This is the setup I have found works best for me and the computers I manage. 

    1. All lab / student use computers have deepfreeze installed. 
    2. All users have local admin rights on every computer. I set this using group policies. (email me if you want the how-to) 
    3. Instead of mandatory or roaming profiles, I just set the computer up the way I want all users to see and then copy that profile to the default profile. 
    4. I use scriptstart for all logon script options, including drive mapping and printer assignment (opensource, with paid support option): 
    5. I use Group policies for restrictions; I am pretty lax, I just want to prevent them from doing anything malicous. 
    6. For non-deepfreeze computers I will run delprof.exe (part of MS tools) periodically to clean out the profiles. 
    7. I will Ghost as needed in the labs. 
    8. Lately I have setup Edubuntu LTSP and been using old computers and thin clients in classrooms. That has worked out well. 

----- Original Message ----- 
From: "Craig Lyndes" <[log in to unmask]> 
To: [log in to unmask] 
Sent: Wednesday, February 13, 2008 11:02:40 AM (GMT-0500) America/New_York 
Subject: Desktop Security 

Dear Folks, 

I know that this topic has been on the list recently (I have been 
lurking). However at my new job I have observed that their attempt at 
desktop security has some negative consequences that I would like to 
fix. They are currently using Windows Domain Logins with profiles that 
on their older, slower machines make boot-up take up to 5 minutes 
(creating a new profile for each student) and clutter up the hard drives 
with old profiles. 

Cut to the chase - Are there any schools out there that are using Disk 
Imaging as a part of their desktop security system? 

What I am proposing is to have some computers where the users have full 
access to the local machine. They can install plugins, change the 
desktop, do whatever they wish with the computer. If something happens 
to the machine that causes it to become compromised then the computer is 
reimaged from a standard image stored on the network. If you are using 
an imaging solution, which one, what are its benefits and how much does 
it cost? Are there any repercussions to having unlocked desktops (not 
everywhere, but where appropriate and requested)? 

Question #2 - What are people using for desktop security that is 
installed locally on the computer, not a server/login based solution? 

I am not enamored with Windows servers and am thinking of going open 
source for network resources. This would require the machines that need 
to have the desktop managed have something locally installed. I am 
familiar with Deep Freeze, which seems to work very well. I've also 
struggled with Fortress, which I found to be very good at disabling the 
machine upon which it is installed, and therefore a less than ideal 
solution. What are people using? We are using Icon Lock successfully 
on the Win 98 machines (approx 1/3 of the machines still). 

Thanks In Advance 
Craig Lyndes 
Franklin Central SU