Poor man's guide to locking down Windows XP

A

while ago, I found myself sitting at my Mom’s Windows XP computer staring at your typical family tech support nightmare. A nephew had been given access to the machine from the admin account and the result, as you might expect, was a disaster. Of course, the conversation started with “Hey, do you think you could look at our computer it seems awfully slow?”

Some advice, if you ever hear this question and the machine has a broadband connection look for any possible means to change the subject and start packing the car!

After attempting as best I could to clean things up and having no desire to install any additional software for fear of exacerbating an already terrible situation I opted to create a secondary “nephew” user account I could attempt to lock down. Armed with Internet Explorer and Google I searched for ways to disable certain Windows features in an effort to try and “protect” the new account. My focus was only things I could do with the registry since, again, I didn’t want to install any software. Without further adieu here is the list of registry tweaks I found and used in no particular order.

WARNING: If you use and/or apply any of this information it is entirely your responsibility, you assume ALL risk. You’ve been warned!

Btw, here’s great guide to the Windows registry for reference though not all of these items came from that site.

Hide or Display Administrative Tools Menu
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced]
Value Name: StartMenuAdminTools
Data Type: REG_SZ (String Value)
Value Data: Yes or No

Hide Control Panel, Printer and Network Settings
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer]
Value Name: NoSetFolders
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)

Disable Drag-and-Drop on the Start Menu
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer]
Value Name: NoChangeStartMenu
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disable restriction, 1 = enable restriction)

Remove Run from the Start Menu
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer]
Value Name: NoRun
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)

Remove Tray Items from Taskbar
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer]
Value Name: NoTrayItemsDisplay
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = enable restriction)

Disable the Change Password Button
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
System]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
System]
Value Name: DisableChangePassword
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)

Disable the Lock Workstation Button
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
System]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
System]
Value Name: DisableLockWorkstation
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)

Disable System Restore Tools and Settings
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
Value Name: DisableConfig, DisableSR
Data Type: REG_DWORD (DWORD Value)
Value Data: (1 = enable restriction)

Disable the Ability to Right Click on the Desktop
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer]
Value Name: NoViewContextMenu
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)

Screen Saver Password Protection Policy
User Key: [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\
Desktop]
Value Name: ScreenSaverIsSecure
Data Type: REG_DWORD (DWORD Value)

Remove the Security Tab
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer]
Value Name: NoSecurityTab
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = enable restriction)

Remove the Hardware Tab
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer]
Value Name: NoHardwareTab
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = enable restriction)

Disable the New Menu Item
In the registry find this key [HKEY_CLASSES_ROOT\CLSID\{D969A300-E7FF-11d0-A93B-00A0C90F2719}].

Rename it by placing a dash “-” in front of the GUID (the long bracketed value at the end.

Disable the Ability to Customize Toolbars
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer]
Value Name: NoToolbarCustomize
Data Type: REG_DWORD (DWORD Value)
Value Data: (1 = enable restriction)

Remove File Menu from Explorer
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer]
Value Name: NoFileMenu
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)

Hide the Network Neighborhood Icon
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer]
Value Name: NoNetHood
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)

Avoid Accidental Registry Imports with Regedit
Open your registry and find the key below.
Change the (Default) value to equal “edit”.
Exit your registry editor.

System Key: [HKEY_CLASSES_ROOT\regfile\shell]
Value Name: (Default)
Data Type: REG_SZ (String Value)
Value Data: edit

Disable Windows Installer
System Key: [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer]
Value Name: DisableMSI
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = admin only, 2 = disabled)

Restrict Installations from Removable Media
User Key: [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer]
Value Name: DisableMedia
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = enable restriction)

2 thoughts on “Poor man's guide to locking down Windows XP

  1. I find the Group Policy editor, (Start | Run | "gpedit.msc" is quickest) an easier way of accessing these settings. The administrative templates cover this in large detail. (I don’t know if that’s in Home editions of MS OSes though.)
    However, these settings largely only affect the desktop UI, the Explorer ones in particular; the underlying functionality often isn’t disabled.

  2. Hey Bary,
    Thanks for the comment. Yeah the GPE works great for this sort of thing though part of the problem was that I didn’t know specifically what I was looking for as I’d never tried this approach before which is where Google came in handy. Also, you’re right regarding UI, my focus was on locking down portions of Explorer . Admittedly, this approach is a total hack and far from complete or completely effective though it didn’t really take much time and was easy to accomplish. The machine was in such bad shape this was really just a minor band aid allowing me to extract myself from performing some sort of backup and a reinstall. I don’t live close enough to my Mom for me to do more than this level of troubleshooting.

Comments are closed.