Microsoft KB Archive/198771

= How to Lock Down Windows NT and Internet Explorer 4.01 Desktop =

Article ID: 198771

Article Last Modified on 11/1/2006

-

APPLIES TO


 * Microsoft Internet Explorer 4.01 Service Pack 1
 * Microsoft Windows NT Workstation 4.0 Developer Edition

-



This article was previously published under Q198771



SUMMARY
Windows NT security makes it possible to lock down a desktop so a given user has access to only one or a few specific programs. On a public kiosk computer, it is often important that user access be restricted. This article explains the steps that need to be taken to implement this.
 * 1) Create a text file named Lockout.reg. You can cut and paste the following text:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoDriveTypeAutoRun"=dword:00000095

"NoFind"=dword:00000001

"NoFolderOptions"=dword:00000001

"NoFavoritesMenu"=dword:00000001

"NoRecentDocsMenu"=dword:00000001

"NoSetActiveDesktop"=dword:00000001

"NoDesktop"=dword:00000001

"NoSetFolders"=dword:00000001

"NoSetTaskbar"=dword:00000001

"NoSaveSettings"=dword:00000001

"NoClose"=dword:00000001

"NoNetHood"=dword:00000001

"NoRun"=dword:00000001

"NoDrives"=dword:00000000

"NoTrayContextMenu"=dword:00000001

"NoViewContextMenu"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableLockWorkstation"=dword:00000001

"DisableTaskMgr"=dword:00000001

"DisableChangePassword"=dword:00000001
 * 1) Determine what drives you want the user to be able to access, and then change the value of the "NoDrives" line accordingly. For example:

To give access to only drive C -> "NoDrives"=dword:fbffff03

To give access to drives C and D -> "NoDrives"=dword:f3ffff03

To give access to drives A to F -> "NoDrives"=dword:c0ffff03
 * 1) Determine if you want a compact disc to start automatically when you place it in the CD-ROM drive. If you do not want this to happen, change the "NoDriveTypeAutoRun" to:

"NoDriveTypeAutoRun"=dword:b5000000
 * 1) Determine if you want to enable the user to log off or to shut down the computer. You can disable these by adding one or both of these two lines:

"NoClose"=dword:00000001

"NoLogoff"=dword:00000001
 * 1) Create a new user with User Manager. Set up the menu structure that you want the user to see. This can be done by adding and removing short cuts from the  \Profiles\%USERNAME% and the  \Profiles\All Users folders. For example:

C:\WINNT\Profiles\NewUser and C:\WINNT\Profiles\All Users.
 * 1) Log on as the new user and set up the environment (screen savers, background, and so on).
 * 2) Find the file you created in the steps above and double-click it.
 * 3) Log back on as the user. You will notice that the desktop is empty and the start menu only has the shortcuts that you configured in step 4. As stated in article 182439 "How to Disable Start\Help," it is impossible to remove the help item from the start menu. You can disable this by creating a text file named Windows.hlp and copying it over the existing file in the  \System32 folder.



MORE INFORMATION
Here is a description of the items discussed above:

 Item               Description --- NoDriveTypeAutoRun Prevents CD-ROM drive from running automatically. NoFind             Removes Find command from Start menu. NoFolderOptions    Removes the Folder Options menu item from the Settings menu. NoFavoritesMenu    Removes the Favorites folder from the Start menu. NoRecentDocsMenu   Removes the Documents command from the Start menu. NoSetActiveDesktop Remove the Active Desktop item from the Settings menu. NoDesktop          Hide all items on desktop. NoSetFolders       Remove folders from Settings/Start menu. NoSetTaskbar       Remove Taskbar from Settings/Start menu. NoSaveSettings     Does not save settings at exit. NoClose            Disables Shut Down command. NoNetHood          Hides Network Neighborhood. NoRun              Removes Run command from Start menu NoDrives           Hides drives in My Computer. NoTrayContextMenu  Removes context menus for tray including the Start button, tab control, and clock. NoViewContextMenu  Removes the context menu when you right-click the desktop, or when you right-click Explorer in the results pane. NOTE: NoRecentDocsMenu and NoRecentDocsHistory requires Active Desktop to be installed; otherwise they do not work.

For additional information about determining the NoDrives availibility mentioned above, please see the following article in the Microsoft Knowledge Base:

158457 Defining Local and Remote Drive Visibility Under WinNT 4.0

Keywords: kbinfo KB198771

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.