Situation:

1. College Environment. AD 2003 Domain, 1,500 XP SP2 Clients.

2. In each computer lab, the professors want to prevent students from browsing internet while they deliver the lectures.

3. I can't afford any classroom software because it's expensive.

My thoughts:

a. Create a GPO and use App Restriction feature in GP to block IE,Firefox (hash method) and link it to that lab OU

b. Create a script and make a shortcut on instructor desktop so he or she can link/unlink that GPO.

c. Use a utility called BeyondExec to send "gpupdate /force" to all of the computers in that lab.


I am a newbie in scripting so I can't write a "nice" script right now. Please advise me of what I should do to make it work best in situation like this. Thank you very much.

P.S

Regarding the idea of enable/disable a GPO, I got it from Mr. Moskowitz's 2003 book which I bought last November;Chapter 07. Scripting GPMC Operations. At first I've been spending time to search if I can do anything about "one" setting in a GPO. After reading that chapter I found out that I can only link/unlink a GPO, not a specific setting. The book is great. Thanks Mr. Moskowitz


beyondexec is a free util and can be downloaded at here