Use the registry to prevent arbitrary changes.

In many application environments, not every user needs to set certain features of the system. At the same time, such arbitrary settings will cause great trouble to the system administrator. Although there are a lot of software that can protect the computer system settings. Here I will introduce some methods to restrict the setting items by using the registry.

I. functional limitations of the Start menu and desktop:

1. Restrict Start Menu items:

In the Registry: HKEY_USERS \ "User Name" \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer, add the following new DWORD values and their meanings: "NoRun" = 1 the "run" command in the user's Start Menu is disabled;

"NoSetFolders" = 1 The "set \ Folder Options" command in the user's Start Menu is disabled;
"NoSetTaskbar" = 1 The "set \ taskbar and Start Menu" command in the user's Start Menu is forbidden;
"NoFind" = 1, the "Search" command in the user's Start Menu is disabled;
"NoStartMenuSubFolders" = 1 the subfolders in the user's "START" menu are hidden;
"NoClose" = 1, the "close system" command in the user's Start Menu is disabled;
"NoStartBanner" = 1. When WINDOWS is started, the arrow icon on the taskbar and the word "Click here to start" are hidden;
2. Restrict desktop items

In the Registry: HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer, create the following DWORD values under the "Explorer" key value:
NoDesktop = 1 hide all icons on the desktop;
NoDrivers hides the drive DWORD Value of the low 26 bit from low to high corresponding to the A-Z drive, each bit = 1 for effective );
NoNetHood = 1. Hide the "Network Neighbor" icon on the desktop;
NoViewContextMenu = 1 hide the context menu that appears when you right-click the blank area of the desktop;
NoTrayContextMenu = 1 hide the menu displayed when you right-click the taskbar;
NoEntireNetwork = 1 hide "entire network" in "Network neighbors ";
NoSaveSetting = 1 do not save the settings before exiting;

Ii. Restricted Control Panel

Add the following DWORD values to the Registry: HKEY_USERS \ "User Name" \ Software \ Microsoft \ Windows \ CurrenVersion \ Policies \ System, the corresponding control panel item of the user is disabled:
"NoDispAppearancePage" = 1 (disable the "monitor" attribute)
"NoDispBackgroundPage" = 1 hide the "background" page in the "display" attribute)
"NoDispCPL" = 1 hide the "Screen Saver" page in the "monitor" attribute)
"NoDispScrSavPage" = 1 hide the "appearance" page in the "display" attribute.) add the "appearance" page in the Registry: HKEY_USERS \ USERNAME \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Network) the following DWORD values limit the corresponding control panel items of the User:
"NoNetSetup" = 1 disable the "network" attribute)
"NoNetSetupIDPage" = 1 hide the "identifier" page in the "network" attribute)
"NoNetSetupSecurityPage" = 1 hide the "access control" page in the "network" attribute)

Add the following DWORD values to the Registry: HKEY_USERS \ User Name \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System). The corresponding control panel items of this user are limited:

"NoSecCPL" = 1 disable the "password" attribute)
"NoPwdPage" = 1 hide the "Change Password" page in the "password" attribute)
"NoAdminPage" = 1 hide the "Remote Management" Page)
"NoProfilePage" = 1 hide the "user configuration file" page in the "System" attribute)
"NoDevMgrPage" = 1 hide the "device management" page in the "System" attribute)
"NoConfigPage" = 1 hide the "hardware configuration file" page in the "System" attribute)
"NoFileSysPage" = 1 hide the "File System" button on the "system" attribute "performance" page)
"Notesmempage" = 1 hide the "Virtual Memory" button on the "system" attribute "performance" page)

3. Network and user settings

In the Registry: HKEY_USERS \ "User Name" \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies
\ New under Explorer) the following DWORD values, the user's corresponding network and user setting permissions are canceled:

"NoDrives" = 1, all the drives in the user "my computer" are hidden;
"NoNetHooD" = 1, then the user's "network neighbor" is hidden;
"NoEntioeNetwork" = 1, the "entire network" of the user's "network neighbors" is hidden;
If the DWORD value is "NoDesktop" = 1, all program groups on the user's desktop are hidden, that is, no desktop );
If the DWORD value is "NoSaveSettings" = 1, the settings made by the user when the user exits the system are not saved.

If the value of the string "NoWorkgroupContents" = 1, the Working Group directory of the user's "Network Neighbor" is hidden;
2. Dial-Up Network and sharing settings:
If the following DWORD value is set in the Registry: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ Network, the corresponding limit is valid:
"NoDialIn" = 1 do not dial in)
"NoFileSharing" = 1 disable file sharing)
"NoWorkgroupContents" = 1 hide the workstation display in "Network Neighbor;
"NoEntireNetwork" = 1 hide the entire network display in "Network neighbors;
"NoFileSharingControl" = 1 prohibit file sharing;
"NoPrintSharingControl" = 1 Disable printer sharing;

3. Only list of Windows programs allowed:

In the Registry: HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer \ Restrict Run, create a new string value under this subkey. The string value starts from "1, the string value is the name of the running application. For example, Name Data
① "C: \ windows \ myprogram1"
② "D :\.... \ Myprogram2"
After the restriction is enabled, only the program in restrictrun can run. Ensure that the program ray.exe is included in the list.

Iv. password settings

If the following DWORD value is set under HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ Network, the corresponding setting is valid:
"HideSharePwds" = 1 use an asterisk *) Hide the shared password)
"DisablePwdCaching" = 1 Disable password caching. Note! Please use this setting with caution. In this case, the "password" attribute in the control panel cannot change the password. The user can log on with any password or without a password .)
"AlphanumPwds" = 1 so that the Windows Password Must be numbers and letters)
"MinPwdLen" = n sets the minimum length of the Windows Password. n is greater than or equal to 0 and less than or equal to 8)

5. Disable Registry Editor

HKEY_USERS \ "User Name" \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System \ if the DWORD Value "DisableRegstryToo ls" = 1, this user is prohibited from using the registry editing tool.

6. Disable "MSDOS" and MSDOS applications in a single modeCollation

Under HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \, create the primary key "WinOldApp" and create the DWORD Value "Disabled" = 1, the user's "MSDOS" method is disabled. If the value of "NoRealMode" is 1 in "WinOldApp", the user's single-mode MSDOS application is disabled.
7. self-starting Program

In the Registry HKEY_LOCAL_MACHINE \ SOFTWARE \ Mic rosoft \ Windows \ CurrentVersion \ Run, the string value under it indicates the program self-started through the registry;

In the Registry HKEY_LOCAL_MACHINE \ SOFTWARE \ Mic rosoft \ Windows \ CurrentVersion \ RunOnce, the string value under it indicates that the program is started only once;

In the Registry HKEY_LOCAL_MACHINE \ SOFTWARE \ Mic rosoft \ Windows \ CurrentVersion \ RunServices, the string value under it indicates the service program self-started through the registry;

In the Registry HKEY_LOCAL_MACHINE \ SOFTWARE \ Mic rosoft \ Windows \ CurrentVersion \ RunServicesOnce, the string value under it indicates that the service program is started only once.

From this, we can see all the preceding DWORD values. If the value is "1", this value is valid. If the value is "0", this value is invalid; by changing the DWORD value or deleting the DWORD, we can easily make the corresponding restriction valid or invalid.