Le wiki de Ledman

User Tools

Site Tools

Trace: Poor man's guide to locking down Windows XP
start:tips:win:lock_xp

Poor man's guide to locking down Windows XP

A while ago, I found myself sitting at my Mom’s Windows XP computer staring at your typical family tech support nightmare. A nephew had been given access to the machine from the admin account and the result, as you might expect, was a disaster. Of course, the conversation started with “Hey, do you think you could look at our computer it seems awfully slow?”

Some advice, if you ever hear this question and the machine has a broadband connection look for any possible means to change the subject and start packing the car!

After attempting as best I could to clean things up and having no desire to install any additional software for fear of exacerbating an already terrible situation I opted to create a secondary “nephew” user account I could attempt to lock down. Armed with Internet Explorer and Google I searched for ways to disable certain Windows features in an effort to try and “protect” the new account. My focus was only things I could do with the registry since, again, I didn’t want to install any software. Without further adieu here is the list of registry tweaks I found and used in no particular order.

WARNING: If you use and/or apply any of this information it is entirely your responsibility, you assume ALL risk. You’ve been warned!

Btw, here’s great guide to the Windows registry for reference though not all of these items came from that site.

Hide or Display Administrative Tools Menu 

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Value Name: StartMenuAdminTools
Data Type: REG_SZ (String Value)
Value Data: Yes or No

Hide Control Panel, Printer and Network Settings 

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoSetFolders
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)

Disable Drag-and-Drop on the Start Menu 

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoChangeStartMenu
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disable restriction, 1 = enable restriction)

Remove Run from the Start Menu 

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoRun
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)

Remove Tray Items from Taskbar 

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoTrayItemsDisplay
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = enable restriction)

Disable the Change Password Button 

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
Value Name: DisableChangePassword
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)

Disable the Lock Workstation Button 

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
Value Name: DisableLockWorkstation
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)

Disable System Restore Tools and Settings 

System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
Value Name: DisableConfig, DisableSR
Data Type: REG_DWORD (DWORD Value)
Value Data: (1 = enable restriction)

Disable the Ability to Right Click on the Desktop 

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoViewContextMenu
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)

Screen Saver Password Protection Policy 

User Key: [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
Value Name: ScreenSaverIsSecure
Data Type: REG_DWORD (DWORD Value)

Remove the Security Tab 

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoSecurityTab
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = enable restriction)

Remove the Hardware Tab 

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoHardwareTab
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = enable restriction)

Disable the New Menu Item 

In the registry find this key [HKEY_CLASSES_ROOT\CLSID\{D969A300-E7FF-11d0-A93B-00A0C90F2719}].
Rename it by placing a dash "-" in front of the GUID (the long bracketed value at the end.

Disable the Ability to Customize Toolbars 

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoToolbarCustomize
Data Type: REG_DWORD (DWORD Value)
Value Data: (1 = enable restriction)

Remove File Menu from Explorer 

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoFileMenu
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)

Hide the Network Neighborhood Icon 

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoNetHood
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)

Avoid Accidental Registry Imports with Regedit 

Open your registry and find the key below.
Change the (Default) value to equal "edit".
Exit your registry editor.
System Key: [HKEY_CLASSES_ROOT\regfile\shell]
Value Name: (Default)
Data Type: REG_SZ (String Value)
Value Data: edit

Disable Windows Installer 

System Key: [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer]
Value Name: DisableMSI
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = admin only, 2 = disabled)

Restrict Installations from Removable Media 

User Key: [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer]
Value Name: DisableMedia
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = enable restriction)
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
start/tips/win/lock_xp.txt · Last modified: 2016/09/29 10:51 by stephane