Nick,

They do need to run Firefox to access the Internet, for FedEx, UPS and DHL; they also need to run many compiled Crystal Reports. They do not have e-mail, ftp and telnet are locked down at the firewall, incoming and outgoing, and the terminals have no disk drives or usable USB ports, so I think if we restrict the IPs, it will help, but I would like to do some things in the GPO. I just do not have the knowledge on how, so I don't, as I do not want to totally screw up my AD. Can you recommend a resource for learning? I came from a Unix world. :)

Thank You
-Doug Rooney
Sonoma Tilemakers
IT Systems Administrator
7750 Bell Rd.
Windsor Ca, 95492
(707) 837-8177 X11
(707) 837-9472 FAX
it@xxxxxxxxxxxxxxxxxxxx

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Nick Smith
Sent: Wednesday, November 12, 2008 2:16 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Terminal Session security question

Doug,

If you allow your users to run executables they will. Via email, web, ftp, from their fat disks, hey, telnet; someone will find a way. Use GPO to allow only approved executables to run and you don't need to worry about the rest. I found this quite scary until I actually tried it, and then I just breathed easier.

Nick

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Kenzig http://thin.ms
Sent: 11 November 2008 18:22
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Terminal Session security question

Nope, just dhl.com will suffice. Yeah, they might be able to circumvent with an IP, but if the site is set up right it should convert it to a domain and lock it out.
Jim Kenzig
Blog: http://www.techblink.com

On Tue, Nov 11, 2008 at 1:13 PM, Doug Rooney <Doug@xxxxxxxxxxxxxxxxxxxx> wrote:

Jim,

I was thinking of doing that, but for example DHL has several valid IP addresses for www.dhl.com. Do I have to figure out and enter every valid possibility, and then how do I tell it everything else goes to 127.0.0.1? Also, if they type in an IP, I am guessing this will not work?

Thank You
-Doug Rooney
Sonoma Tilemakers
IT Systems Administrator
7750 Bell Rd.
Windsor Ca, 95492
(707) 837-8177 X11
(707) 837-9472 FAX
it@xxxxxxxxxxxxxxxxxxxx

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Kenzig http://thin.ms
Sent: Tuesday, November 11, 2008 9:20 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Terminal Session security question

Use the Windows hosts file to control which URLs they can and can't get to. Point the rogue sites to 127.0.0.1 and they will never get there.

Jim Kenzig
Blog: http://www.techblink.com

On Tue, Nov 11, 2008 at 12:11 PM, Doug Rooney <Doug@xxxxxxxxxxxxxxxxxxxx> wrote:

************************************************