Re: Limiting Shadow Copies?
Again, the reason why none of the usual solutions that appeal to us as IT
people will work has to do with the niceties of human interaction. I'm not
looking for a solution here, because of this particular design feature. A
lawyer going over information on the notebook with a client gets a call or
goes to the door to talk with someone else and steps away from the notebook
for a moment. Let's just say that, under the particular social situation, it
just isn't acceptable for him to lock the system or take it with him. It just
isn't. That is their unanimous opinion, and I have to respect that. They have
to delete anything they don't want seen, and they accept that. What they
couldn't accept was that someone sitting at their computer could, within a
few seconds, retrieve files that they had deleted whilst preparing for the
meeting. It was deleted for a reason. So, unfortunately, we have to do without
System Restore because of the way System Restore and the Previous Versions
features are intertwined in Vista.
This morning I checked and found some controls for Previous Versions
behavior under Administrative Templates | Windows Components | Windows
Explorer in the group policy editor. It looks as though that's going to do
this particular trick very nicely.
There's usually more than one way to skin a cat. So, Scott Adams, you might
take a look there to see if those might be of use to you. They're just about
perfect for my particular circumstance, but may not be as well-suited for
your purposes. And, of course, you would have to be running Vista version(s)
that have the policy editor.
"Thomas H" wrote:
> Sounds like you're most worried about someone walking over to these laptops
> and using them?
>
> I'd suggest a 5-minute timeout on the screen saver, and training the users
> to lock the machine (Windows key+L) every time they step away from it. Even
> something as simple as closing the laptop's lid so it goes into standby mode,
> and then requiring a password to come out of standby mode, may work. These
> methods could be bothersome to use, but I'd rather be bothered than insecure.
>
> Of course, the biggest issue is that these laptops are being left unattended
> in the first place! Definitely look into EFS, because EFS can prevent a
> stolen laptop problem from turning into a worse problem: stolen data. Stolen
> data is what winds up on the front page of newspapers!
>
> Now if you could acquire a Windows 2003 Server (even by beefing up an old
> server from an online auction), you could set up a D: drive for everyone's
> documents (and nothing else). You could enable Shadow Copies on the D:
> drive. Redirect their Documents folders onto the D: drive. Set up
> Certificate Services on the server to centrally manage everyone's EFS keys
> (instead of trusting USB sticks). Enable "offline files" for the mobile
> users, and encrypt the offline files datastore with EFS. Finally, enforce
> the screen saver password through Group Policy. I would think (but I'm not
> sure so you'd have to test this!), in that case, that a mobile "disconnected"
> laptop could not restore Previous Versions if the deleted files had been
> associated with the server- this is because the server is storing all of the
> previous versions from its own D: drive, and the laptop is just using the VSS
> client.
>
> "jimmuh" wrote:
>
> > Thank you for the suggestions. I've considered using second drives /
> > partitions, removable drives, and encryption with keys kept on USB memory
> > devices. For various reasons having to do with the nature of donated
> > equipment (new, but limited in flexibility) none of them is quite suitable to
> > the particular purpose, though encryption comes closest.
> >
> > This due diligence issue is one for protection of the lawyers more than the
> > protection of the clients, and it really isn't a matter of them being lazy.
> > There are circumstances where a lawyer and clients are operating under
> > extreme stress. If it's sufficient to be sure that the notebook is not left
> > unattended for more than a couple of minutes, then it's sufficient. It would
> > be hard to explain without a pretty thorough explanation of their working
> > methods. But it is extremely important to have the technology be as
> > unintrusive as possible. These are good guys giving their time for free to
> > take care of folks who have no other access to legal help of this particular
> > type.
> >
> > "DevilsPGD" wrote:
> >
> > > In message <C4BFE233-461C-4CC7-8C18-34B88BBD2900@microsoft.com> jimmuh
> > > <jimmuh@discussions.microsoft.com> wrote:
> > >
> > > >No, in other words there is a concept called "due diligence" at work here. It
> > > >is impossible to make any system perfectly secure. But there's a hell of a
> > > >difference between being able to do a casual inspection and retrieve previous
> > > >versions through a folder's properties dialog on a machine inadvertently left
> > > >unattended for a few minutes and having to use forensics to get the same
> > > >data. The difference is recognized quite widely in court. And these guys are
> > > >-- well, lawyers.
> > >
> > > Understood, to a point -- Recovering files from an "oops I deleted it by
> > > accident" point of view is unreliable. Undeleting files from a "The
> > > rest of a client's life or livelihood depends on these files being gone"
> > > point of view is trivially simple for someone with relatively few skills (and access
> > > to Google to find a tool to do it).
> > >
> > > I would hope my lawyer does more than the minimum required to qualify as
> > > due diligence.
> > >
> > > That being said, there are a few options...
> > >
> > > The easiest would be a second logical drive (physical or partition)
> > > which doesn't use Shadow copies. You could even mount that partition
> > > into the user's Documents directory, or redirect their Documents to an
> > > appropriate location.
> > >
> > > Better yet would be a solution using encryption, which would only require
> > > you to destroy the keys to effectively remove access to the data.
> > > --
> > > Insert something clever here.
> > >
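The Previous Versions policies jimmuh found under Administrative Templates | Windows Components | Windows Explorer are ordinary registry-backed policies, so they can also be set and verified from a script. The following is an added example by the editor, not code from anyone in the thread. It assumes the policy key and value names that the PreviousVersions.admx template writes (HKLM\SOFTWARE\Policies\Microsoft\PreviousVersions with DisableLocalPage, DisableLocalRestore and the remote/backup equivalents); confirm them against gpedit.msc or the .admx on the target build before relying on them.

```powershell
# Added example (not from the original thread). Sets the Previous Versions
# policies that the Group Policy editor exposes under
# Administrative Templates | Windows Components | Windows Explorer | Previous Versions
# by writing the registry values those policies map to, then reads them back.
# Assumption: the key and value names below match PreviousVersions.admx on
# your build. Run from an elevated PowerShell session.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PreviousVersions'

# 1 = policy enabled. "Page" values hide the Previous Versions tab/list;
# "Restore" values block the restore action even where a list is shown.
$Settings = @{
    DisableLocalPage     = 1   # Hide previous versions list for local files
    DisableLocalRestore  = 1   # Prevent restoring local previous versions
    DisableRemotePage    = 1   # Hide previous versions list for remote files
    DisableRemoteRestore = 1   # Prevent restoring remote previous versions
    DisableBackupPage    = 1   # Hide previous versions of files on backup location
    DisableBackupRestore = 1   # Prevent restoring previous versions from backups
}

function Set-PreviousVersionsPolicy {
    param([hashtable]$Values)
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    foreach ($name in $Values.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -Value $Values[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

# The check: read every value back and report any that is missing or wrong,
# so a machine can be audited after Group Policy or this script has run.
function Test-PreviousVersionsPolicy {
    param([hashtable]$Expected)
    $wrong = @()
    foreach ($name in $Expected.Keys) {
        $actual = (Get-ItemProperty -Path $PolicyKey -Name $name `
            -ErrorAction SilentlyContinue).$name
        if ($actual -ne $Expected[$name]) { $wrong += $name }
    }
    if ($wrong.Count -eq 0) {
        Write-Output 'All Previous Versions policies are set as expected.'
    } else {
        Write-Output ('Not set or wrong: ' + ($wrong -join ', '))
    }
}

Set-PreviousVersionsPolicy -Values $Settings
Test-PreviousVersionsPolicy -Expected $Settings

# Caveat: these policies only remove the Explorer UI path to previous versions.
# The shadow copies themselves stay on disk until they are deleted. If the
# snapshots must go too (this also removes System Restore points):
#   vssadmin list shadows
#   vssadmin delete shadows /for=C: /all
```

Explorer reads these values from the Policies hive directly, so they take effect without a domain; on editions without gpedit.msc the registry route is the only way to set them. Keep the caveat in mind when deciding whether the policy alone meets the "casual inspection" bar discussed above: it closes the properties-dialog route, but does not shrink what a determined person with local administrator rights can still reach.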