Poor man's guide to locking down Windows XP
A while ago, I found myself sitting at my Mom’s Windows XP computer staring at your typical family tech support nightmare. A nephew had been given access to the machine from the admin account and the result, as you might expect, was a disaster. Of course, the conversation started with “Hey, do you think you could look at our computer? It seems awfully slow.”
Some advice: if you ever hear this question and the machine has a broadband connection, look for any possible means to change the subject and start packing the car!
After attempting as best I could to clean things up, and having no desire to install any additional software for fear of exacerbating an already terrible situation, I opted to create a secondary “nephew” user account I could attempt to lock down. Armed with Internet Explorer and Google, I searched for ways to disable certain Windows features in an effort to try and “protect” the new account. My focus was only on things I could do with the registry since, again, I didn’t want to install any software. Without further ado, here is the list of registry tweaks I found and used, in no particular order.
WARNING: If you use and/or apply any of this information, it is entirely your responsibility; you assume ALL risk. You’ve been warned!
Btw, here’s a great guide to the Windows registry for reference, though not all of these items came from that site.
Hide or Display Administrative Tools Menu
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Value Name: StartMenuAdminTools
Data Type: REG_SZ (String Value)
Value Data: Yes or No
Hide Control Panel, Printer and Network Settings
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoSetFolders
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)
Disable Drag-and-Drop on the Start Menu
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoChangeStartMenu
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disable restriction, 1 = enable restriction)
Remove Run from the Start Menu
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoRun
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)
Remove Tray Items from Taskbar
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoTrayItemsDisplay
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = enable restriction)
Disable the Change Password Button
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
Value Name: DisableChangePassword
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)
Disable the Lock Workstation Button
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
Value Name: DisableLockWorkstation
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)
Disable System Restore Tools and Settings
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
Value Name: DisableConfig, DisableSR
Data Type: REG_DWORD (DWORD Value)
Value Data: (1 = enable restriction)
Disable the Ability to Right Click on the Desktop
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoViewContextMenu
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)
Screen Saver Password Protection Policy
User Key: [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
Value Name: ScreenSaverIsSecure
Data Type: REG_DWORD (DWORD Value)
Remove the Security Tab
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoSecurityTab
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = enable restriction)
Remove the Hardware Tab
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoHardwareTab
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = enable restriction)
Disable the New Menu Item
In the registry, find this key: [HKEY_CLASSES_ROOT\CLSID\{D969A300-E7FF-11d0-A93B-00A0C90F2719}]. Rename it by placing a dash "-" in front of the GUID (the long bracketed value at the end).
Disable the Ability to Customize Toolbars
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoToolbarCustomize
Data Type: REG_DWORD (DWORD Value)
Value Data: (1 = enable restriction)
Remove File Menu from Explorer
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoFileMenu
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)
Hide the Network Neighborhood Icon
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoNetHood
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)
Avoid Accidental Registry Imports with Regedit
Open your registry and find the key below. Change the (Default) value to equal "edit". Exit your registry editor.
System Key: [HKEY_CLASSES_ROOT\regfile\shell]
Value Name: (Default)
Data Type: REG_SZ (String Value)
Value Data: edit
Disable Windows Installer
System Key: [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer]
Value Name: DisableMSI
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = admin only, 2 = disabled)
Restrict Installations from Removable Media
User Key: [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer]
Value Name: DisableMedia
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = enable restriction)
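The User Key entries in the list above live under HKEY_CURRENT_USER, which is the hive of whoever is logged on, so setting them from the admin account would restrict the admin account rather than the new one. The script below is an added example, not part of the original post: it mounts the restricted account's hive with the built-in reg.exe and writes several of the listed per-user values there. The account name nephew, the default XP profile path and the mount name lockdown_tmp are assumptions.

```batch
@echo off
rem Added example, not from the original post.
rem Run as an administrator while the target account is logged off.
rem Usage: lockdown.cmd        apply the restrictions (value 1)
rem        lockdown.cmd undo   write 0 to lift them again
rem ASSUMPTIONS: account name "nephew", the default XP profile path, and the
rem temporary mount name "lockdown_tmp" are placeholders chosen here.
setlocal
set "TARGET=nephew"
set "HIVE=%SystemDrive%\Documents and Settings\%TARGET%\NTUSER.DAT"
set "MOUNT=HKU\lockdown_tmp"
set "POL=%MOUNT%\Software\Microsoft\Windows\CurrentVersion\Policies"
set "VAL=1"
if /i "%~1"=="undo" set "VAL=0"
set "FAILED="

rem HKEY_CURRENT_USER is the logged-on user's hive, so mount the target's instead.
reg load "%MOUNT%" "%HIVE%" >nul
if errorlevel 1 (
    echo Could not load %HIVE% - is %TARGET% still logged on?
    exit /b 1
)

rem Explorer policies from the list above, all REG_DWORD.
for %%V in (NoRun NoSetFolders NoChangeStartMenu NoViewContextMenu NoFileMenu NoNetHood) do (
    reg add "%POL%\Explorer" /v %%V /t REG_DWORD /d %VAL% /f >nul || set "FAILED=1"
)

rem System policy from the list above.
reg add "%POL%\System" /v DisableChangePassword /t REG_DWORD /d %VAL% /f >nul || set "FAILED=1"

rem Always unmount, otherwise the hive stays loaded and in use.
reg unload "%MOUNT%" >nul
if errorlevel 1 (
    echo Unload failed - close regedit if it has %MOUNT% open.
    set "FAILED=1"
)

if defined FAILED (
    echo One or more values were not written.
    exit /b 1
)
echo Done: wrote %VAL% to the policy values in %TARGET%'s hive.
```

The changes take effect the next time the target account logs on, and running the script with undo writes 0 to the same values.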