For controlling drive mapping, you may be able to create a Citrix policy that controls drive mapping and apply/deny it based on the client's IP. Software Restriction Policies are incredibly powerful. Much better than the "Don't run specified Windows applications" GPO and AppSec. -----Original Message----- From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Angela Smith Sent: Tuesday, December 19, 2006 7:28 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: Citrix Lockdowns Malcom What MS policy settings do you use to catch the 95%?? We would prefer the users to use the Citrix client as they have it installed and we have had issues with Java versions in the past. If I created a new ICA connection, can I somehow direct external users to use that ICA connection (perhaps via AD group membership). This would allow me to have a more locked down configuration for external users and internal users would be unaffected. Is this possible? Thanks >From: "Malcolm Bruton" <malcolm.bruton@xxxxxxxxxxxxxxxxxx> >Reply-To: thin@xxxxxxxxxxxxx >To: <thin@xxxxxxxxxxxxx> >Subject: [THIN] Re: Citrix Lockdowns >Date: Tue, 19 Dec 2006 04:29:14 -0500 > >Easiest way would be to use the java clients only. Configure Web >interface so the java client will not map local drives and disallow copy and pasting. >etc. You could change the ICA connection properties to do this but I >would assume that you have internal users connecting to that same >server so that is probably not an option. > >There are holes in bith citrix polices and MS policies. We use MS >policies (mainly becuase we are on MF XP still) Using MS policies does >allow you to get 95% of the easy stuff to be locked down. To get 100% >you need to use a third party. > >________________________________ > >From: thin-bounce@xxxxxxxxxxxxx on behalf of Angela Smith >Sent: Tue 19/12/2006 04:08 >To: thin@xxxxxxxxxxxxx >Subject: [THIN] Citrix Lockdowns > > > >Hi > >I am looking at locking down our Citrx farm for all Remote Users. I >have 2 issues I was hoping to get some information on: > >1) Is there a way to restrict users from copying files in a citrix >session to their local drives. Here is my scenario.. > >A user will connect to our Citrix Presentation Server 4 farm using Web >Interface. If they open Windows Explorer (on Citrix) they can right >click a file on the corporate network, select copy then minimise the >published application and can paste in their local Windows Explorer. >These users have a Citrix client installed. The Web Interface is setup >to use a Citrix Client with Java as fallback. > >2) Has anyone implemented a Software Restriction Policy on Citrix? Does >it work or should I use the "Don't run specified Windows applications" >GPO?? I want to restrict all executables except for Internet Explorer >and MS Office apps. Whats the best way for me to do this? > >Thanks >Angela > >_________________________________________________________________ >Advertisement: Fresh jobs daily. Stop waiting for the newspaper. Search >Now! >www.seek.com.au >http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Fninemsn%2Eseek%2Ecom%2E >au&_t=757263760&_r=Hotmail_EndText_Dec06&_m=EXT > >SBC SITES ONLY GOOGLE SEARCH: http://www.F1U.com <http://www.f1u.com/> >************************************************ >For Archives, RSS, to Unsubscribe, Subscribe or set Digest or Vacation >mode use the below link: >//www.freelists.org/list/thin >************************************************ > > ><< winmail.dat >> _________________________________________________________________ Advertisement: Mobiles, computers, handsets, iPODs and more! http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Fwww%2Etradingpost%2Ecom% 2Eau%2Fsearch%2Fcat%5FPhones%5Fns%5FTrue%5Foff%5F0%5Fsect%5FAutomotive%5 Fsort%5FotRZSQ1BJDZfdRZSQSearchDisplayPriorityIndAVSCotRZSQ1BJDZfdRZSQFi rstPublished%5Fsqt%5F2%5Fsrch%5Fmobile%2Bphones%5Fsrchtype%5Fint%5Fstate %5F9%5Fstpg%5F1%5Fsubs%5FUsed%2BCars%5F%3Freferrer%3Dplacement13&_t=7595 68604&_r=Email_Tagline1&_m=EXT SBC SITES ONLY GOOGLE SEARCH: http://www.F1U.com ************************************************ For Archives, RSS, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: //www.freelists.org/list/thin ************************************************ SBC SITES ONLY GOOGLE SEARCH: http://www.F1U.com ************************************************ For Archives, RSS, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: //www.freelists.org/list/thin ************************************************