users focused, on track, and out of trouble is sometimes a dicey proposition.
Since nothing is foolproof to a sufficiently talented fool, it’s tough to keep
users out of off-limit places and applications. Even though you have to be an
administrator to make most system configuration changes, unwary users can still
do damage to their machines. In addition, there’s always the lure of the
Internet Explorer icon right on users’ desktops, tempting them away from work.
And even the network sometimes proves to be a dangerous place for some users.
The solution to these wayward users is to apply restrictions to what users can
and can’t do.

This article was originally published on January 19, 2006.

Group policies

In a domain environment, you can use group policies to apply restrictions at several levels,
including domain, site, and organizational unit (OU). For example, you can
configure the interface to hide drives in My Computer, hide the Internet
Explorer icon, disable Add/Remove Programs, and use a boatload of other
restrictions to keep users focused and out of trouble. You can apply the
restrictions on a per-user or per-group basis, giving you very granular control
over who can do what, when, and where.

In a workgroup environment, however, accomplishing the same thing is a lot tougher
because the local group policy is intended to apply to all users, regardless of
account or group membership. But with a little finesse, you can apply restrictions
to individual users.

The Group Policy console

use the Group Policy console to apply restrictions. Before you go
rushing off to lock down your users, however, keep this in mind: The changes
you’re going to make will initially affect the local administrator account on
each computer. Don’t apply any restrictions that will prevent you from later
removing the restrictions from the administrator account. You might want to
temporarily create an account with membership in the Administrators group to
use in case you have problems and need to undo the restrictions.

how to fool Windows XP Professional into using different restrictions for

  1. Log on as Administrator.
  2. Go to Start | Run and enter Gpedit.msc in the Open
    dialog box to start the Group Policy console shown in Figure A.
  3. Open the User Configuration/Administrative Templates
    branch and change settings as desired to enable restrictions as needed.
    The settings for each restriction vary.
  4. Close the Group Policy console and log off; then log on
    again as Administrator to apply the change.
  5. Log off and log on as another user to verify that the
    restrictions are applied. Log off and then log on as each of the other
    users, in turn, to whom you want to apply the restrictions.
  6. Log on as Administrator and copy the file %systemroot%\System32\GroupPolicy\User\registry.pol to a backup location and name
    it UserReg.pol.
    Copy the file %systemroot%\System32\GroupPolicy\Machine\registry.pol to the same backup location
    and name it MachineReg.pol.
  7. Open the Group Policy console and remove the
    restrictions applied in step four. In some cases, you might need to use
    the opposite setting from the one applied in step three. For example, if
    you selected Enable to apply a given restriction,
    choose Disable to remove the restriction, rather than Not Configured
    (which applies no change to the registry).
  8. Close the Group Policy console and then copy the backup
    file created in step six back to %systemroot%\System32\GroupPolicy\User\registry.pol, making sure to rename the
    file Registry.pol.
    Copy the backup MachineReg.pol
    created in step six back to %systemroot%\System32\GroupPolicy\Machine\registry.pol, making sure to rename the
    file Registry.pol.
  9. Log off as administrator and log on as one of the
    restricted users to verify that the restrictions are in place. Log off and
    then log back on as administrator to verify that the restrictions are not
    applied to the administrator account. As long as you didn’t use your own nonadministrator account to log on in step five, that
    account will not have the restrictions applied.
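
Before copying UserReg.pol back in step eight, it helps to confirm which restrictions the backup actually contains. The following is an added example, not part of the original article: a Python parser for the registry.pol layout (a PReg header followed by [key;value;type;size;data] records in UTF-16LE), run on a constructed sample; the sample values and all function names are assumptions.

```python
import struct

SIGNATURE, VERSION = b"PReg", 1  # 8-byte header: signature, then DWORD version
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD"}

def u16(text):
    return text.encode("utf-16-le")

def expect(buf, pos, ch):  # check for a UTF-16LE delimiter and step past it
    if buf[pos:pos + 2] != u16(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def read_wstr(buf, pos):  # null-terminated UTF-16LE string, scanned two bytes at a time
    for end in range(pos, len(buf) - 1, 2):
        if buf[end:end + 2] == b"\x00\x00":
            return buf[pos:end].decode("utf-16-le"), end + 2
    raise ValueError("unterminated string")

def read_dword(buf, pos):
    if pos + 4 > len(buf):
        raise ValueError("truncated record")
    return struct.unpack_from("<I", buf, pos)[0], pos + 4

def parse_pol(buf):
    """Return [(key, value, type_name, data)] from registry.pol bytes."""
    if buf[:4] != SIGNATURE or read_dword(buf, 4)[0] != VERSION:
        raise ValueError("not a registry.pol file")
    pos, entries = 8, []
    while pos < len(buf):
        key, pos = read_wstr(buf, expect(buf, pos, "["))
        value, pos = read_wstr(buf, expect(buf, pos, ";"))
        rtype, pos = read_dword(buf, expect(buf, pos, ";"))
        size, pos = read_dword(buf, expect(buf, pos, ";"))
        pos = expect(buf, pos, ";")
        raw = buf[pos:pos + size]  # data is read by length, so it may contain ';' or ']'
        pos = expect(buf, pos + size, "]")
        data = struct.unpack("<I", raw)[0] if (rtype, size) == (4, 4) else raw
        entries.append((key, value, REG_TYPES.get(rtype, rtype), data))
    return entries

def entry(key, value, rtype, data):  # builds one record for the constructed sample
    head = struct.pack("<I", rtype) + u16(";") + struct.pack("<I", len(data))
    return u16(f"[{key}\0;{value}\0;") + head + u16(";") + data + u16("]")

# Constructed sample: two Explorer restrictions stored as REG_DWORD records.
EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SAMPLE = SIGNATURE + struct.pack("<I", VERSION) + b"".join(
    entry(EXPLORER, n, 4, struct.pack("<I", v)) for n, v in [("NoDrives", 4), ("NoInternetIcon", 1)])
```

To inspect a real backup, read UserReg.pol in binary mode and pass its bytes to parse_pol; an empty result or a ValueError means the file is not the policy set you intended to restore.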

Figure A: Group Policy console