Hi. My situation is, we have public access workstations running W2kPro, connected to a Win2kServer network evironment. It is a pure Active Directory environment, with the public workstations and accounts in their own organizational unit, and their own group policy. We would like to disallow the users to write to anything other than the local floppy disk drive, and while the group policy restricts the harddrive from explorer, users can still get into directories using Office, IE, etc. I’d like to create a script (or perhaps some other suggestion of doing this) that automatically creates entries in the ACL for all the directories that allows read only (except to certain things that need to be read/write, obviously). Basically, I don’t want them to be able to save things to the desktop, my documents, or anywhere on the harddrive. The group pol doesn’t restrict this enough, and I’d like to avoid physically setting up each workstation with manual entries. Can someone advise me or point me in the right direction? a script seems like the best way to do this, but I haven’t found a really solid guide that helps me find what i need to do. Thanks!