The Importance Of End-User Policies And Procedures Part IV

It has become common practice for information technology departments to define the standard user configuration for end user desktop machines. One such example of this involved a Fortune 500 company where the network administrators and the help desk analysts joined forces to define the standard user configuration for end user desktop machines.

In the Windows 2000 environment used by that company, the standard user image is locked down by Group Policy Object (GPO) settings, or collections of settings that define the system and how it will behave for a specific group of users. For select power users and IT staff, the policies were less restrictive. However, for most end users, the following rules were in place:

• No A or B drives. New end user machines are deployed without A or B drives. Machines already in service had those drives deactivated by policy. The autorun feature is disabled for machines that have CD-ROM drives.
• No Run option is available on the Start menu.
• The number of Control Panel applets has been pared down to the bare minimum. Conspicuously absent is Add/Remove Programs.
• The following file types are prohibited from running at any time: *.msi (Microsoft Install programs), *setup*.* and install*.* (no setup or installation programs of any kind will run), AOL*.* (because the company doesn’t want AOL’s Instant Messenger running on its network), and quake*.* (because the company doesn’t want users chewing up bandwidth playing Quake).

With such policies in place, even if users open the box and install a new video card or their own modem, Windows 2000 won’t let users see the new device. The policy protects the system at the level of the Hardware Abstraction Layer, affectionately known as HAL.