Best way to parent-proof Win7?

Soldato
Joined
6 Jan 2006
Posts
3,404
Location
Newcastle upon Tyne
Going to buy the folks a new computer as their XP one has had it but just wondering if there is any steps I can take to try and lock it down so they cant break it, lose files, somehow install all sorts of spyware and adware...you get the idea!!

Here are the steps I have considered so far:

Set them up as a non-admin account

Antivirus wise I was thinking of going with Microsoft Security Essentials as it seems to be pretty good from what I can tell.

Install tea timer

Create restore point once all programs are installed!

Anything else you can think of?

Thanks
 
Started writing a guide on this actually after doing both sets of parents recently... stil WIP but below is probably a good start... ;)

Foreword
My outline requirements were:
• Prevent modification to Windows which could allow potentially unsafe code to execute whilst still allowing ‘core’ programmes to run as normal (i.e. iTunes, internet, MS Office etc.)
• Automate ‘cleanup’ operations which are never performed (such as cleaning temp files, defrag HDD etc.) behind the scenes
• Improve windows experience for ‘older’ family members so that it was more like a tablet
• Do all of the above with free / included in OS tools


OS Requirements
Windows 7 (may work for others) – Professional or higher

Software Used
NB: I’m not going to cover slipstreaming, unattended setups etc. so have the installers pre-downloaded on a USB or something – makes things a lot quicker! If you’re interested in these topics, have a look here as a starting point.

• WinRar (or equivalent)
• CCleaner + CCenhancer (optional)
• SmartDefrag
• Chrome
• iTunes/Spotify
• Flash
• Java
• Rainmeter with Omnino
• Windows security essentials
• MS Office (if you have it) or OpenOffice / LibreOffice

(1) Install Windows
Run through standard Windows installation and setup. This will create a new (admin by default) user account.
Personally, I prefer to backup to an external HDD any key pictures / music etc. before starting this process. This allows me to just wipe the existing HDD and minimises any issues from previous OS creeping into the new one.

Cleanse existing drive (optional)
When presented with the “where do you want to install Windows” screen, click on “Advanced” and then delete all of the existing partitions.

You should now have the entire drive as “unallocated”

Click “New” and create a partition with default options. This will generate a “System Reserved” and “Primary” partition. Install Windows to the Primary.


(2) Initial admin actions
We now have a vanilla Windows install with a single, admin by default, user account.

Create shortcuts
As we are going to be using these regularly, place 4 shortcuts on the desktop for:
• Group Policy Management
o C:\Windows\System32\gpedit.msc
• System Configuration
o C:\Windows\System32\msconfig.exe
• Local Security Policy
o C:\Windows\System32\secpol.msc
• Users and Accounts
o C:\Windows\System32\lusrmgr.msc

Install default programmes
Let’s install the default programmes (as listed above).
• Deselect any option such as “create shortcut” or “check for updates” as we will do this ourselves.
• Select any option such as “install for all users”

Specific selections made
CCleaner (optional)
After install, run CCleaner and select as an option “Windows Error Reporting”. I do this personally as the dumps tend to be huge.
SmartDefrag
When SmartDefrag gives you options at the end to install additional rubbish, select “Skip” for both screens.
Run SmartDefrag after install and ensure “Load automatically at Windows startup” is selected in the settings.

Setup admin scripts
We will now create some batch scripts to automate a lot of the work behind the scenes so create a folder called “AdminScripts” in the administrators Documents.

CCleaner
This script will run CCleaner in the background based on the default settings we determined earlier.
1. In the AdminScripts folder create a new .txt document called “CCleaner-auto.txt”
2. Edit this and add a line:
@"C:\Program Files\CCleaner\CCleaner.exe" /AUTO
3. Save the file and rename the extension to “.bat” rather than “.txt”

Set scripts to execute
Loadup “Group Policy Management” and navigate to User Config >> Windows >> Scripts

CCleaner
Double-click on “Logoff”, click “add” in the dialog that appears, click “browse” in the following dialog and find the CCleaner script we created earlier.

Leave the script params blank, click “ok”, click “ok” again and exit back to the Group Policy Management screen.
We have now setup CCleaner to run and clean the system whenever a user logs off (this also includes system shutting down).

Disable annoying updates
To stop Java and Google popping up on the users taskbar telling them to update, open up “System Configuration” and select the “Startup” tab.
Find the items for “Google Update” and “Java Platform Updater” and disable them by unchecking the tick-box.


Create Users
Let’s create the users for the PC now.
1. Open up “Users and Accounts” and select “Users”
2. Right-click and select “New User”
3. Insert the details of the user being created, I have selected the following options for ease of use: “User cannot change password” and “Password never expires”

Now we need to (briefly) grant the user administrator rights whilst we perform the initial setup.
4. Switch to the “Member Of” tab and click “add”
5. In the free text box that appears, type in “Administrators” (case sensitive) and click “Check Names”
6. This should change the text to represent COMPUTERNAME\Administrators
7. Click “ok” to create the user
8. Restart the PC


(3) User customisation
Having restarted we should now have the option of logging in as the new user

Login as the user and we can customise the experience.
Hide non-basic view options
1. Open up a windows explorer window and hit “Alt” to bring up the menu
2. Select Tools >> Folder Options
3. Switch to the “view” tab in the dialog that appears and ensure the following:
a. “Don’t show hidden files, folders or drives” = Selected
b. “Hide empty drives in the Computer folder” = Selected
c. “Hide extensions for known file types” = Selected
d. “Hide protected operating system files” = Selected

Install Rainmeter etc. and customise for user
WIP . . .

(4) Final admin actions
WIP, but essentially:

- install Teamviewer Host for remote assistance as needed . . . .

- customise security policy to only allow programmes installed now to operate and go through firewall (using AppLocker etc.)

- remove admin rights from new user

- hide the default administrator account
use Grp Policy >> Computer >> Windows >> Security >> Local >> Security)
see "interactive logon" flags for "Last User Name" and "Ctrl + Alt + Del"
 
Install the stuff - including MSE.
Password the admin account and give them a standard user account
Take a disk image

That should be enough really. Consider installing Chrome for automatic flash updates. That's about as far as I'd go - basically keep things simple.
 
Back
Top Bottom