All right, for the sake of the History of the project, the basic overview was that I was playing around (cough cough working diligently cough cough) with the computers in the lab and figured out that if you just type in something like "C:" it will bring up (regular) Explorer through (Internet) Explorer, giving users access to the hard drive and the ability to run whatever they want that was not specifically disabled in the FGC "Do Not Run" box.
Needless to say, this is something of a big security problem, because if the user knows what they are doing (before we go on it might be good to go to Jonathan's CleaningPrinters page and look over the second paragraph just for kicks) they could really mess us up by cutting and pasting and changing file names, and deleting and doing all sorts of nasty irreversible stuff...well, until we reimage the machine and put a big "NANNY NANNY BOO BOO (sp?)" sign on it (not really).
So I poked and prodded and came up with the fact that, if nothing else, we could make the C drive unsavable (minus the explicit exceptions we set up in FGC) and cut off executables on the A, B, D, and E drives.
The problem with cutting off executables on the C drive is that Windows needs the ability to load a gazillion different *.DLLs, *.EXEs, *.BATs, and multiple other file types that we probably don't even know about (remember: Bill Gates is the Satan and will take over the world before too long, so the file types they don't tell us about are probably the real cause of cancer or something like that...), and without the ability to load these, Windows, without exception when I tried, got about 4 seconds past the login screen and then Windows goes "WHOOPS! I have an error in my explorer.exe, so I'll just shut down...no one will mind..."
I mean you can add all the privileged apps into the box in Fortres, but when you have no idea how many apps are running, or that Windows uses to start, and run and so on (since they don't show up in the diagnostic box of Fortres, even with diags running, and "persistently save diagnostics" checked as well), you can't just level the drive as all files unexecutable.
Obviously that scenario wasn't going to work on a very mainstream level, so I concluded that Fortres wasn't going to cut the mustard. So I poked around on the news://support.fortres.com news group, and found that someone in the great wide open had left a link to an article on a winNT/2k website that dealt with the same problem. The solution there was to disable the ability to browse or even recognize local drives in Internet Explorer. While this proved to be very accurate, and very secure, the problem is that it does not allow the users to use attachments, or upload anything, or do any of various file services that require the hard drive. Not to mention the increased effort it would take for us as tech support to do anything on a computer to fix it if something did go wrong....
(This would still work, if I wasn't going to be crucified by all the students and staff members that it would affect)
(But if we ever did feel really mean, and had a need to affirm our roles as the supreme gods of the computing universe at the law school, that would be a nice, subtle way to prove this without having to do something odd like, say, a total system shutdown---because then our power would be affirmed in a way that looks like we don't know what we're doing...he he he...oops, the Bill Gates side of me is poking through)...
So basically we have two options...use Fortres to cut off the ability to use the hard drive, and therefore not allow Windows to load.
Or we can go ahead and set ourselves up for running the unending gauntlet by cutting off local file access completely in Internet Explorer.
OR we can go ahead and think, "Well, these clients (the reason that the EmailPants was written) are probably not going to do anything that is too terrible for about another 6 months (whew! halfway to secure network already), or at least nothing that we can't correct by reimaging."
These are the mysterious revelations that have come upon me.
(All right, so maybe there was a good deal of sarcasm and silliness in there, but I just couldn't quite get into the heroic mindset today)
<h1>**UPDATE**</h1> (For those whacky people that might ever read this.)
Fortres has fixed the very problem that we were trying to correct with version 4.1. And amazingly enough, we have 4.1. That problem is corrected on the new 98 lab image and it works beautifully. Their solution was the ability to cut off file browsing with certain applications. There is still the back door of using a program's internal dialog box (such as the one after File--->Open) that will let them poke around, but they can't save anywhere, and they shouldn't be able to delete anything.