Here is what you can do with a hosts file:
http://www.mvps.org/winhelp2002/hosts.htm

For GPO in TS check out:
http://technet.microsoft.com/en-us/library/cc776790.aspx
http://www.windowsnetworking.com/articles_tutorials/Terminal-Services-Group-Policy.html
http://www.msterminalservices.org/articles/Managing-Terminal-Services-Group-Policy.html
http://support.microsoft.com/kb/260370
http://www.dabcc.com/blogs/jeff/post/Blast-from-the-Past-Understanding-Group-Policy-in-a-Terminal-Services-Environment

Jim Kenzig
Blog: http://www.techblink.com

On Wed, Nov 12, 2008 at 9:55 AM, Doug Rooney <Doug@xxxxxxxxxxxxxxxxxxxx> wrote:

> Nick,
>
> They do need to run Firefox to access the Internet, for FedEx, UPS and DHL, they also need to run many compiled Crystal Reports. They do not have e-mail, ftp and telnet are locked down at the firewall, incoming and outgoing, and the terminals have no disk drives or usable USB ports, so I think if we restrict the IPs, it will help, but I would like to do some things in the GPO, I just do not have the knowledge on how, so I don't as I do not want to totally screw up my AD. Can you recommend a resource for learning? I came from a Unix world. :)
>
> Thank You
>
> -Doug Rooney
> Sonoma Tilemakers
> IT Systems Administrator
> 7750 Bell Rd.
> Windsor Ca, 95492
> (707) 837-8177 X11
> (707) 837-9472 FAX
> it@xxxxxxxxxxxxxxxxxxxx
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On Behalf Of* Nick Smith
> *Sent:* Wednesday, November 12, 2008 2:16 AM
> *To:* 'thin@xxxxxxxxxxxxx'
> *Subject:* [THIN] Re: Terminal Session security question
>
> Doug,
>
> If you allow your users to run executables they will. Via email, web, ftp, from their fat disks, hey, telnet; someone will find a way.
>
> Use GPO to allow only approved executables to run and you don't need to worry about the rest.
>
> I found this quite scary until I actually tried it, and then I just breathed easier.
>
> Nick
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On Behalf Of* Jim Kenzig http://thin.ms
> *Sent:* 11 November 2008 18:22
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: Terminal Session security question
>
> Nope just dhl.com will suffice. Yeah they might be able to circumvent with an IP but if the site is set up right it should convert it to a domain and lock it out.
>
> Jim Kenzig
> Blog: http://www.techblink.com
>
> On Tue, Nov 11, 2008 at 1:13 PM, Doug Rooney <Doug@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> Jim,
>
> I was thinking of doing that, but for example DHL has several valid IP addresses for www.dhl.com, do I have to figure out and enter every valid possibility, and then how do I tell it everything else goes to 127.0.0.1, also if they type in an IP, I am guessing this will not work?
>
> Thank You
>
> -Doug Rooney
> Sonoma Tilemakers
> IT Systems Administrator
> 7750 Bell Rd.
> Windsor Ca, 95492
> (707) 837-8177 X11
> (707) 837-9472 FAX
> it@xxxxxxxxxxxxxxxxxxxx
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On Behalf Of* Jim Kenzig http://thin.ms
> *Sent:* Tuesday, November 11, 2008 9:20 AM
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: Terminal Session security question
>
> Use the Windows hosts file to control which URLs they can and can't get to. Point the rogue sites to 127.0.0.1 and they will never get there.
>
> Jim Kenzig
> Blog: http://www.techblink.com
>
> On Tue, Nov 11, 2008 at 12:11 PM, Doug Rooney <Doug@xxxxxxxxxxxxxxxxxxxx> wrote: