Locking down a computer

Locking down a computer in Windows XP Professional
Do the following from within the Administrator profile
1) Install XP, add one user, Public User (PU), to Workgroup Registrar-Lab
2) Set a BIOS password so that users can't modify the BIOS settings (often called the "settings" password).
3) Copy ieopen.exe into C:\
4) Add shortcuts to ieopen.exe and IExplore.exe (C:\Program Files\Internet Explorer) into the PU
startup menu: C:\Documents and Settings\Public User\Start Menu\Programs\Startup
5) Download Weblocker from www.weblocker.com and load the program onto the system.
6) Add a printer as necessary.
7) Run Regedit and, under HKEY_LOCAL_MACHINE\Software\Microsoft, add a new REG_DWORD value of 0 at each of the following:
a. \Windows\CurrentVersion\Explorer\Advanced, value name EnableBalloonTips
b. \Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, value name Administrator
8) Go to My Computer → Tools → Folder Options → View and set the following:
a. Show hidden files and folders (check)
b. Hide protected operating system files (uncheck)
c. Use simple file sharing (uncheck)
9) Run MMC. Add the "Group Policy" snap-in and save the console as "public user". Right click on "Local Computer Policy" → Properties and check "disable computer configuration".
10) Go to My Computer → C:\Windows\System32. Right click on "Group Policy", go to the "Properties" tab, then "Security", and deny "read" access to "Administrator". Click on "Add", type "public user" and allow full control. Click on "Add" again, add "Users" and allow full control.
11) Change the picture for the Public User icon if you want (Control Panel → User Accounts).
12) Go to My Computer → Documents and Settings → Public User. Rename the file ntuser.dat to "ntuser.man" (this makes the profile mandatory: changes made during a session are discarded at logoff).
13) Set whatever network settings are necessary (ip address, etc).
14) Go to Control Panel → Performance and Maintenance → Administrative Tools → Computer Management → Local Users and Groups → Users → Public User. Add Administrators and Users.
15) Go to Control Panel → Performance and Maintenance → System → Remote.
a. Uncheck "allow remote assistance invitations"
b. Check "allow users to connect remotely"
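The registry, Folder Options, group-membership and Remote-tab steps above (steps 7, 8, 14 and 15) can be applied and read back from a script instead of by clicking through the dialogs. The block below is an added example, not part of the original sheet. It assumes Windows PowerShell is installed on the machine (it was an optional download for XP SP2/SP3) and that it runs in the Administrator profile with administrative rights, because step 8 writes per-user settings into HKCU; the account name is the one the page uses. The value names are the ones Windows stores these dialog settings under.

```powershell
# Added example: scripts steps 7, 8, 14 and 15 of the Administrator-profile
# procedure. Run in the Administrator profile (step 8 values are per user).
$PublicUser = 'Public User'   # account name from the procedure

function Set-DwordValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # Create the key if it is missing, write the DWORD, then read it back so a
    # failed write is reported instead of silently ignored.
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    $actual = (Get-ItemProperty -Path $Path -Name $Name).$Name
    if ($actual -ne $Value) { throw "$Path\$Name is $actual, expected $Value" }
    "$Path\$Name = $Value"
}

# Step 7: the two machine-wide REG_DWORD values of 0.
Set-DwordValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'EnableBalloonTips' 0
Set-DwordValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList' 'Administrator' 0

# Step 8: Folder Options -> View, stored per user under HKCU.
#   Hidden = 1          -> "Show hidden files and folders" checked
#   ShowSuperHidden = 1 -> "Hide protected operating system files" unchecked
Set-DwordValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'Hidden' 1
Set-DwordValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'ShowSuperHidden' 1
#   "Use simple file sharing" unchecked = classic sharing and security model.
Set-DwordValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'ForceGuest' 0

# Step 14: Public User is (temporarily, per the procedure) in Administrators
# and Users. net.exe is used because it exists on every XP build.
& net localgroup Administrators $PublicUser /add
& net localgroup Users $PublicUser /add

# Step 15: Remote tab. Remote Assistance invitations off, Remote Desktop on.
Set-DwordValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' 'fAllowToGetHelp' 0
Set-DwordValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections' 0

# Show the resulting membership before moving on to the PU profile.
& net localgroup Administrators
```

Each Set-DwordValue call prints the value it wrote, so the output doubles as a record of the change. The Administrators membership granted in step 14 is removed again later in the procedure; the final `net localgroup Administrators` listing is the place to confirm that it was.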
Do the following from inside the PU profile:
1) Right click on the Start button → Properties → Start Menu → Customize → Advanced. Uncheck "Printers and Faxes" and "List my most recently opened documents" to remove them from the Start Menu.
2) Go to Control Panel → Performance and Maintenance → Power Options. Set "Turn off monitor" to 2 hours and "Turn off hard disks" to 3 hours.
3) Go to My Computer → C:\Windows\System32. Right click on Group Policy → Properties → Security → Advanced → Owner. Highlight "public user", check the box that says "Replace owner on subcontainers" and click OK.
4) Internet Explorer
a. You will have to register Weblocker to make the register screen go away
b. Assign the appropriate homepage in IE.
c. Right click on the tool bar and delete any icons you don't want to show (e-mail, printing,
search, folders, etc).
5) Open the MMC console saved as "public user" and enable the appropriate settings (see the Group Policy sheet at the end of this document).
Go back to the Administrator's profile and do the following:
1) Run Regedit. Do a search only for "keys" and delete all references to "Outlook Express".
2) Deny permissions to specific folders by going into My Computer, right clicking on the appropriate folder → Properties → Security → public user:
a. Documents and Settings → Public User: deny "write" access.
b. Windows → Help: deny "full control".
3) Go to Control Panel → Performance and Maintenance → Administrative Tools → Computer Management → Local Users and Groups → Users → Public User. Remove Administrators and add Users.
4) Make sure that the public user can't change the password: Control Panel → Performance and Maintenance → Administrative Tools → Computer Management → Local Users and Groups → Users. Double click on the public user and check the box "User cannot change password".
When creating a 3rd user, not locked down as tight as the above profile, but on the same computer
1) Create a new group, for example "public users". Wherever the instructions above refer to the "users" group, substitute "public users" instead. Remove public user from the "users" group and put it into the "public users" group.
2) The third user, named, for example, Peoplesoft, will still be a member of the "users" group. In the Administrator's profile, create the following security settings by right clicking on the listed folders and going to Properties → Security. To each of these folders add the user "peoplesoft" and apply these permissions:
a. Program Files: allow only read
b. Windows: allow only read
c. Under Documents and Settings:
i. Administrator: deny full control
ii. Public User: deny full control
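The folder permissions from step 2 of the Administrator-profile section (deny write on the Public User profile, deny full control on Windows\Help) and from step 2 above for the third user can be set and then inspected with the .NET access-control classes. This is an added example, not the page's own procedure. It assumes Windows PowerShell on the machine and an elevated Administrator session; the folder paths and account names are the ones the page uses, with the third user called "peoplesoft" as in the page's example.

```powershell
# Added example: applies the NTFS permission changes described in the two
# "step 2" lists above, then lists the entries each account ends up with.
$SystemDrive = $env:SystemDrive   # normally C:

function Add-FolderRule {
    param([string]$Path, [string]$Account,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.AccessControlType]$Type)
    # Inherit to subfolders and files, as the Security tab does by default.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $Rights, $inherit, $propagate, $Type)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-AccountRules {
    param([string]$Path, [string]$Account)
    # Every ACE on the folder that names this account (explicit or inherited).
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$Account" -or $_.IdentityReference.Value -eq $Account } |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
}

# Administrator profile, step 2: public user cannot write to its own profile
# folder and has no access at all to Windows\Help.
Add-FolderRule "$SystemDrive\Documents and Settings\Public User" 'Public User' 'Write' 'Deny'
Add-FolderRule "$SystemDrive\Windows\Help" 'Public User' 'FullControl' 'Deny'

# Third user, step 2: read on Program Files and Windows, no access to the
# Administrator and Public User profiles.
Add-FolderRule "$SystemDrive\Program Files" 'peoplesoft' 'Read' 'Allow'
Add-FolderRule "$SystemDrive\Windows" 'peoplesoft' 'Read' 'Allow'
Add-FolderRule "$SystemDrive\Documents and Settings\Administrator" 'peoplesoft' 'FullControl' 'Deny'
Add-FolderRule "$SystemDrive\Documents and Settings\Public User" 'peoplesoft' 'FullControl' 'Deny'

# Check the result the way the Security tab would show it.
Get-AccountRules "$SystemDrive\Documents and Settings\Public User" 'Public User' | Format-Table -AutoSize
Get-AccountRules "$SystemDrive\Documents and Settings\Public User" 'peoplesoft' | Format-Table -AutoSize
Get-AccountRules "$SystemDrive\Program Files" 'peoplesoft' | Format-Table -AutoSize
```

Two properties of NTFS ACLs matter when reading the output. A Deny entry is evaluated before Allow entries at the same level, so the Write deny on the profile folder blocks writing even though the account also receives Allow rights through the Users group. Conversely, an extra Allow (the "Read" entries for peoplesoft) never removes rights the account already has through group membership; to see the whole picture, run Get-AccountRules for the "Users" group on the same folders as well.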
3) Make sure you create a password for this profile as necessary
4) If these profiles will be used cyclically and not concurrently, you can go into the Administrator's profile and disable the unused profile: Control Panel → Performance and Maintenance → Administrative Tools → Computer Management → Local Users and Groups → Users. Double click on the profile to be disabled, then check the "Account is disabled" box. You can enable the profile again in the same way.
Changing Settings after the profile has been locked down:
1) You may simply need to go into My Computer → C:\Windows → System32. Right click on Group Policy → Properties → Security and check the box allowing write access to "Administrator". Make the necessary changes in gpedit.msc, then follow the same procedure and check the box to deny write access to "Administrator" again. If that doesn't work, do the following.
2) In the Administrator profile, go to Control Panel → Performance and Maintenance → Administrative Tools → Computer Management → Local Users and Groups → Public User → Member Of, and add Administrators.
3) Go to My Computer → C:\Windows → System32. Right click on Group Policy → Properties → Security → Advanced → Owner. Check the box that says "Replace owner on subcontainers" and make Administrator the owner by highlighting Administrator and clicking OK.
4) Run gpedit.msc, right click on Local Computer Policy → Properties and check "Disable User Configuration settings".
5) Make any changes necessary in gpedit.msc and in the appropriate profile.
6) In Administrator, run gpedit.msc again and uncheck "Disable User Configuration settings".
7) In the Public User profile, take ownership of Group Policy using the same procedure as in step 2. Then deny "read" permissions for "Administrator". You may need to go to My Computer → Tools → Folder Options → View and check "Show hidden files" to see the folder.
8) In the Administrator profile, remove Administrators from the Public User profile as in step 1.
If this doesn't work appropriately (giving no access to the public user and full access to the administrator), make sure you are giving it enough time. We were using Pentium IV with 256KB RAM and it would sometimes take 5 minutes for the changes to propagate, even after logging in and out a couple of times. If that fails, then check the following permissions by going to My Computer → C:\Windows → System32. Right click on Group Policy → Properties → Security. You will probably have to "add" them back into the security, as taking ownership deletes them.
Administrator: allow write, deny read
Public user: full control
Users: full control
It is often useful to leave the "run" command available for use on the start menu in case you lock the
system down and are not able to get back into gpedit.msc. In this case, after the system is completely
locked down and tested, you can go back in and take out the run command as the final step in setting up
your system. It might also be useful to put a shortcut to the "system32" folder and the "gpedit.msc" file
on the desktop of the administrator.
If you get to a place where you are not able to make changes to gpedit.msc from the administrator and you
can't get into gpedit.msc from the public user, go into administrator and create a new user with
administrator privileges, giving them full access to gpedit.msc. Sometimes this user will be able to take
ownership of the file and modify it.
Another useful tip while trying to lock down the profiles is to temporarily put a shortcut to gpedit.msc
onto the desktop of the public user. Since you've blocked seeing the desktop you won't be able to see the
shortcut. However, if you go into Internet Explorer → View → Explorer Bar → Search you will be able to
see it. As long as public user has Administrator privilege, you will be able to modify the settings. Make
sure to remove both the short cut and Administrator privilege after you have it all locked down.
Group Policy Changes: Applied to Computer Configuration → Administrative Templates
(First column: state of the setting. "Not configured" means it was left at its default.)

PRINTERS (as necessary)
enabled         Disallow Installation of Printers
enabled         Web based Printer
Group Policy Changes: Applied to User Configuration → Administrative Templates

WINDOWS COMPONENTS
INTERNET EXPLORER
enabled         Search: Disable Search Customization
enabled         Search: Disable Find Files via F3
enabled         Disable external branding of Internet Explorer
enabled         Disable importing and exporting of favorites
enabled         Disable changing Advanced page settings
enabled         Disable changing home page settings
Not configured  Use Automatic Detection for dial-up connections
Not configured  Disable caching of Auto-Proxy scripts
Not configured  Display error message on proxy script download failure
enabled         Disable changing Temporary Internet files
enabled         Disable changing history settings
Not configured  Disable changing color settings
Not configured  Disable changing link color settings
Not configured  Disable changing font settings
enabled         Disable changing language settings
enabled         Disable changing accessibility settings
enabled         Disable Internet Connection wizard
enabled         Disable changing connection settings
enabled         Disable changing proxy settings
enabled         Disable changing Automatic Configuration
enabled         Disable changing ratings settings
enabled         Disable changing certificate settings
enabled         Disable changing Profile Assistant settings
enabled         Disable AutoComplete for forms
enabled         Do not allow AutoComplete to save passwords
enabled         Disable changing Messaging settings
enabled         Disable changing Calendar and Contact
enabled         Disable the Reset Web Settings feature
enabled         Disable changing default browser check
enabled         Identity Manager: Prevent users from using
enabled         Configure Outlook Express
enabled         Configure Media Explorer Bar (Disable the Media Explorer Bar)
BROWSER MENUS (under Internet Explorer)
enabled         File menu: Disable Save As... menu option
enabled         File menu: Disable New menu option
enabled         File menu: Disable Open menu option
enabled         File menu: Disable Save As Web Page
Not configured  File menu: Disable closing the browser
enabled         View menu: Disable Source menu option
enabled         View menu: Disable Full Screen menu option
enabled         Hide Favorites menu
enabled         Tools menu: Disable Internet Options
enabled         Help menu: Remove 'Tip of the Day'
enabled         Help menu: Remove 'For Netscape Users'
enabled         Help menu: Remove 'Send Feedback' menu
enabled         Disable Context menu
Not configured  Disable Open in New Window menu option
enabled         Disable Save this program to disk option

TOOLBARS (under Internet Explorer)
enabled         Disable customizing browser toolbar buttons
enabled         Disable customizing browser toolbars
enabled         Configure toolbar buttons (check Back, Forward, Stop, Refresh, Home; and Print if appropriate)

OFFLINE PAGES (under Internet Explorer)
enabled         Disable adding channels
enabled         Disable offline page hit logging
enabled         Disable channel user interface completely
WINDOWS EXPLORER
enabled         Removes the folder options menu from the Tools menu
enabled         Remove file menu from Windows Explorer
enabled         Remove search button from Windows Explorer
enabled         Remove Windows Explorer's default context menu
enabled         Hides the Manage Items on the Windows Explorer's context menu
enabled         Hide these specified drives in My Computer (restrict all drives)
enabled         Do not move deleted files to the Recycle bin
enabled         Remove Shared Documents from My computer

WINDOWS MESSENGER
enabled         Do not allow WM to Run

WINDOWS UPDATE
enabled         Remove access to use of all Windows Update Features
DESKTOP
enabled         Hide and disable all items on the desktop
enabled         Remove My Documents icon on the desktop
enabled         Remove My Computer icon on the desktop
enabled         Remove Recycle Bin icon from desktop
enabled         Remove Properties from the My Documents context menu
enabled         Remove Properties from the My Computer context menu
enabled         Remove Properties from the Recycle Bin context menu
enabled         Hide My Network Places icon on desktop
Not configured  Hide Internet Explorer icon on desktop
Not configured  Do not add shares of recently opened documents to My Network Places
enabled         Prohibit user from changing My Documents path
enabled         Prevent adding, dragging, dropping and closing the Taskbar's toolbars
enabled         Prohibit adjusting desktop toolbars
enabled         Don't save settings at exit
Not configured  Remove the Desktop Cleanup Wizard

ACTIVE DESKTOP (under Desktop)
enabled         Prohibit changing items
enabled         Prohibit deleting items
enabled         Prohibit adding items
enabled         Prohibit editing items

START MENU AND TASKBAR
enabled         Remove user's folders from the Start Menu
Not configured  Remove links and access to Windows Update
enabled         Remove common program groups from Start Menu
enabled         Remove My Documents icon from Start Menu
enabled         Remove Documents menu from Start Menu
enabled         Remove programs on Settings menu
enabled         Remove Network Connections from Start Menu
enabled         Remove Favorites menu from Start Menu
enabled         Remove Search menu from Start Menu
enabled         Remove Help menu from Start Menu
enabled         Remove Run menu from Start Menu
enabled         Remove My Pictures icon from Start Menu
enabled         Remove My Music icon from Start Menu
enabled         Remove My Network Places icon from Start Menu
enabled         Add Logoff to the Start Menu
Not configured  Remove Logoff on the Start Menu
enabled         Remove and prevent access to the Shut Down command
enabled         Remove Drag-and-drop context menus on the Start Menu
enabled         Prevent changes to Taskbar and Start Menu Settings
enabled         Remove access to the context menus for the taskbar
enabled         Do not keep history of recently opened documents
enabled         Clear history of recently opened documents on exit
enabled         Turn off personalized menus
enabled         Turn off user tracking
enabled         Add "Run in Separate Memory Space" check box to Run dialog box
enabled         Do not use the search-based method when resolving shell shortcuts
enabled         Do not use the tracking-based method when resolving shell shortcuts
enabled         Gray unavailable Windows Installer programs Start Menu shortcuts
enabled         Prevent grouping of taskbar items
enabled         Turn off notification area cleanup
enabled         Lock the Taskbar
Not configured  Force classic Start Menu
enabled         Remove Balloon Tips on Start Menu items
Not configured  Remove pinned programs list from the Start Menu
enabled         Remove frequent programs list from the Start Menu
enabled         Remove All Programs list from the Start menu
enabled         Remove and disable the Turn Off Computer button
enabled         Remove the "Undock PC" button from the Start Menu
Not configured  Remove user name from Start Menu
Not configured  Remove Clock from the system notification area
Not configured  Hide the notification area
enabled         Do not display any custom toolbars in the taskbar

CONTROL PANEL
enabled         Prohibit access to the control panel

CONTROL PANEL → PRINTERS
enabled         Browse the network to find printers
enabled         Prevent addition of printers
enabled         Prevent deletion of printers

NETWORK → OFFLINE FILES
enabled         Prohibit User Configuration of Offline Files
enabled         Remove 'Make Available Offline'
enabled         Prevent use of offline files folder
enabled         Turn Off Reminder Balloons
SYSTEM → CTRL+ALT+DEL OPTIONS
enabled         Remove Task Manager
enabled         Remove Lock Computer
enabled         Remove Change Password
*******************************
Do these only when necessary
SYSTEM → LOGON
Allow only these programs to run at user logon:
iexplore.exe, bursaropen.exe, WebSafe.exe, syswb6.exe
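Once the sheet has been applied, the quickest way to confirm that the user-side policies actually took effect on a given account is to read the registry values the Administrative Template policies write into that user's hive and compare them with what the sheet says. The block below is an added example, not part of the original sheet. It covers the enabled settings whose backing values are fixed by Windows' own system.adm template (policy name, registry value and "enabled" value are stated for each); the RestrictRun program list is the one from the SYSTEM → LOGON section just above, and is only relevant if that optional section was applied. It assumes Windows PowerShell and is meant to run while logged on as the locked-down user, because the policies are per user.

```powershell
# Added example: audits the enabled User Configuration policies from the
# sheet by reading their backing registry values in the current user's hive.
$Explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$System   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Sheet entry -> key, value name and the DWORD the policy writes when enabled.
$Expected = @(
    @{ Policy = 'Removes the folder options menu from the Tools menu'; Key = $Explorer; Name = 'NoFolderOptions';        Value = 1 },
    @{ Policy = 'Remove file menu from Windows Explorer';              Key = $Explorer; Name = 'NoFileMenu';             Value = 1 },
    @{ Policy = "Remove Windows Explorer's default context menu";      Key = $Explorer; Name = 'NoViewContextMenu';      Value = 1 },
    @{ Policy = 'Hide these specified drives (restrict all drives)';   Key = $Explorer; Name = 'NoDrives';               Value = 0x03FFFFFF },
    @{ Policy = 'Do not move deleted files to the Recycle bin';        Key = $Explorer; Name = 'NoRecycleFiles';         Value = 1 },
    @{ Policy = 'Remove Shared Documents from My computer';            Key = $Explorer; Name = 'NoSharedDocuments';      Value = 1 },
    @{ Policy = 'Hide and disable all items on the desktop';           Key = $Explorer; Name = 'NoDesktop';              Value = 1 },
    @{ Policy = 'Remove and prevent access to the Shut Down command';  Key = $Explorer; Name = 'NoClose';                Value = 1 },
    @{ Policy = 'Remove Run menu from Start Menu';                     Key = $Explorer; Name = 'NoRun';                  Value = 1 },
    @{ Policy = 'Remove Search menu from Start Menu';                  Key = $Explorer; Name = 'NoFind';                 Value = 1 },
    @{ Policy = 'Remove Help menu from Start Menu';                    Key = $Explorer; Name = 'NoSMHelp';               Value = 1 },
    @{ Policy = 'Prevent changes to Taskbar and Start Menu Settings';  Key = $Explorer; Name = 'NoSetTaskbar';           Value = 1 },
    @{ Policy = 'Do not keep history of recently opened documents';    Key = $Explorer; Name = 'NoRecentDocsHistory';    Value = 1 },
    @{ Policy = 'Prohibit access to the control panel';                Key = $Explorer; Name = 'NoControlPanel';         Value = 1 },
    @{ Policy = 'Remove Task Manager';                                 Key = $System;   Name = 'DisableTaskMgr';         Value = 1 },
    @{ Policy = 'Remove Lock Computer';                                Key = $System;   Name = 'DisableLockWorkstation'; Value = 1 },
    @{ Policy = 'Remove Change Password';                              Key = $System;   Name = 'DisableChangePassword';  Value = 1 },
    @{ Policy = 'Allow only these programs to run at user logon';      Key = $Explorer; Name = 'RestrictRun';            Value = 1 }
)

function Test-PolicyValue {
    param([hashtable]$Item)
    # A missing key or value means the policy is not applied to this user.
    $actual = $null
    if (Test-Path -Path $Item.Key) {
        $props = Get-ItemProperty -Path $Item.Key -Name $Item.Name -ErrorAction SilentlyContinue
        if ($props) { $actual = $props.($Item.Name) }
    }
    $status = 'DRIFT'
    if ($null -eq $actual) { $status = 'MISSING' }
    elseif ($actual -eq $Item.Value) { $status = 'OK' }
    New-Object PSObject -Property @{ Status = $status; Value = $Item.Name; Actual = $actual; Policy = $Item.Policy }
}

function Get-RestrictRunList {
    # The allowed programs live as numbered string values ("1" = "iexplore.exe", ...)
    # under a RestrictRun subkey of the Explorer policy key.
    $key = Join-Path $Explorer 'RestrictRun'
    if (-not (Test-Path -Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

$Expected | ForEach-Object { Test-PolicyValue $_ } | Format-Table Status, Value, Actual, Policy -AutoSize

# Program list from the SYSTEM -> LOGON section of the sheet.
$Allowed = 'iexplore.exe', 'bursaropen.exe', 'WebSafe.exe', 'syswb6.exe'
$list    = @(Get-RestrictRunList)
"RestrictRun list: $($list -join ', ')"
$missing = $Allowed | Where-Object { $list -notcontains $_ }
$extra   = $list    | Where-Object { $Allowed -notcontains $_ }
if ($missing) { "Expected but not listed: $($missing -join ', ')" }
if ($extra)   { "Listed but not expected: $($extra -join ', ')" }
```

A row marked MISSING usually means the policy has not been refreshed into the profile yet (the propagation delay described earlier), while DRIFT means the value is present but differs from the sheet. Note that once "Allow only these programs to run at user logon" is in force, Explorer will refuse to start powershell.exe for that user unless it is on the list, so run this audit before applying that section, or add the interpreter to the list temporarily and remove it afterwards, just as the procedure does with the gpedit.msc shortcut.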