1. Disable the Ability to Right Click on the
Desktop (All Windows)This tweak removes the
context menu that would normally appear when the user right clicks on the
desktop or in the Explorer right results pane.
Create a new DWORD value, or modify the existing value called
'NoViewContextMenu' using the settings below. | Settings: |
| User Key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] |
System Key:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
|
| Name:
NoViewContextMenu |
Type: REG_DWORD
(DWORD Value)
|
Value: (0 =
disabled, 1 = enabled)
|
2. Enable Advanced File System and Sharing
Security (Windows XP
Professional)This setting is used to
enable the ability to control advanced NTFS permissions on local and shared
files. Create a new DWORD value, or modify the existing value called 'ForceGuest' using
the settings below. Note: This tweak is only available for Windows XP Professional Edition,
due to restrictions users of the XP Home Edition are not able to access NFTS
permissions through the GUI.
| Settings: |
| System Key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] |
| Name:
ForceGuest |
| Type: REG_DWORD
(DWORD Value) |
| Value: (1 =
default, 0 = advanced permissions) |
3. Restrict the Screen Saver (Windows
2000/XP)This restriction can be
used to specify the screen saver or to stop screen savers from running. Also,
the Screen Saver settings page is disabled, so users cannot change the screen
saver options. Create a new DWORD value called "ScreenSaveActive" and set it to "0" to
disable all screen savers.
Alternatively create a new string value called "SCRNSAVE.EXE" and set it to
the executable name of a valid Windows screen saver file, including the .scr
extension. This will only be used if "ScreenSaveActive" is set to "1" or deleted
from the registry.
| Settings: |
User Key:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control
Panel\Desktop]
|
Name:
ScreenSaveActive, SCRNSAVE.EXE
|
| Type: REG_DWORD
(DWORD Value) |
Value: (0 =
disable screen savers, 1 = default)
|
4. Screen Saver Password Protection
Policy (Windows
2000/XP)
This restriction
determines whether the screen saver is password protected and prevents users
from changing the password-protection setting.
Create a new DWORD valued called "ScreenSaverIsSecure" and set it to a value
from the table below.
(Not in registry) - Users can turn password-protection on and off.
0 - Screen savers are not password-protected.
1 - All screen savers are password-protected.
| Settings: |
| User Key:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control
Panel\Desktop] |
| Name:
ScreenSaverIsSecure |
| Type: REG_DWORD
(DWORD Value) |
5. Specify the Background Image and Wallpaper
Style (Windows
2000/Me/XP)
These settings allow
you to specify the background wallpaper and display style. When this setting is
defined users can not choose an alternative background image.
To specify the wallpaper create a new string value called "Wallpaper" and set
it to the full path and filename of the image.
Additionally, to specify the display style, create a new string value called
"WallpaperStyle" and set it to either "0", "1" or "2" according to the list
below.
- 0 - Centered (Default)
- 1 - Tiled
- 2 - Stretched
| Settings: |
| User Key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] |
| Name: Wallpaper,
WallpaperStyle |
| Type: REG_SZ
(String Value) |
6. Enforce Shell Extension Security
(All
Windows)This restriction can be
used to limit the system to only run files that have an approved shell
extension. Create or modify the DWORD value called "EnforceShellExtensionSecurity" and
set it to "1" to enable the restriction or "0" to disable it.
The approved shell extenstions are defined under the
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell
Extensions\Approved] key.
| Settings: |
| User Key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] |
| System Key:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] |
Name:
EnforceShellExtensionSecurity
|
| Type: REG_DWORD
(DWORD Value) |
Value: (0 =
default, 1 = enable security)
|
7. Secure Desktop Restriction (Windows
2000/XP)This restriction is
used to stop interactive users from snooping on other user sessions by
exploiting a Windows vulnerability. This feature is enabled by default but may
interfere with some software applications. Create a new DWORD value, or modify the existing value called 'SecureDesktop'
using the settings below.
Note: This fix was first included in Windows 2000 Service Pack 1.
| Settings: |
| System Key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] |
| Name:
SecureDesktop |
| Type: REG_DWORD
(DWORD Value) |
Value: (0 =
insecure, 1 = secure)
|
8. Remove the Distributed File System
Tab (Windows
2000/XP)
This restriction
removes the Distributed File System (DFS) tab from Windows explorer. This
prevents users from viewing or changing the properties of local DFS
shares.
Create a new DWORD value, or modify the existing value called 'NoDFSTab' using
the settings below.
| Settings: |
| User Key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] |
| Name:
NoDFSTab |
| Type: REG_DWORD
(DWORD Value) |
Value: (0 =
default, 1 = enable restriction)
|
9. Remove the Security Tab (Windows XP)
This restriction
removes the Security tab from Windows explorer which prevents users from
accessing or changing the security permissions of folder and file
objects. Create a new DWORD value, or modify the existing value called 'NoSecurityTab'
using the settings below. | Settings: |
User Key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
|
| Name:
NoSecurityTab |
| Type: REG_DWORD
(DWORD Value) |
Value: (0 =
default, 1 = enable restriction)
|
10. Remove the Hardware Tab (Windows
2000/XP)This restriction
removes the hardware tab from applicable items in the Control Panel and from the
local drive properties. This prevents users from changing the hardware device
properties. Create a new DWORD value, or modify the existing value called 'NoHardwareTab'
using the settings below. | Settings: |
User Key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
|
| Name:
NoHardwareTab |
Type: REG_DWORD
(DWORD Value)
|
| Value: (0 =
default, 1 = enable restriction) |
11. Disable the New Menu Item (All Windows)This tweak can be used
to disable the ability to use the New menu item to create new objects using
explorer.
Rename the key by placing a dash "-" in front of the GUID (i.e.
{-D969A300-E7FF-11d0-A93B-00A0C90F2719}).| Settings: |
System Key:
[HKEY_CLASSES_ROOT\CLSID\{D969A300-E7FF-11d0-A93B-00A0C90F2719}]
|
12. Disable the Ability to Customize
Toolbars (All Windows)By right clicking on a
toolbar you are usually given the option to Customize, which allows you to
change which functions are available from the toolbar. This tweak allows you to
disable that function. Create a new DWORD value named "NoToolbarCustomize" and set the value to "1" to
disable the ability to customize the toolbars. | Settings: |
| User Key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] |
System Key:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
|
Name:
NoToolbarCustomize
|
| Type: REG_DWORD
(DWORD Value) |
Value: (1 =
enable restriction)
|
13. Remove the Option to Change or Hide
Toolbars (All Windows)By default users are
able to select which toolbars are displayed either be right clicking the toolbar
itself, or by changing the options from the View menu. This tweak locks the
toolbars, removing the ability to change which are displayed. Create a new value named "NoBandCustomize" and set it to equal "1" to enable the
restriction.| Settings: |
User Key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
|
| System Key:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] |
| Name:
NoBandCustomize |
| Type: REG_DWORD
(DWORD Value) |
Value: (1 =
enable restriction)
|
