I have to publish a single application via RDP to anonymous users. The server(s) are Windows 2008 R2 and the user connection is handled using Ericom's WebConnect Solution. Which does not change much – for the Terminal Server it is still an normal RDP connection.

Question

Can a Windows 2008 R2 Terminal Server isolate parallel sessions of the same user at all? Or do I have to put the application in a sort of sandbox?

Setup

To enable a unknown visitor to connect to the application, a generic Domain Guest user account named visitor is used. To allow more than one parallel session per server I disabled the setting Restrict each user to a single session.

I now want that each visitor get's a fresh session. To be specific: The user connects, the configured applications starts, the users works with it, makes changes (saved to the registry), closes the application and the session get's discarded. I set up a group policy so that the user will only get a temporary profile that will not be synced back into the roaming profile via Delete cached copies of roaming profiles and Prevent Roaming Profile changes from propagating to the server.

Issue

The above works fine as long as there is only one visitor connected to a server at a time. The main problem rises if there are more simultaneous users, say visitor #1 and visitor #2. These share the same environment – the user's registry among other things. So the two instances affect each other, which is bad.

A secondary issue is that a recently closed connection can be resumed by another user. This must not be possible. (I'm still looking for a way to prevent this, but it's not the main question here. We will probably forbid reconnection at all.)

Security is no big concern in this scenario. But we want to make sure every user sees the same.

Thanks