#8, 04-11-2007
Thomas H
Re: Limiting Shadow Copies?
Sounds like you're most worried about someone walking over to these laptops
and using them?

I'd suggest a 5-minute timeout on the screen saver, and training the users
to lock the machine (windows key+L) every time they step away from it. Even
something as simple as closing the laptop's lid so it goes into standby mode-
and then, requiring a password to come out of standby mode- may work. These
methods could be bothersome to use- but I'd rather be bothered than insecure.

Of course, the biggest issue is that these laptops are being left unattended
in the first place! Definitely look into EFS, because EFS can prevent a
stolen laptop problem from turning into a worse problem- stolen data. Stolen
data is what winds up on the front page of newspapers!

Now if you could acquire a Windows 2003 Server (even by beefing up an old
server from an online auction), you could set up a D: drive for everyone's
documents (and nothing else). You could enable Shadow Copies on the D:
drive. Redirect their Documents folders onto the D: drive. Set up
Certificate Services on the server to centrally manage everyone's EFS keys
(instead of trusting USB sticks). Enable "offline files" for the mobile
users, and encrypt the offline files datastore with EFS. Finally, enforce
the screen saver password through Group Policy. I would think (but I'm not
sure so you'd have to test this!), in that case, that a mobile "disconnected"
laptop could not restore Previous Versions if the deleted files had been
associated with the server- this is because the server is storing all of the
previous versions from its own D: drive, and the laptop is just using the VSS
client.

"jimmuh" wrote:

> Thank you for the suggestions. I've considered using second drives /
> partitions, removable drives, and encryption with keys kept on USB memory
> devices. For various reasons having to do with the nature of donated
> equipment (new, but limited in flexibility) none of them is quite suitable to
> the particular purpose, though encryption comes closest.
>
> This due diligence issue is one for protection of the lawyers more than the
> protection of the clients, and it really isn't a matter of them being lazy.
> There are circumstances where a lawyer and clients are operating under
> extreme stress. If it's sufficient to be sure that the notebook is not left
> unattended for more than a couple of minutes, then it's sufficient. It would
> be hard to explain without a pretty thorough explanation of their working
> methods. But it is extremely important to have the technology be as
> unintrusive as possible. These are good guys giving their time for free to
> take care of folks who have no other access to legal help of this particular
> type.
>
> "DevilsPGD" wrote:
>
> > In message <C4BFE233-461C-4CC7-8C18-34B88BBD2900@microsoft.com> jimmuh
> > <jimmuh@discussions.microsoft.com> wrote:
> >
> > >No, in other words there is a concept called "due diligence" at work here. It
> > >is impossible to make any system perfectly secure. But there's a hell of a
> > >difference between being able to do a casual inspection and retrieve previous
> > >versions through a folder's properties dialog on a machine inadvertently left
> > >unattended for a few minutes and having to use forensics to get the same
> > >data. The difference is recognized quite widely in court. And these guys are
> > >-- well, lawyers.
> > >
> >
> > Understood, to a point -- Recovering files from an "oops I deleted it by
> > accident" point of view is unreliable. Undeleting files from a "The
> > rest of a client's life or livelihood depends on these files being gone"
> > is trivially simple for someone with relatively few skills (and access
> > to Google to find a tool to do it)
> >
> > I would hope my lawyer does more than the minimum required to qualify as
> > due diligence.
> >
> > That being said, there are a few options...
> >
> > The easiest would be a second logical drive (physical or partition)
> > which doesn't use Shadow copies. You could even mount that partition
> > into the user's Documents directory, or redirect their Documents to an
> > appropriate location.
> >
> > Better yet would be solution using encryption, which would only require
> > you to destroy the keys to effectively remove access to the data.
> > --
> > Insert something clever here.
> >
