Gethistuff!!!: SYSTEM RESTRICTIONS

You can control the way your Windows 9x/NT4/2000/ME/XP/2003/Vista/2008/7 system and MS Internet Explorer [unfortunately integrated into the OS :(] restricts/allows access to certain areas or features (especially useful on multiuser machines) without having to mess with PolEdit (Policy Editor = %windir%\Poledit.exe), the default Windows 9x/ME administrative control tool, which needs to be installed separately from your Win9x Setup CD.

And the bad news is Microsoft removed PolEdit from Windows ME anyway. ;)

See "The Registry" [Intro chapter], also in REGISTRY.TXT [part of W95-11D.EXE], for more info.

Windows 2000/XP/2003 users have a greater variety of administrative tools at their disposal, designed for tweaking mostly system + security policies, all part of the free Microsoft Resource Kit (RK) Tools.

FYI: Some of these security issues are detailed @ Microsoft:

Windows 2000/XP/2003: Group Policy Registry Table.
Internet Explorer: Limit User Access to Local Computer or Hard Disks.
Windows XP: Policy Settings for Start Menu.

All you have to do is modify the Registry Values listed below, either manually using the Registry Editor (%windir%\Regedit.exe), or save them as text .REG files (in Notepad) for future use, eventually on more than one computer. I named mine RESTRICT.REG (example).

Without further ado, start Regedit and go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies

Look in the left hand pane for these subkeys: Explorer, Network, Ratings, System, ActiveDesktop + WinOldApp. If they are not present, create them: right-click → New → Key → Name it to one of the values listed above.

Now you need to create (or modify if already there) the following DWORD [REG_DWORD] values listed further below under the subkeys above. To create a new DWORD value: right-click → New → DWORD → name it to one of the values listed further below.

To modify one of these DWORD values: right-click on the one you want → select Modify → check the Decimal box → give it a value of 1 (to disable access to a certain system feature/area), or a value of 0 (to enable access to a certain system feature/area).

These are the valid DWORD values (if not specified otherwise) you can change under the following subkeys:

Explorer subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

ClearRecentDocsOnExit = enable/disable Clear of Recent Documents upon exit
DisableRegistryTools = enable/disable Registry Editing tools
WARNING: IF you disable the Registry Editor interface (GUI) mode, you will NOT be able to modify ANY Registry settings anymore, and the ONLY way to (re)enable/disable system restrictions is to run/merge/register/install a .REG/.INF/.VBS/.HTA file from the DOS console/box command line or by running a BATch file (.BAT in Win95/98/ME or .CMD in WinNT4/2000/XP/2003/Vista/2008/7)!
ForceClassicControlPanel = enable/disable Classic Control Panel (WinXP/2003 ONLY)
ForceStartMenuLogOff = enable/disable forced Start Menu Logoff item
NoAddPrinter = enable/disable addition of new printers
NoCDBurning = enable/disable built-in CD burning feature (WinXP ONLY)
NoClose = enable/disable computer Shutdown
NoDeletePrinter = enable/disable existent printers deletion
NoDesktop = enable/disable ALL Desktop items and Desktop right-click menu
NoDesktopCleanupWizard = enable/disable Cleanup Wizard (WinXP/2003 ONLY)
NoDevMgrUpdate = enable/disable Windows 98/ME Web Update Manager
NoDrives [hex] = enable/disable ANY Drives in My Computer/Explorer/IE
CAUTION: See "HIDE YOUR DRIVES!" for details!
NoFileAssociate = enable/disable default File Associations (WinXP/2003 ONLY)
NoFind = enable/disable Find command
NoInternetIcon = enable/disable Internet Icon on Desktop
NoLogoff = enable/disable computer Logoff (Win95/98 ONLY)
NoLowDiskSpaceChecks = enable/disable low disk space warnings (Win2000/XP ONLY)
NoNetHood = enable/disable Network Neighborhood
NoRecentDocsHistory = enable/disable Recent Documents in Start Menu (Win98/ME + IE4/IE5/IE6 ONLY)
NoRun = enable/disable Run command
NoSaveSettings = enable/disable Save Settings upon exit
NoSetFolders = enable/disable Folders in Start Menu → Settings
NoSetTaskbar = enable/disable Taskbar in Start Menu → Settings
NoSMMyDocs = enable/disable My Documents folder in Start Menu (Win98/ME ONLY)
NoSMMyPictures = enable/disable My Pictures folder in Start Menu (Win98/ME ONLY)

"NoSMMyDocs" + "NoSMMyPictures" courtesy of David.
NoStrCmpLogical = enable/disable listing/ordering of files/folders names alphabetically (WinXP/2003/Vista/2008 ONLY)

More info.
NoThemesTab = enable/disable Themes Display tab (WinME/2000/XP ONLY)
NoWindowsUpdate = enable/disable Windows 98/2000/ME/XP Web Update
StartMenuLogoff = enable/disable Start Menu Logoff item (WinME/2000/XP ONLY)

System subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

DisableStatusMessages = enable/disable system Status Messages at logon/logoff (Win2000/XP/2003 ONLY)
DisableTaskMgr = enable/disable Task Manager (Win2000/XP/2003 ONLY)
DontDisplayLastUserName = enable/disable Last User Name display at logon (Win2000/XP/2003 ONLY)
EnableLUA = enable/disable User Account Control (UAC) (WinVista/2008/7 ONLY)

More info:

LegalNoticeCaption = enable/disable Legal Notice Caption display before logon (Win2000/XP/2003 ONLY)
LegalNoticeText = enable/disable Legal Notice Text display before logon (Win2000/XP/2003 ONLY)
NoAdminPage = enable/disable Remote Administration tab
NoConfigPage = enable/disable Hardware Profiles tab
NoControlPanel [hex] = enable/disable Control Panel
NoDevMgrPage = enable/disable Device Manager tab
NoDispAppearancePage = enable/disable Appearance Display tab
NoDispBackgroundPage = enable/disable Background Display tab
NoDispCPL = enable/disable Display Properties applet
NoDispScrSavPage = enable/disable Screen Saver Display tab
NoDispSettingsPage = enable/disable Settings Display tab
NoFileSysPage = enable/disable File System button
NoInternetOpenWith = enable/disable online File Association Web Service (WinXP/2003 ONLY)
NoPwdPage = enable/disable Password Change tab
NoProfilePage = enable/disable User Profiles tab
NoSecCPL = enable/disable Password applet
NoVirtMemPage = enable/disable Virtual Memory button
ShutDownWithoutLogon = enable/disable Shutdown button at logon/logoff (Win2000/XP/2003 ONLY)
UndockWithoutLogon = enable/disable Undock Workstation button at logon/logoff (Win2000/XP/2003 ONLY)
VerboseStatus = enable/disable detailed system Status Messages at logon/logoff (Win2000/XP/2003 ONLY)

Network subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network

DisablePwdCaching = enable/disable Password Caching
HideSharePwds [hex] = enable/disable Shared Passwords
NoEntireNetwork = enable/disable Entire Network
NoNetSetup = enable/disable Network applet
NoNetSetupIDPage = enable/disable Network Identification tab
NoNetSetupSecurityPage = enable/disable Network Access tab
NoFileSharing = enable/disable Network File Sharing button
MinPwdLen = set Minimum Password Length (integer number: 0 - 99)
NoPrintSharing = enable/disable Network Print Sharing button
NoWorkgroupContents = enable/disable Network Workgroup

ActiveDesktop subkey (Win98/ME/2000/XP/2003 + IE4/IE5/IE6 ONLY):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

NoAddingComponents = enable/disable adding components to Active Desktop
NoChangingWallpaper = enable/disable changing of Active Desktop wallpaper
NoCloseDragDropBands = enable/disable closing of shell toolbars
NoClosingComponents = enable/disable closing of Active Desktop components
NoComponents = enable/disable ALL Desktop components
NoDeletingComponents = enable/disable deleting of Active Desktop components
NoEditingComponents = enable/disable editing of Active Desktop components
NoHTMLWallPaper = enable/disable Desktop HTML wallpaper display
NoMovingBands = enable/disable moving of shell toolbars

WinOldApp subkey (Win95/98/ME ONLY):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp

Disabled = enable/disable MS-DOS Prompt
NoRealMode = enable/disable Real MS-DOS Mode reboot option (Win95/98 ONLY)

Similar settings for Explorer, Network, System and ActiveDesktop can be also found under these Registry keys:

HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies

and:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

If there is only one user, the ".Default" key above contains all global system settings. If more than one user, each user has its own subkey here, named after the User Name(s) found in Control Panel → Users, and the Registry settings located under a user's subkey are valid only for that specific user.

If you (double-)click on any of these keys, you'll see 3 subkeys in the left hand pane: Explorer, Network and System.

Create (or modify if already present) the following Binary (hex) [REG_BINARY] values listed below under the subkeys above. To create a new Binary value: right-click → New → Binary → Name it to one of the values listed below.

To modify one of these Binary [hex] values: (double-)click on the one you want → give it a value of 01 00 00 00 (to disable access to a certain system feature/area), or a value of 00 00 00 00 (to enable access to a certain system feature/area). Don't type the spaces, they will be inserted automatically.

Explorer subkey valid DWORD values (if not specified otherwise) that can be changed (some are valid ONLY for Win98/ME and/or MS IE 4/5/6):

CDRAutoRun [hex] = enable/disable CD-R(W)/DVD-R(W) drive(s) AutoRun command
NOTE: This setting needs specific CD-R(W)/DVD-R(W) software installed, like Roxio (Adaptec) Easy CD Creator.
ChannelNotify = enable/disable Channel Notification (Win98/ME + IE4/IE5/IE6 ONLY)
ClassicShell [hex] = enable/disable Active Desktop shell interface (Win98/ME + IE4/IE5/IE6 ONLY)
FYI:

MSKB: Quick Launch Toolbar Icons Are Missing or Unavailable.
John Woram: Who Hid the IE5 Toolbars?

ClearRecentDocsOnExit = clear/don't clear Recent Docs upon exit
EditLevel = set security editing level. Integer number: 0, 1, 2, 3 or 4: 0 = lowest security level (full editing allowed)... 4 = highest security level (no editing allowed)
CAUTION: You may lock yourself out of your own computer if EditLevel = 4 !
EnforceShellExtensionSecurity = self explanatory :)
ForceCopyACLWithFile = enable/disable file copy with NTFS permissions (WinNT4/2000/XP + IE4/IE5/IE6 ONLY)
IgnoreLinkInfo = enable/disable Link info display
LinkResolve = enable/disable Link display
MyDocsOnNet = enable/disable My Documents on Internet
NoActiveDesktop = enable/disable Active Desktop
NoActiveDesktopChanges = enable/disable Active Desktop changes
NoAddPrinter = enable/disable addition of new printers
NoChangeStartMenu = enable/disable Start Menu changes
NoCommonGroups = enable/disable Start Menu Common Program Groups (WinNT4/2000/XP + IE4/IE5/IE6 ONLY)
NoClose = enable/disable closing IE GUI
NoCustomizeWebView = enable/disable Web View customization
NoDeletePrinter = enable/disable existent printers deletion
NoDeskTop = enable/disable ALL Desktop items and Desktop right-click menu
NoDevMgrUpdate = enable/disable Windows Web Update Manager (Win98/ME/2000/XP ONLY)
NoDrives [hex] = enable/disable ALL Drives in My Computer/Explorer/IE
CAUTION: See "HIDE YOUR DRIVES!" for details!
NoDriveTypeAutoRun [hex] = enable/disable selected Drives or Drive types AutoRun/AutoPlay
NOTE: See "HIDE YOUR DRIVES!" for details.
NoEditMenu = enable/disable Start Menu editing
NoFavoritesMenu = enable/disable Favorites folder display
NoFileMenu = enable/disable Explorer/IE File Menu
NoFileUrl = enable/disable local URL files access
NoFind = enable/disable Find command
NoFolderOptions = show/don't show Folder Options Menu in Explorer
NoForgetSoftwareUpdate = enable/disable Windows Software Updates (Win98/ME/2000/XP/2003 ONLY)
NoHelp = show/don't show Help Menu in Start Menu (Win98/ME/2000 ONLY)
NoInternetIcon = show/don't show Internet icon on Desktop
NoLogOff = show/don't show Logoff Menu in Start Menu (Win95/98 ONLY)
NoMSAppLogo = show/don't show Microsoft Logo (Win98/ME/2000/XP ONLY)
NoNetConnectDisconnect = enable/disable DUN Connect/Disconnect
NoNetHood = enable/disable Network Neighborhood
NoRecentDocsHistory = enable/disable Recent Documents in Start Menu (Win98/ME + IE4/IE5/IE6 ONLY)
NoRecentDocsMenu = show/don't show Recent Documents Menu in Start Menu → Settings
NoResolveSearch = enable/disable Internet Search (Win98/ME + IE4/IE5/IE6 ONLY)
NoResolveTrack = enable/disable Internet Address Tracking (Win98/ME + IE4/IE5/IE6 ONLY)
NoRun = enable/disable Run command
NoSaveSettings [hex] = enable/disable Save Settings upon exit
NoSetActiveDesktop = enable/disable Active Desktop settings
NoSetFolders = enable/disable Folder settings
NoSetTaskbar = enable/disable Taskbar settings
NoSettingsWizards = enable/disable Settings Wizards (Win98/ME + IE4/IE5/IE6 ONLY)
NoSMHelp = show/don't show Help Menu in Start Menu (WinXP/2003 ONLY)
NoStartBanner [hex] = enable/disable Logo banner upon IE start
NoStartMenuSubFolders = show/don't show subfolders on Start Menu
NoTrayContextMenu = show/don't show Context Menu for Tray items
NoViewContextMenu = show/don't show Context Menu
NoWebMenu = show/don't show Web Menu (Win98/IE 4.0x and newer ONLY)
NoWindowsUpdate = enable/disable Windows Web Update (Win98/ME/2000/XP ONLY)
NoWinKeys = enable/disable Windows (Win + Menu) logo keys on 104+ keyboards

See "WINKEY SHORTCUTS" for details.
RestrictRun = enable/disable Run Menu

Most of the "CURRENT_USER" settings, especially the ones that affect the entire system, change automatically when you modify the similar values under the "LOCAL_MACHINE" Registry key (see above). Most of these values affect ONLY Internet Explorer versions 3, 4, 5 and 6, and CAN be changed separately in the "CURRENT_USER" key, without influencing the overall system operation.

ANY changes to these settings under ANY of these Registry keys require a Windows restart to take effect.

The MS Internet Explorer 4.0x/5.xx/6.xx restrictions are found under these Registry keys:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions

and:

HKEY_USERS\.Default\Software\Policies\Microsoft\Internet Explorer\Restrictions

if there is only one user. If more than one user, the ".Default" key above is replaced with each "UserName" key. All Values are in DWORD format. Type in the Decimal box for the desired Value: 1 to disable or 0 to enable the respective function/key combo:

NoBrowserContextMenu = enable/disable HTML context menu
NoBrowserClose = enable/disable Close/Exit in File Menu and Alt+F4
NoBrowserSaveAs = enable/disable Save and Save As in File menu
NoBrowserOptions = enable/disable Internet Options/Properties in View menu
NoFavorites = enable/disable Favorites in File Menu and Alt+A
NoFileOpen = enable/disable Open in File menu, Ctrl+O and Ctrl+L
NoFileNew = enable/disable New in File Menu and Ctrl+N
NoFileUrl = enable/disable local URL files access
NoFindFiles = enable/disable Find Menu and F3
NoSelectDownloadDir = enable/disable Save As dialog box upon file download
NoTheaterMode = enable/disable Full Screen (kiosk mode) and F11

The Internet Properties restrictions for MS Internet Explorer 4.0x/5.xx/6.xx (also found as a Control Panel applet) are located under this Registry key:

HKEY_USERS\.Default\Software\Policies\Microsoft\Internet Explorer\Control Panel

Changing ANY of these settings does NOT require restarting Windows:

Accessibility = enable/disable Accessibility settings
Advanced = enable/disable Advanced settings
AdvancedTab = enable/disable Advanced tab
Autoconfig = enable/disable Autoconfig settings
Cache = enable/disable Cache settings
CalendarContact = enable/disable Contact settings
Check_If_Default = enable/disable Check if IE default browser setting
Connection Settings = pretty obvious :)
Certificates = enable/disable Certificates settings
CertifPers = enable/disable Personal Certificates settings
CertifSite = enable/disable Certificates Publishers settings
Colors = enable/disable Colors settings
Connection Wizard = self explanatory :)
ConnectionsTab = enable/disable Connections tab
Connwiz Admin Lock = enable/disable Connection Wizard administrative lockout
ContentTab = enable/disable Content tab
Fonts = enable/disable Fonts settings
FormSuggest = enable/disable Forms suggest setting
FormSuggest Passwords = enable/disable Passwords suggest setting
GeneralTab = enable/disable General tab
History = enable/disable History settings
HomePage = enable/disable Home Page settings
Languages = enable/disable Languages settings
Links = enable/disable Links settings
Messaging = enable/disable MS Messaging settings
Profiles = enable/disable Profiles settings
ProgramsTab = enable/disable Programs tab
Proxy = enable/disable Proxy settings
Ratings = enable/disable Ratings settings
ResetWebSettings = enable/disable Reset Web settings
SecAddSites = enable/disable Security Add sites settings
SecChangeSettings = enable/disable Security changes
SecurityTab = enable/disable Security tab
Settings = enable/disable Settings boxes
Wallet = enable/disable MS Wallet settings (MS IE 5.xx and newer ONLY)

The policy restrictions for MS Net Meeting/Conferencing reside under this Registry key:

HKEY_USERS\.Default\Software\Policies\Microsoft\Conferencing

if there is only one user. If more than one user, the ".Default" key above is replaced with each "UserName" key. All Values are in DWORD format. Type in the Decimal box for the desired Value:1 to disable or 0 to enable the respective restriction.

Changing ANY of these settings does NOT require restarting Windows:

CallSecurity = enable/disable call security
IntranetWebDirURL = enable/disable intranet web directory
MaximumBandwidth = enable/disable max bandwidth
NoAddingDirectoryServers = enable/disable adding directory servers
NoAdvancedCalling = enable/disable advanced calling
NoAllowControl = enable/disable control
NoAppSharing = enable/disable app sharing
NoAudio = enable/disable audio
NoAudioPage = enable/disable audio control
NoChangeDirectSound = enable/disable changing DirectSound
NoChat = obvious :)
NoDirectoryServices = enable/disable directory services
NoFullDuplex = enable/disable full duplex
NoGeneralPage = enable/disable general control
NoNewWhiteBoard = enable/disable new white board
NoOldWhiteBoard = enable/disable old white board
NoReceivingVideo = enable/disable receive video
NoSecurityPage = enable/disable security control
NoSendingFiles = enable/disable send files
NoSendingVideo = enable/disable send video
NoSharing = enable/disable sharing
NoSharingDesktop = enable/disable sharing Desktop
NoSharingDosWindows = enable/disable sharing DOS + Windows
NoSharingExplorer = enable/disable sharing Explorer
NoTrueColorSharing = enable/disable sharing true color video
NoVideoPage = enable/disable video control
NoWebDirectory = enable/disable web directory
Use AutoConfig = enable/disable auto config

MS IE 4.0x/5.xx/6.xx Web Check tool (%windir%\System\Loadwc.exe launched by %windir%\System\Webcheck.dll) Registry Values are stored under:

HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Webcheck

if only one user. If more than one user, the ".Default" key is replaced by each "UserName" key. Both Values are DWORDs. Decimal box values: 1(disables) and 0 (enables) each function.

Changes to these settings take effect without restarting Windows:

NoChannelLogging = enable/disable channels logging
NoScheduledUpdates = enable/disable scheduled updates

Gethistuff!!!

Saturday, 11 August 2012

SYSTEM RESTRICTIONS

No comments:

Post a Comment