SetUp Limited Windows User Profile: Block, Lock & Restict Apps, Folder and Files

These procedures can be used to create a locked down enviornment, e.g:  Child Computer, Limited Admin, Adult Content Filter Protections and File Security

download and install:

1. Filtering Apps: K9 and Stop Filter

2. File Lock Utility

this is one of the only tools I found that locks folders, files and apps. It is simple, intuitive and stable. I have tried several others but none are as good as File Lock

3. Service Lock Utility:

Allows setting security DACL’s on Windows Services, prevents user from stopping services

4. MIsc Apps:

Keep Running Apps

ReStart Script

Configure:

1. Run Service Lock Utility: restrict User from stopping services:

2. Run File Lock Utility lock files

Lock
             pornFilter
             K9 files
             gpedit.msc

Set PWD

3. Local Policy Editor: gpedit.msc

Apps:
App Locker: Lock/Software Protections
                 "C:\Work\Tools\AntiVirus\KidFilter\Free\LockService\ServiceSecurityEditor.exe"
Lock System
                 Microsoft.UserAccounts
                 regedit

RESTRICT access to regedit!

4. Misc GPO

Disable Task Manager

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr 

Hide Policy Editor:

User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy Object Editor

Disable Any Control Panel Applet

Disable Windows Services Applet

HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\{58221C66-EA27-11CF-ADCF-00AA00A80033} and locate Restrict_Run registry key

5. If User is not Administrator:

Configuring Windows 7 for a Limited User Account
else 

6. If User is Admin but want to limit some apps:

a) Create 2nd Admin User Admin2

b) Set ServiceLock user “Manage Service” DACL  to this user.  Set everyone else Deny “Stop Service”

7.  Assign revoke Terminate_Process DACL  Refs:
         https://stackoverflow.com/questions/5380018/deny-access-to-kiosk-program-process
         https://stackoverflow.com/questions/3121746/prevent-c-sharp-app-from-process-kill
         http://csharptest.net/1043/how-to-prevent-users-from-killing-your-service-process/index.html
         http://ethertubes.com/make-a-program-run-as-a-windows-service-on-boot/
         https://security.stackexchange.com/questions/30985/create-a-unterminable-process-in-windows
         https://msdn.microsoft.com/en-us/library/windows/desktop/ms684880(v=vs.85).aspx
         https://www.experts-exchange.com/questions/27858649/Protect-An-Application-From-Being-Killed-With-Task-Manager-Delphi.html
        
     Options to implement Process to Keep Filters running:
    
         1) Un-Killable Process: Set ACE to AccessDenied for ProcessAccessRights PROCESS_TERMINATE,
             http://csharptest.net/1043/how-to-prevent-users-from-killing-your-service-process/index.html
             K9filter.exe to
             hlth.ex
             movie.exe
            
         2) Create Boot process:
             a) Service that is a Service Driver
             b) kernel hacking, as mdm said, or diving into rootkit territory. Which I would suggest you avoid.
             c) Winlogon notification package.
            
         2) Create watcher proess:
             a) create app to run at boot
             b) Set to un-killable
             c) Process will watch K9filter.exe , hlth.exe ect
             d) for each process:
                 if process is dead: restart
                 else do nothing