Windows 2000 Tips & Tweaks - Security
< Windows 2000 Tips & Tweaking Guide created by Michael
and reprinted with permission >
______________________________
Restrict programs that can be run
Desktop: Restrictions
Remove Common Groups from the Start Menu
Remove Shut Down button from Start Menu
Remove Find command from the Start Menu
Remove Taskbar from Start Menu
Remove Run command from Start menu
Remove all desktop icons
Remove drive icons from My Computer
Disable File menu in Explorer
Remove Shortcut menu items and network drive options from Explorer toolbar
Hide Network Neighborhood icon and prevent Explorer from network access
Hide Control Panel, Printers, and My Computer Folders in Explorer
Disable Ability to View Context Menus
Disable New, Delete, & Change Buttons In Explorer
Locking Down The Desktop
Prevent Windows 2000 from keeping history of recently opened documents
Disable/Enable Net Access From Your Computer
Disable Locally Cached Profiles
Restrict programs that can be run
One can restrict the programs that a user can run by setting the RestrictRun value, which
restricts the user to programs in the Explorer\Restrict subkey. Apply the following Windows
NT registry hack:
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Name: RestrictRun
Type: REG_DWORD
Value: 1
This setting applies the restriction to Explorer (note the key the policy is applied to). Users
can still run applications from the Run command and the command shell.
Desktop: Restrictions
You can restrict various desktop options in Windows 2000 in three ways: using registry hacks
directly; using the System Policy Editor (an indirect registry editor), with the advantage
that the workstation registry will be returned to the desired state at each logon; or with
the Group Policy editor, which requires Active Directory. This tip covers the underlying
registry values, which are the same for Windows NT and Windows 2000.
Remove Common Groups from the Start Menu
To hide Common Groups in the Start menu, use the Explorer key and apply the following registry hack:
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Name: NoCommonGroups
Type: REG_DWORD
Value: 1
Remove Shut Down button from Start Menu
To remove the Shut Down button from the Start Menu, apply the following Windows NT registry hack:
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Name: NoClose
Type: REG_DWORD
Value: 1
Remove Find command from the Start Menu
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Name: NoFind
Type: REG_DWORD
Value: 1
Remove Taskbar from Start Menu
To remove Taskbar from the Start Menu, so that only drag and drop can be used to alter the
Start Menu and Desktop, apply the following Windows NT Registry hack:
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Name: NoSetTaskbar
Type: REG_DWORD
Value: 1
Remove Run command from Start menu
To remove the Run command from the Start Menu, apply the following Windows NT Registry hack:
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Name: NoRun
Type: REG_DWORD
Value: 1
Remove all desktop icons
To hide Desktop Icons, use the Explorer key and apply the following Windows NT registry hack:
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Name: NoDesktop
Type: REG_DWORD
Value: 1
Remove drive icons from My Computer
You can instruct Explorer not to display one or more drives in the My Computer display. For
example, suppose you create partition E: and use it exclusively for NT's pagefile. To prevent
a (possibly ignorant) user from browsing to that partition and deleting files that should not
be deleted, apply the following Windows NT Registry hack:
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Name: NoDrives
Type: REG_DWORD
Value: To calculate the value, add together the numbers for the drives you want to hide,
using the formula: A=1, B=2, C=4, D=8, E=16, F=32, G=64, and so forth. To hide D: & E:, the
value would be 8+16=24.
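The NoDrives formula and the on/off values from the sections above can be checked against a machine's exported settings. The following Python is an added example, not part of the original guide: it parses the text of a .reg export of the Policies\Explorer key, decodes NoDrives into drive letters, and lists which restrictions are set to 1. The sample export and all function names are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re
import string

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# On/off value names from the sections above (1 = restriction applied).
FLAGS = ("RestrictRun", "NoCommonGroups", "NoClose", "NoFind",
         "NoSetTaskbar", "NoRun", "NoDesktop")

# Constructed sample export (not from the page).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=dword:00000018
"NoRun"=dword:00000001
"NoFind"=dword:00000000

[HKEY_CURRENT_USER\Software\Example]
"NoClose"=dword:00000001
'''

def drives_to_mask(letters):
    """A=1, B=2, C=4, ...: one bit per drive letter, duplicates ignored."""
    return sum(1 << (ord(c) - ord("A")) for c in set(letters.upper()))

def mask_to_drives(mask):
    """Inverse of drives_to_mask: letters whose bit is set."""
    return [c for i, c in enumerate(string.ascii_uppercase) if mask >> i & 1]

def parse_policy_dwords(reg_text, key=POLICY_KEY):
    """Return {name: int} for the dword values under one key of a .reg export."""
    values, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # entering a new key section
        elif current is not None and current.lower() == key.lower():
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
            if m:
                values[m.group(1)] = int(m.group(2), 16)   # dword data is hex
    return values

def audit(reg_text):
    """Report which restrictions are on and which drives NoDrives hides."""
    vals = parse_policy_dwords(reg_text)
    return {"enabled": [n for n in FLAGS if vals.get(n) == 1],
            "hidden_drives": mask_to_drives(vals.get("NoDrives", 0))}

if __name__ == "__main__":
    print(audit(SAMPLE_REG))
```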
Disable File menu in Explorer
To hide the File menu in Explorer:
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Name: NoFileMenu
Type: REG_DWORD
Value: 1
Remove Shortcut menu items and network drive options from Explorer toolbar
As part of securing the Desktop, this tip shows how to remove the "Map Network Drive" and
"Disconnect Network Drive" buttons from the toolbar in Explorer, and also removes the menu
items from the context menu of My Computer and the Tools menu of Explorer. This effectively
restricts drive mapping.
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Name: NoNetConnectDisconnect
Type: REG_DWORD
Value: 1 Enable
Value: 0 Disable
Hide Network Neighborhood icon and prevent Explorer from network access
To prevent network access, apply the following Windows NT registry hack:
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Name: NoNetHood
Type: REG_DWORD
Value: 1
Hide Control Panel, Printers, and My Computer Folders in Explorer
To hide the Control Panel, Printers, and My Computer folders in Explorer and on the Start Menu,
apply the following Windows NT registry hack:
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Name: NoSetFolders
Type: REG_DWORD
Value: 1
Disable Ability to View Context Menus
To remove the context menu when you right click on the desktop, or when you right click in
Explorer in the results pane, apply the following Windows NT Registry hack:
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Name: NoViewContextMenu
Type: REG_DWORD
Value: 0=Disable
Value: 1=Enable
Post SP2 NT4.0 option.
Disable New, Delete, & Change Buttons In Explorer
How can I disable the New, Delete, and Change buttons on Windows Explorer's File Types tab?
There is no Group Policy to prevent users from changing file associations via Windows Explorer.
You can prevent users from changing associations via Windows Explorer's Tools / Folder Options / File Types tab, by setting the NoFileAssociate value name, a REG_DWORD data type, to 1. To configure this setting for a specific user, use HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. To configure the setting for all users of a Windows 2000 computer, use HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
NOTE: This entry does NOT prevent users from using ASSOC and FTYPE to alter associations, and it obviously does NOT prevent alterations via the registry.
Locking Down The Desktop
Here are a few more Value Names that work if IE 4.01, SP1 Active Desktop or greater is installed. All are type REG_DWORD values. A data value of 0 is off and a data value of 1 is on. Use regedt32 to navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDesktopUpdate - Prevents placing new shortcuts on the desktop?
NoFolderOptions - Removes the Folder Options menu item from the Settings menu.
NoFavoritesMenu - Removes the Favorites folder from the Start menu.
NoRecentDocsMenu - Removes the Documents command from the Start menu.
NoSetActiveDesktop - Removes the Active Desktop item from the Settings menu.
Prevent Windows 2000 from keeping history of recently opened documents
Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and
add a REG_DWORD value named NoRecentDocsHistory, set to 1.
Disable/Enable Net Access From Your Computer
Enabling or Disabling Distributed COM
If the computer containing Component Services is part of a network, Component Services needs the DCOM wire protocol to communicate with COM components on other computers. You can disable DCOM, but doing so will disable communication with components on other computers.
Warning: If you disable DCOM on a remote computer, you will not be able to remotely access that computer afterwards to enable DCOM again. To enable DCOM again, you will need physical access to that computer.
To manually enable or disable DCOM
In the console tree of the Component Services administrative tool, right-click the computer for which you want to disable (or enable) DCOM, and then click Properties.
Click the Default Properties tab.
Clear the Enable Distributed COM on this computer check box to disable DCOM. (To enable DCOM, select this check box.)
Click OK.
Disable Locally Cached Profiles
To disable the locally cached version of the user's profile, perform the following on each machine:
Start the registry editor (regedit.exe)
Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
From the Edit menu select New - DWORD value
Enter a name of DeleteRoamingCache and press Enter
Double click the new value and set to 1
Click OK
______________________________