Policy Restriction
Start Menu and Taskbar Restrictions
1. Disable Registry Editing Tools (All Windows)
This restriction disables the ability to interactively run the standard Microsoft registry editing tools such as REGEDIT and REGEDT32.
Create a new DWORD value named 'DisableRegistryTools' and set the value to '1' to disable registry editing functions. This can also be enabled on a user-by-user basis by putting the same value in the [HKEY_CURRENT_USER] tree.
Settings:
User Key: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
Name: DisableRegistryTools
Type: REG_DWORD (DWORD Value)
Value: (0 = allow regedit, 1 = disable regedit)
2. Disable the Windows Hotkeys (All Windows)
This restriction allows you to disable the use of the Windows hotkey combinations that provide shortcuts to the Start Menu and task swapping.
Create a new DWORD value, or modify the existing value, called 'NoWinKeys' and set the value to '1' to enable the restriction.
Settings:
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: NoWinKeys
Type: REG_DWORD (DWORD Value)
Value: (0 = disable restriction, 1 = enable restriction)
3. Restrict Access to the Windows Update Feature (All Windows)
The Windows Update feature allows users to easily update Windows components and software over the Internet. These settings can be used to grant or restrict access to this function.
Create a new DWORD (or Binary for Windows 98) value named "NoWindowsUpdate" and set the new value to equal "1".
Settings:
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: NoWindowsUpdate
Type: REG_DWORD (DWORD Value)
Value: (0 = default, 1 = disabled)
4. Manage System Policy Updates (Windows NT/2000/XP)
Windows normally makes a connection to the NETLOGON share of the validating domain controller and checks for the existence of the policy file. These settings control how system policies are applied to a Windows machine when on a network.
Name | Type | Value
UpdateMode | REG_DWORD | Disabled=0, Automatic=1 or Manual=2
NetworkPath | REG_SZ | UNC path for manual updates
Verbose | REG_DWORD | Off = 0 or On = 1
LoadBalance | REG_DWORD | Off = 0 or On = 1
Settings:
System Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Update]
Name: UpdateMode, NetworkPath, Verbose, LoadBalance
5. Restrict Applications Users Can Run (All Windows)
Windows gives the ability to restrict the applications that can be run by users on a workstation.
Create a new DWORD value named "RestrictRun" and set the value to "1" to enable application restrictions or "0" to allow all applications to run.
Then create a new sub-key called [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun] and define the applications that are allowed. Create a new string value for each application, named as consecutive numbers, and set the value to the filename to be allowed (e.g. "notepad.exe").
Settings:
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: RestrictRun
Value: (0 = default, 1 = disabled)
6. Change Alternate Installation Credential Settings (Windows 2000/XP)
These settings control whether users are prompted to enter alternate logon credentials when installing software as a non-administrative user.
Open your registry and find the key below.
Create new DWORD values according to the options below.
NoRunasInstallPrompt
"1" - Disable alternate credentials option
"0" (Default) - Request alternate credentials
PromptRunasInstallNetPath
"1" - Request alternate credentials when installing from a network share.
"0" (Default) - Disable alternate credentials option
Settings:
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: NoRunasInstallPrompt, PromptRunasInstallNetPath
Type: REG_DWORD (DWORD Value)
Value: (0 = default, 1 = enable)
7. Restrict Changes to User Folder Locations (Windows 2000/Me/XP)
These restrictions disable the ability for users to change the location of user-specific folders such as My Documents, My Pictures, My Music and Favorites.
For each folder create a new DWORD value from the list below and set it to equal "1" to restrict changes or "0" to allow them.
- DisablePersonalDirChange - Restrict changes to My Documents
- DisableMyPicturesDirChange - Restrict changes to My Pictures
- DisableMyMusicDirChange - Restrict changes to My Music
- DisableFavoritesDirChange - Restrict changes to Favorites
Settings:
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: DisablePersonalDirChange, DisableMyPicturesDirChange, DisableMyMusicDirChange, DisableFavoritesDirChange
Type: REG_DWORD (DWORD Value)
Value: (0 = allow changes, 1 = restrict changes)
8. Disable User Profiles (Windows 95/98/Me)
This setting can be used to disable the use of user profiles.
Create a new DWORD value, or modify the existing value, named "UserProfiles" and set it to equal "0" to disable user profiles.
Settings:
System Key: [HKEY_LOCAL_MACHINE\Network\Logon]
Name: UserProfiles
Type: REG_DWORD (DWORD Value)
Value: (0 = disabled, 1 = enabled)
9. Implement a User Based Custom Shell (Windows 2000/XP)
Windows allows you to selectively specify the system shell based on the logged-in user. For example, this allows one user to use the standard explorer interface and another to use the legacy progman shell.
Create a new String value, or modify the existing value, called 'Shell' using the settings below.
Settings:
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
Name: Shell
Type: REG_SZ (String Value)
Value: Filename of Replacement Shell
10. Disable Run Commands Specified in the Registry (Windows 98/Me/2000/XP/Vista/Windows 7)
This restriction is used to disable the ability to run startup programs specified in the registry when Windows launches.
Create a new DWORD value for each of the optional values below, depending on which Run function to stop, and set the value to "1" to disable.
Settings:
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: DisableLocalMachineRun, DisableLocalMachineRunOnce, DisableCurrentUserRun, DisableCurrentUserRunOnce
Type: REG_DWORD (DWORD Value)
Value: (0 = enable run, 1 = disable run)
11. Restrict Users from Running Specific Applications (Windows 2000/Me/XP/Vista/Windows 7)
This setting allows you to specify applications and filenames that users are restricted from running.
Open your registry and find the key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer].
Create a new DWORD value named "DisallowRun" and set the value to "1" to enable application restrictions or "0" to allow all applications to run.
Then create a new sub-key called [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun] and define the applications that are to be restricted. Create a new string value for each application, named as consecutive numbers, and set the value to the filename to be restricted (e.g. "regedit.exe").
Settings:
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: DisallowRun
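The RestrictRun procedure in section 5 and the DisallowRun procedure in section 11 follow the same three steps, shown here as an added PowerShell example that is not part of the original page. The function name Set-RunListPolicy and its parameters are hypothetical; the registry paths and value names are the ones listed above, and the list is written before the DWORD is set to 1 so that a half-built list is never in force.

```powershell
# Added example, not from the original page. Set-RunListPolicy and its
# parameter names are hypothetical; keys and value names come from sections 5 and 11.
function Set-RunListPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('RestrictRun', 'DisallowRun')]
        [string]$Mode,
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()]
        [string[]]$Application,
        [ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU'
    )

    # The list holds bare file names (e.g. notepad.exe): reject paths and wildcards.
    $bad = $Application | Where-Object { $_ -match '[\\/:*?"<>|]' }
    if ($bad) { throw "Not a bare file name: $($bad -join ', ')" }

    $explorer = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $listKey  = "$explorer\$Mode"
    $action   = "Write $($Application.Count) entries and enable $Mode"
    if (-not $PSCmdlet.ShouldProcess($listKey, $action)) { return }

    # New-Item -Force on an existing registry key recreates it and drops its
    # values, so the Explorer key is created only when it is missing.
    if (-not (Test-Path $explorer)) { New-Item -Path $explorer -Force | Out-Null }

    # Rebuild the list sub-key so stale numbered entries do not survive.
    if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse -Force }
    New-Item -Path $listKey | Out-Null

    # One string value per application, named with consecutive numbers 1, 2, 3 ...
    $n = 0
    foreach ($exe in $Application) {
        $n++
        New-ItemProperty -Path $listKey -Name "$n" -PropertyType String -Value $exe | Out-Null
    }

    # Enable the policy last, once the list is complete.
    New-ItemProperty -Path $explorer -Name $Mode -PropertyType DWord -Value 1 -Force | Out-Null

    # Read the list back so the caller can review what was written.
    $props = Get-ItemProperty -Path $listKey
    1..$n | ForEach-Object {
        [pscustomobject]@{ Policy = $Mode; Name = "$_"; FileName = $props."$_" }
    }
}

# Constructed sample call: the section 11 example, previewed without writing anything.
Set-RunListPolicy -Mode DisallowRun -Application 'regedit.exe' -WhatIf
```

Remove -WhatIf to apply the change; writing under HKEY_LOCAL_MACHINE requires an elevated session.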