We are currently upgrading to DTM 6.5

We are dealing with the issue of how to make sure that our users get GP but if we log in as workstation only we don't.

Previously we created a group on the workstation that had deny read to the group policy directory under system32 and we'd put admin in that group, but our level 2 guys found that putting users in that group was a great way to open up the desktop for the user, thus circumventing GP, so we're trying to avoid that.

I was hoping the "Cache User Configuration" would mean that GP would live under users' individual accounts on the WS and so afterwards when I logged on as workstation only I wouldn't get a GP.
No cigar.
When I log in as workstation only (as a different user) I get the GP. I assume because it's been cached?

Is this the way it's meant to work? Has anyone got a better idea of how to do this?

Thanks in advance,


P.S. Also, the section in the doco that refers to "persistent and volatile" group policy settings: does that only apply to the workstation package?