompt, Floppy Drive, CD/DVD-ROMs and other critical media which are common for entering Virus on computer. I have an administrator password, and i want to make a normal guest for normal operations that should not have any access to these items, and when we need to use one of these item, we have to login from administrator password.

As we had faced a lot of trouble from a virus came from a USB Memory stick, which disable installation of any antivirus/malware remover software........ and these systems are critical and does't have any access to upgrade it's antivirus.

Can anyone help me?

thanks,
masterleous

A simple tweak can be done with TweakUI (http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx) to hide all drive letters except for the system/boot or other specified drive letter. It's not majorly secure but very easy to setup. To quickly get access, to say the G: drive, you would then just enter G: into the address bar - so you can easily see that this is not secure against the technically knowledgeable and would not be protection against bootsector viruses - don't know about flash memory drive viruses though but I think they usually work from an autorun feature which I think would be disabled if no drive letter accessible.

Maybe http://www.exefind.com/1st-disk-drive-protector-P27747.html or similar:

http://www.softstack.com/

One way to combat those type of viruses is to use something like ClamWin Portable (http://portableapps.com/apps/utilities/clamwin_portable), especially if you change the name of the exe...

u might be able to disable USB in the Bios...
but then you would need to access the BIOS to restore them...

You might try MS SteadyState, it is free for genuine Windows XP users, but is not supported by Win 2000.
http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx
It is a newer version of the MS Shared Computer Toolkit.

Windows SteadyState User Restrictions

Take control of your shared computer with SteadyState restrictions
Protect your shared computer by customizing what users can do on it. Windows SteadyState puts you in control of which programs, features, disk drives, and websites are available to each user. For the inexperienced user, your computer will be more consistent and less complex. For an untrusted user, you can initiate enhanced security features on your computer.

Start Menu restrictions let you remove items from the Start Menu. This means you can disable user access to items such as:

Shut Down

Control Panel

Command Prompt

Windows Explorer

Drive restrictions determine which drives are visible to the user in My Computer. You can select the option to hide all drives, show all drives, or select specific drives that you do not want exposed to the user. These include printers or removable storage devices.

Program restrictions let you block a user from running a particular program, such as a system tool, simply by adding that program to the blocked list.

Feature restrictions can stop users from accessing program attributes that might damage or clutter the computer. For example, you can prevent users from adding to the Clip Organizer, creating Microsoft Office macros, using Visual Basic, or saving Internet Explorer favorites.

Internet restrictions let you set the Internet Explorer home page, and you can block access to any Internet site not specifically listed as allowed.

This looks like just what you are looking for.

http://www.microsoft.com/downloads/details.aspx?FamilyId=D077A52D-93E9-4B02-BD95-9D770CCDB431&displaylang=en

Good looking stuff rond36. I must give it a whirl.

There is also a version 2.5 beta that is supported by Win Vista
http://www.microsoft.com/downloads/details.aspx?familyid=4de91d3a-69f4-4d7b-94b1-c69b8be029f4&displaylang=en

Faronics has a simular product for Win 2000 called Deep Freeze
http://www.faronics.com/html/deepfreeze.asp
but it is not free past the 30 day trial period

You can use group policy to do this too. See here (http://support.microsoft.com/kb/555324).