Is there any "safe" way for a public computer to allow user installs?

MaloK said:

Yes, you can use software like DeepFreeze as long as the softwares installed does not need to reboot to work.

Then ask the users to reboot after uses to clear up their traces.

That looks interesting. I didn't know it existed. I've just had a look at their site. Without that, though, allowing users to install on a public network is strictly a no go area, and should never be allowed.

That said, if DeepFreeze (Links to PDF Brochure download) works as I think it does, what a terrific innovation! Love it. What a clever idea!

Christophe

MaloK said:

It's been around since the 2000, frozen computers will always start with a fresh Windows until something breaks.

You can delete windows directory it will be back on reboot.

You can also achieve the same results with the Windows Enhanced Write Filter or Windows 10 Unified Write Filter. But it is a lot more complicated than using DeepFreeze.

Well, looking at prices and spec, it looks on the surface to be a perfect solution to this OPs question. I'm just glad that I know about it myself now as I can think of a couple of uses for projects I'm involved with. It's such an elegant and far-sighted idea to have had that is open-minded and recognises that something positive can be done to facilitate what must be, after all, quite a popular request.

I also salute the OP @JOSHSKORN for having the vision to think about this for his own users. Not many would. They just say NO it can't be done.

It's actually amasing what can be done with an open mind.

Christophe

@JOSHSKORN -

True story...

I have used Deep Freeze (and others) for a local library way back. It's excellent if it is setup properly, especially for the AV and FW (critical.)

However, there is a deeper issue (out of many) which must be considered:

"Well, I tried editing my Word document and now it's corrupted. This is all your fault."

Yes, you can secure the computer to an extent but what about liability?

This is something to consider - ensure that Deep Freeze is setup with a Liability Disclaimer with every login to the system.

One more thing...

Ensure that nobody can boot with a USB, CD-R, etc,, to bypass the security. I have used Tails many times to get around that!

FWIW.

JOSHSKORN said:

Lets say you have a set of 100 public computers in a public space, and would like to open up one of these computers to allow users to install whatever software they want, within reason. Mainly, these would be users wanting to install an application from either a CD or USB which they'd received from a medical office to view test results, or applications of similar situations. I do realize the point of such tight security, preventing EXEs to run on public machines is in place to help prevent viruses and other forms of malicious code.

Is this even possible? Considering most apps need an internet connection anyways to register, and a connection to the internet or much less, network is a concern when taking chances installing something unfamiliar on a PC, potentially harming other PCs on that network.

It's not secure on it's own because that one computer could infect other networked computers.

What would work is to limit installation only to digitally signed programs.
To make such restriction you can use application control (new version and hard) or application locker (old version and easy) to limit software being installed or run:

For application control setup see:
https://docs.microsoft.com/en-us/win...cation-control

For application locker setup see:
https://docs.microsoft.com/en-us/win...ocker-overview