Registry Keys
This is an annotated guide to registry keys that are useful for restricting users to specific settings. Only some of these can be set using the standard MS poledit templates. The value 1 turns on the restriction, and 0 turns it off. Settings marked (pol:user/...) are on the standard poledit template; the text following pol:user/ is the path for setting the key using the policy editor. Pol:user indicates that it can be changed for each user, while Pol:computer indicates it is modified systemwide. More details can be found by searching on the web for the name and the word windows.
One of the ways to prevent user access to specific files is to make them hidden, and then prevent users from being able to turn on the ability to view them. The most restrictive setting is to only allow users to run specific programs. By hiding folders users will not normally be able to change anything in those folders. Ultimately high security can only be achieved by using a program such as E-Safe which restricts users from running or accessing specific programs or areas of the hard drives. In addition it is necessary to turn off most context menus so that users can not change an icon so that it will run a forbidden program. This is also useful when you have a standard Start Menu which is shared by several users. You do not want users to be able to change that menu. Certain programs need to be well hidden or removed from the system. These are notepad and poledit. Note that access to any word processing software may allow users to unprotect files and edit them, unless you have a commercial program that prevents access.
While many keys can be modified using the system policy editor, some keys such as the ones which turn off the ability to modify the Start menu must be edited manually, or you can use the template registry editing file that I have provided. This information is from a variety of sources. I have tested most of the non policy editor keys, but they are not guaranteed to all work. The ones I have tested are marked OK. Most of these are available in TEMPLATE.ZIP as a Windows policy template. This policy template also has the ability to hide specific drives and combinations of drives from A to E.
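The lockdown described above depends on several values agreeing with each other: files stay hidden only if users also cannot reopen Folder Options or the registry tools, and a RestrictRun list must not name an editor. The script below is an added example, not part of the original guide or its TEMPLATE.ZIP. It audits a REGEDIT4 export for those conditions and flags value lines that are not well formed. The value names are the ones listed in this guide; the sample export and the executable names notepad.exe and poledit.exe are assumptions made for the example.

```python
import re

# Constructed sample export (not from the original page); one line is malformed on purpose.
SAMPLE_REG = r'''REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dwprd:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="iexplore.exe"
"2"="notepad.exe"
'''
BASE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
# Values the guide relies on to keep hidden files hidden and the registry closed.
BASELINE = {
    (BASE + r"\Explorer\Advanced", "Hidden"): 0,
    (BASE + r"\Policies\Explorer", "NoFolderOptions"): 1,
    (BASE + r"\Policies\System", "DisableRegistryTools"): 1,
}
# Assumed executable names for the programs the guide says to hide or remove.
FORBIDDEN = {"notepad.exe", "poledit.exe"}
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|(hex:[0-9a-fA-F,]+|".*"))$')

def parse_reg(text):
    """Return ({(key, name): value}, [malformed value lines])."""
    values, bad, key = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"'):
            m = VALUE_RE.match(line)
            if not m or key is None:
                bad.append(line)
            else:  # dword becomes an int; strings and hex stay as text
                values[(key, m[1])] = int(m[2], 16) if m[2] else m[3].strip('"')
    return values, bad

def audit(text):
    """List deviations from BASELINE, forbidden RestrictRun entries and bad lines."""
    values, bad = parse_reg(text)
    findings = [f"malformed: {b}" for b in bad]
    for (key, name), want in BASELINE.items():
        if values.get((key, name)) != want:
            findings.append(f"{name}: expected {want}, found {values.get((key, name))}")
    for (key, name), val in values.items():
        if key.endswith(r"\RestrictRun") and str(val).lower() in FORBIDDEN:
            findings.append(f"RestrictRun allows {val}")
    return findings
```

Calling audit(SAMPLE_REG) reports the mistyped value line, the two baseline values that are therefore missing, and the editor on the allow list.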
The following keys are all located in:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"NoClose"=dword:00000001 Prevent user from shutting
down the machine (pol:user/user/System/Shell/Restrictions/Disable
Shut Down).
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000 Hides files that are marked
hidden or system (00000001 makes them visible, 00000002 makes
system only files visible) OK
"HideFileExt"=dword:00000001
Hides file extensions so they can not be changed by users (00000000
makes them visible) OK
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoStartBanner"=hex:01,00,00,00 Hide
the arrow and Click here to Begin on taskbar. This is just a
nuisance item
"ClassicShell"=dword:00000001 Restricts the user to
using the classic desktop only OK
"NoFavoritesMenu"=dword:00000001 Removes the favorites
menu from Start OK
"NoRecentDocsMenu"=dword:00000001 Removes the recent
documents menu from Start OK
"NoFolderOptions"=dword:00000001 Prevents changes in
the View Menu in Explorer. This prevents users from enabling
viewing hidden files. OK
"NoWindowsUpdate"=dword:00000001 Removes the windows
update icon from Start (pol:user/Windows System/Windows Update/Disable
Windows Update)
"NoChangeStartMenu"=dword:00000001 Prevents changes to
the Start Menu OK
"NoViewContextMenu"=dword:00000001 Removes the ability
to right click on the folders in Start OK
"NoTrayContextMenu"=dword:00000001 Prevents changes to
the tray. Prevents right clicking on the tray OK
"NoFileMenu"=dword:00000001 Removes the explorer icon
from the Start Menu
"NoDriveTypeAutorun"=bin:20 00 00 00 Prevents users
from autorunning a program by inserting a disk into a drive
"NoPrinterTabs"=dword:00000001 Prevents users from
changing printer options (pol:user/System/Control Panel/Printers)
"NoDeletePrinter"=dword:00000001 Prevents users from
removing printers (pol:user/System/Control Panel/Printers)
"NoAddPrinter"=dword:00000001 Prevents users from
adding printers (pol:user/System/Control Panel/Printers)
"NoStartMenuSubFolders"=dword:00000001 Hide folders at
the top section of the Start Menu (pol:user/System/Shell/Custom
Folders)
"NoSetActiveDesktop"=dword:00000001 Prevents users from
changing active desktop settings OK
"NoWinKeys"=dword:00000001 Prevents Windows hot keys
from working
"NoRun"=dword:00000001 Removes the Run icon from the
Start Menu (pol:user/System/Shell/Restrictions)
"NoSetFolders"=dword:00000001 Removes Control Panel and
Printers Folders from the settings menu. (pol:user/System/Shell/Restrictions)
"NoSetTaskbar"=dword:00000001 Remove the Taskbar option
from Settings on Start Menu (pol:user/System/Shell/Restrictions)
"NoFind"=dword:00000001 Removes the Find option from
explorer and from the Start Menu (pol:user/System/Shell/Restrictions)
"NoNetHood"=dword:00000001 Remove the network
neighborhood icon from the desktop (pol:user/System/Shell/Restrictions)
"NoDesktop"=dword:00000001 Removes the desktop. Users
see only a blank page (pol:user/System/Shell/Restrictions)
"NoSaveSettings"=dword:00000001 Prevents programs from
making changes to the registry settings when the user logs off (pol:user/System/Shell/Restrictions)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
This is available (pol:user/System/Restriction/Only
run...)
This contains a list of program names that users are allowed to
run. Some samples are shown below:
"1"="iexplore.exe"
"2"="calc.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispCPL"=dword:00000001 Prevent user from changing
display settings (pol:user/System/Control Panel/Display)
"NoDispBackgroundPage"=dword:00000001 Prevent user from
changing background (pol:user/System/Control Panel/Display)
"NoDispScrSavPage"=dword:00000001 Prevent user from
changing screen saver (pol:user/System/Control Panel/Display)
"NoDispAppearancePage"=dword:00000001 Prevent user from
changing screen appearance (pol:user/System/Control Panel/Display)
"NoDispSettingsPage"=dword:00000001 Hides Setting page
on display properties menu (pol:user/System/Control Panel/Display)
"NoSecCPL"=dword:00000001 Prevents access to passwords
icon on the control panel (pol:user/System/Control Panel/Passwords)
"NoPwdPage"=dword:00000001 Prevent users from changing
passwords (pol:user/System/Control Panel/Passwords)
"NoAdminPage"=dword:00000001 Prevent users from
changing remote administration settings (pol:user/System/Control
Panel/Passwords)
"NoProfilePage"=dword:00000001 Prevent access to page
that selects shared or separate profiles (pol:user/System/Control
Panel/Passwords)
"NoDevMgrPage"=dword:00000001 Prevent access to device
manager menu (pol:user/System/Control Panel/System)
"NoConfigPage"=dword:00000001 Hide hardware profiles
from system icon on control panel (pol:user/System/Control Panel/System)
"NoFileSysPage"=dword:00000001 Hides file system button
on system icon on control panel (pol:user/System/Control Panel/System)
"NoVirtMemPage"=dword:00000001 Hides the virtual memory
settings (pol:user/System/Control Panel/System)
"DisableRegistryTools"=dword:00000001 Prevent users
from using Regedit or Regedit32 to change registry. It does NOT
disable poledit (pol:user/ System/Restrictions).
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"DisableFileSharingControl"=dword:00000001 Prevents
users from changing file sharing (pol:user/Network/Sharing)
"DisablePrintSharingControl"=dword:00000001 Prevents
access to printer sharing controls (pol:user/Network/Sharing)
"NoNetSetup"=dword:00000001 Prevents access to network
control panel icon (pol:user/System/Control Panel/Network)
"NoNetSetupIDPage"=dword:00000001 Prevents access to
network ID values (pol:user/System/Control Panel/Network)
"NoNetSetupSecurityPage"=dword:00000001 Removes access
to the access control page (pol:user/System/Control Panel/Network)
"NoEntireNetwork"=dword:00000001 Prevents users from seeing
all workgroups and domains on network. Users can see only their
own group (pol:user/System/Shell/Restrictions)
"NoWorkgroupContents"=dword:00000001 Prevents workgroup
contents from being displayed in network neighborhood (pol:user/System/Shell/Restrictions)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp]
"NoRealMode"=dword:00000001 Prevents users from running
older DOS programs that can bypass windows (pol:user/ System/Restrictions/single-mode).
"Disabled"=dword:00000001 Disable all MS-DOS programs
(pol:user/ System/Restrictions/MS-DOS prompt).
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions]
"NoAddingSubScriptions"=dword:00000001 Prevents users
from adding subscriptions to Internet Explorer
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions] disables for individual users, or
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions] disables for all users
"NoToolBarCustomize"=dword:00000001
Disables right click on tool bar OK
"NoBandCustomize"=dword:00000001 No Toolbar change or
hide OK
"NoFavorites"=dword:00000001 No favorites menu.
Students can not add pages to their favorites OK
"NoFileOpen"=dword:00000001 IE can not be used to open
local files; disables the File/Open command OK
"NoFileNew"=dword:00000001 IE can not create new files;
disables the File/New command and CTRL+N OK
"NoFindFiles"=dword:00000001 Disable find files
command, Disables F3 key OK
"NoFileURL"=dword:00000001 Disable browsing of local
files file:\\...
"NoBrowserSaveAs"=dword:00000001 IE can not save
downloaded files OK
"NoBrowserClose"=dword:00000000 Prevents users from
closing IE by alt+F4 OK
"NoBrowserContextMenu"=dword:00000001 Prevents users
from right clicking on items to change them OK
"NoTheaterMode"=dword:00000000 This one does not need
to be restricted unless you want to prevent full screen usage
"NoViewSource"=dword:00000001 This prevents users from
looking at the HTML source code or editing files OK
"NoSelectDownloadDir"=dword:00000001 Users can not
select a location to download files
"NoBrowserOptions"=dword:00000001 Users can not change
IE options. They can not change security settings. If you
restrict them from viewing certain sites, or being able to
download files, this will prevent users from changing these
settings. OK
"NoNavButtons"=dword:00000001 Disable forward and
backward buttons
"NoPrinting"=dword:00000001 Remove Print from the file
menu
"NoToolbarOptions"=dword:00000001 Prevents users from
changing toolbars in Explorer OK
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"GeneralTab"=dword:00000001 Remove General tab from
internet options OK
"Homepage"=dword:00000001 Remove Homepage option from
General tab OK
"Settings"=dword:00000001 Remove Settings... tab OK
"History"=dword:00000001 Remove Clear History button on
General tab OK
"Accessibility"=dword:00000001 Disable accessibility
options on General tab OK
"Colors"=dword:00000001 Prevent user from changing
colors OK
"Fonts"=dword:00000001 Prevent user from changing fonts
OK
"Languages"=dword:00000001 Prevent user from changing
languages OK
"SecurityTab"=dword:00000001 Remove Security tab from
internet options OK
"SecAddSites"=dword:00000001 prevents users from adding
sites to any zone OK
"SecChangeSettings"=dword:00000001 prevents users from
changing security settings OK
"ContentTab"=dword:00000001 Remove content tab from
internet options OK
"Profiles"=dword:00000001 Locks profiles settings OK
"Certificates"=dword:00000001 Remove Certificates...
button from Content tab OK
"Ratings"=dword:00000001 Locks ratings setting OK
"Wallet"=dword:00000001 Locks MS Wallet settings
"ResetWebSettings"=dword:00000001 disables the reset
web settings button OK
"ConnectionsTab"=dword:00000001 Removes connections tab
OK
"Connwiz Admin Lock"=dword:00000001 Locks out
Connection Wizard OK
"Connection Settings"=dword:00000001 Restrict
connection settings OK
"ProgramsTab"=dword:00000001 Removes programs tab OK
"Messaging"=dword:00000001 Restrict MS messaging
settings
"CalendarContact"=dword:00000001 Prevent users from
changing Calendar/contact on Programs tab
"Check_If_Default"=dword:00000001 Restrict Check if
Default Browser on Programs tab
"AdvancedTab"=dword:00000001 Restrict access to
advanced tab. OK
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Toolbars]
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions]
"NoAddressBar"=dword:00000001 Address bar is disabled
so students can not type in URL or local hard drive address ? OK
"NoToolBar"=dword:00000001 Disable the ToolBar OK
"NoLinkBar"=dword:00000001 Disables the links bar OK