Enable the Restricted Workbench Service to provide a restricted environment in which all Lotus® Expeditor users are limited to the applications and operating system services that you, as administrator, have configured.
When the Restricted Workbench Service is enabled and a user without administration privileges logs on to the operating system, the Lotus Expeditor is launched and the Restricted Workbench Service is automatically enabled. For non-administrative users, the Lotus Expeditor replaces Windows® Explorer as the desktop shell on Windows systems. On Linux® systems, the Lotus Expeditor replaces the GNOME Window Manager's default session. The following restrictions are imposed on the Workbench:
- The Workbench alters its behavior, look, and feel, as follows:
  - No title bar
  - No sizing borders
  - Maximized to fill the screen
  - Pinned down in the Z-order such that no other windows can be drawn beneath it
  - Cannot be closed, re-sized, or minimized
  - The menu sequence File -> Exit is removed from the Menu Bar
- The user is not able to gain access to the file system except through items contributed to the shared contribution areas of the Workbench (Cool Bar, Menu Bar, or Application Switcher Bar).
- The user is not able to gain access to any native applications except through items contributed to the Application Launcher.
- The user is not able to gain access to any operating system functions (for example, screen lockup, logoff, shutdown, change locale) except for the use of the Alt + Tab key combination to navigate between open native windows and through items contributed to the shared contribution areas of the Workbench (Menu Bar and/or Eclipse Preference Pages).
- The user is blocked from performing the following key-stroke combinations:
  - Alt + F4, which closes the window with focus. This is only blocked on the Lotus Expeditor window; other windows can still be closed with Alt + F4.
  - Ctrl + Shift + Esc, which opens the Windows Task Manager. Task Manager lets you stop processes (including Lotus Expeditor).
  - Windows Logo Key + L, which locks the display.
  - Ctrl + Alt + Delete, which displays the Windows Security dialog. The Windows Security dialog is not blocked but all the buttons except for Cancel are disabled.

  Linux:
  - Alt + Ctrl + Backspace, which terminates the GNOME session.
  - Alt + Ctrl + (F1 through F12), which switches between virtual terminals.
The Windows XP operating system introduced the notion of "Use Fast User Switching" to change credentials without fully logging out and exiting all running applications. If these settings are enabled, the system security policy is also altered to provide a more streamlined experience for the users. When running the Lotus Expeditor in Restricted Workbench mode, it is recommended that you disable the "Welcome Screen" and "Use Fast User Switching" settings to further increase your administrator control over the system. For instance, if these settings are enabled and a system screensaver is set, once the screensaver activates and then is deactivated, the user will be presented with a dialog allowing him or her to shut down or log off the system.
Another modification relates to the Ctrl + Alt + Delete key sequence, which presents a Windows Security dialog. If the Lotus Expeditor Restricted Workbench is installed, and the "Welcome Screen" and "Use Fast User Switching" settings are disabled, the only option available to the user on this dialog is Cancel. However, if the "Welcome Screen" and "Use Fast User Switching" options are enabled, the user will again have the ability to log off or shut down the system. When installing the Restricted Workbench, these settings are automatically disabled to provide a more secure environment.
To verify these settings, perform the following steps:
- Click Start -> Control Panel.
- Click the User Accounts control panel.
- Click Change the way users log on or off.
- Modify the Welcome Screen and Use Fast User Switching options accordingly.
- Click Apply Options.
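The same check can be scripted when many restricted workstations have to be audited. The following Python code is an added example, not part of the product documentation: it parses the text output of `reg query` and reports the state of both options. It assumes, from general Windows XP behavior rather than from this page, that the options are stored as the `LogonType` and `AllowMultipleTSSessions` DWORD values under the Winlogon key; the sample output is constructed.

```python
import re

# Assumption (not from the page): on Windows XP the two Control Panel options
# are stored as DWORDs under this key; 0 means the option is turned off.
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SETTINGS = {
    "LogonType": "Welcome Screen",
    "AllowMultipleTSSessions": "Use Fast User Switching",
}

# One value line of `reg query` output: <name> <REG_type> <data>
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")


def parse_reg_query(text):
    """Return {value name: int or str} parsed from `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # banner, key path and blank lines
        data = m.group("data").strip()
        if m.group("type") == "REG_DWORD" and data:
            data = int(data, 16)  # reg.exe prints DWORDs as 0x...
        values[m.group("name")] = data
    return values


def audit(text):
    """Map each option to 'disabled', 'enabled' or 'unknown' (value absent)."""
    values = parse_reg_query(text)
    result = {}
    for name, label in SETTINGS.items():
        if name not in values:
            result[label] = "unknown"  # not set explicitly; verify in Control Panel
        else:
            result[label] = "disabled" if values[name] == 0 else "enabled"
    return result


# Constructed sample output, as if captured from: reg query "<WINLOGON_KEY>"
SAMPLE = (
    "\n! REG.EXE VERSION 3.0\n\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\n"
    "    LogonType\tREG_DWORD\t0x0\n"
    "    AllowMultipleTSSessions\tREG_DWORD\t0x1\n"
    "    DefaultUserName\tREG_SZ\tkiosk\n"
)

if __name__ == "__main__":
    for option, state in audit(SAMPLE).items():
        print(f"{option}: {state}")
```

Any option reported as "enabled" or "unknown" should be checked and corrected through the Control Panel steps above.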
Additionally, the default Administrator Windows XP account should not be used to install the Lotus Expeditor Restricted Workbench. It is recommended that you create a secondary administrative user account and use this account to install the Restricted Workbench environment.
For more information, see Installing with the Restricted Workbench Service