JSI Tip 0215 - More on Locking down that desktop.

In Tip 050, Locking down that desktop, I first detailed Explorer restrictions that could be implemented via registry changes. Here are a few more that I have found at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. All are type REG_DWORD with a default value of 0.

EnforceShellExtensionSecurity - A value of 1 causes Windows NT to only load the shell extensions listed in the Approved subkey (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved).

NoDriveAutoRun - A bitmapped value (see NoDrives from Tip 050) that determines whether the autorun feature is disabled on each drive. If a drive's bit is set to 1, autorun (see Tip 007) is disabled on that drive.

NoSaveSettings - A value of 1 prevents changes to the positions of icons and open windows, and the size and position of the taskbar, from being saved. Also set NoSetTaskbar.

NoStartBanner - A value of 1 hides the arrow and "Click here to begin" caption that appear on the taskbar when you start Windows NT.

NoStartMenuSubFolders - Hides the folders at the top section of the Start menu when the value is set to 1. Items appear, but folders are hidden.

A few more restrictions are located at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network:

NoWorkgroupContents - If the value of this entry is 1, Network Neighborhood does not display computers in the local workgroup or domain.

NoEntireNetwork - A value of 1 restricts Network Neighborhood from displaying or accessing computers outside the local workgroup or domain. The user can still use the Start/Run, Map/Connect Network Drive, and the Command Prompt.
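To check which of these restrictions are in effect for the current user, the following added example (not part of the original tip) reads every value named above from both Policies subkeys and decodes NoDriveAutoRun into drive letters. The function names are hypothetical, and the bit layout is an assumption not stated on this page: the NoDrives-style mapping where bit 0 is A: and bit 25 is Z:.

```powershell
# Added example; function names are hypothetical.
# Assumption: NoDrives-style layout, bit 0 = A: ... bit 25 = Z:.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$policies = [ordered]@{
    Explorer = 'EnforceShellExtensionSecurity', 'NoDriveAutoRun', 'NoSaveSettings',
               'NoStartBanner', 'NoStartMenuSubFolders'
    Network  = 'NoWorkgroupContents', 'NoEntireNetwork'
}

# Build the bitmapped DWORD from a list of drive letters.
function ConvertTo-DriveMask {
    param([string[]]$Letters)
    $mask = 0
    foreach ($letter in $Letters) {
        $bit = [int][char]::ToUpperInvariant($letter[0]) - 65   # 'A' is 65
        if ($bit -lt 0 -or $bit -gt 25) { throw "Not a drive letter: $letter" }
        $mask = $mask -bor (1 -shl $bit)
    }
    $mask
}

# List the drive letters whose bit is set in a mask.
function ConvertFrom-DriveMask {
    param([long]$Mask)
    0..25 | Where-Object { $Mask -band (1 -shl $_) } | ForEach-Object { [char](65 + $_) }
}

# Report each restriction from the tip with its current value.
function Get-DesktopLockdown {
    foreach ($sub in $policies.Keys) {
        $props = Get-ItemProperty -Path (Join-Path $base $sub) -ErrorAction SilentlyContinue
        foreach ($name in $policies[$sub]) {
            # An absent key or value is reported as the default of 0.
            $value = if ($props -and $null -ne $props.$name) { $props.$name } else { 0 }
            $detail = if ($name -eq 'NoDriveAutoRun') {
                'autorun disabled on: ' + ((ConvertFrom-DriveMask $value) -join ' ')
            } elseif ($value -eq 1) { 'restriction on' } else { 'restriction off' }
            [pscustomobject]@{ Key = $sub; Name = $name; Value = $value; Detail = $detail }
        }
    }
}

Get-DesktopLockdown | Format-Table -AutoSize
'Mask for D: and E: = 0x{0:X8}' -f (ConvertTo-DriveMask 'D', 'E')
```

The script only reads the registry; the mask printed on the last line is the kind of value that would be stored in NoDriveAutoRun.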
