This is the setup I have found works best for me and the computers I manage.
  1. All lab / student use computers have deepfreeze installed.
  2. All users have local admin rights on every computer.  I set this using group policies. (email me if you want the how-to)
  3. Instead of mandatory or roaming profiles, I just set the computer up the way I want all users to see and then copy that profile to the default profile.
  4. I use scriptstart for all logon script options, including drive mapping and printer assignment (opensource, with paid support option):
  5. I use Group policies for restrictions;  I am pretty lax, I just want to prevent them from doing anything malicous.
  6. For non-deepfreeze computers I will run delprof.exe (part of MS tools) periodically to clean out the profiles.
  7. I will Ghost as needed in the labs.
  8. Lately I have setup Edubuntu LTSP and been using old computers and thin clients in classrooms.  That has worked out well.

----- Original Message -----
From: "Craig Lyndes" <[log in to unmask]>
To: [log in to unmask]
Sent: Wednesday, February 13, 2008 11:02:40 AM (GMT-0500) America/New_York
Subject: Desktop Security

Dear Folks,

I know that this topic has been on the list recently (I have been
lurking).  However at my new job I have observed that their attempt at
desktop security has some negative consequences that I would like to
fix.  They are currently using Windows Domain Logins with profiles that
on their older, slower machines make boot-up take up to 5 minutes
(creating a new profile for each student) and clutter up the hard drives
with old profiles.

Cut to the chase - Are there any schools out there that are using Disk
Imaging as a part of their desktop security system?

What I am proposing is to have some computers where the users have full
access to the local machine.  They can install plugins, change the
desktop, do whatever they wish with the computer.  If something happens
to the machine that causes it to become compromised then the computer is
reimaged from a standard image stored on the network.  If you are using
an imaging solution, which one, what are its benefits and how much does
it cost?  Are there any repercussions to having unlocked desktops (not
everywhere, but where appropriate and requested)?

Question #2 - What are people using for desktop security that is
installed locally on the computer, not a server/login based solution?

I am not enamored with Windows servers and am thinking of going open
source for network resources.  This would require the machines that need
to have the desktop managed have something locally installed.  I am
familiar with Deep Freeze, which seems to work very well.  I've also
struggled with Fortress, which I found to be very good at disabling the
machine upon which it is installed, and therefore a less than ideal
solution.  What are people using?  We are using Icon Lock successfully
on the Win 98 machines (approx 1/3 of the machines still).

Thanks In Advance
Craig Lyndes
Franklin Central SU