Group Policy Editor: A closer look at some useful policy settings

This article applies primarily to Windows XP Professional and Windows Server 2003, but some registry tweaks can also be used in Windows XP Home Edition.

Topics on this page:
[1] Introduction
[2] Internet Explorer settings
[3] Windows settings
1. Introduction

The Group Policy Editor in Windows XP Professional has many extra settings compared to Windows 2000. It would be neither useful nor practical to cover all of the several hundred settings, but some relate to problems frequently encountered by users, and not many people are aware that they can be set here, so it is convenient to list them. Unless indicated, the corresponding registry tweaks are all operational in Windows XP Home edition if made directly via regedit. The exceptions include some network and domain related settings. It is not true that Windows XP Home edition does not support policies: it is just that there is no Group Policy Editor to set them.

The way the settings are grouped in the Group Policy Editor can make them hidden and unintuitive to locate. Often there is more than one possible setting, typically one per user and one per computer. The latter overrides the former if both are set.

There are three basic settings in the Group Policy Editor: Enabled, Disabled and Not Configured (with a few exceptions). By default the policy registry keys are absent and are only created when a policy is set to Enabled. When the policy is reset to Disabled or Not Configured, the registry key is usually deleted. Sometimes, manually modifying the registry key value to 0 has the same effect as disabling it. I've not tested all the settings (>600) but this seems to be a general pattern of behaviour.

I will not cover any policy settings for NetMeeting, Windows Media Player, Internet Explorer Administration Kit (IEAK) or Office XP/2003, nor include screenshots for all the settings after the initial examples. Also, the templates are customisable: they can be modified, deleted or added. The settings listed below are from the default Internet Restrictions and System templates only.
2. Internet Explorer settings

There is a huge number of policies and some of the useful ones have been covered in my articles on IE hijacking. A few configurations can be set directly in IE itself. You can use the Group Policy Editor to configure them and remove hijacking restrictions.

Under Computer Configuration\Administrative Templates\Internet Explorer there are settings for security restrictions.

Under User Configuration\Administrative Templates\Internet Explorer Maintenance there are settings for IE customisation, internet connection and security zones.

Internet Options menu restrictions
Internet Options: individual tabs disabled, including: General Tab
IE branding, customisation, restrictions (and hijacking):
Disable IE right-click context menu
Disable toolbar and toolbar button customisation
3. Windows settings

3.1. System policies

A large number of system settings are found under both user and computer configurations and some are further subdivided into groups.

Turn off Autoplay (autorun)

You can normally do this directly in Windows Explorer (right-click the CD-ROM drive icon, Properties, AutoPlay) but sometimes, after installing programmes, the autoplay setting has been changed and cannot be reset easily. There are per user and per machine settings, and there is an additional registry setting outside the control of the Group Policy Editor. The reason for such complication is beyond my understanding (see MS KB 330135). Whether autorun is enabled for your CD-ROM drive depends on the combination of these settings, so make sure you check all of them carefully. You don't need all three settings: just one setting can disable autorun. Why it's called "autorun" in the registry and "autoplay" elsewhere is again incomprehensible and best known to Microsoft.

Per User setting: User Configuration\Administrative Templates\System:
Registry: HKEY_CURRENT_USER\Software\Microsoft\

The value of 91 hex (145 decimal) means autorun is enabled; 0xb5 (181) means autorun is disabled (equivalent to setting the policy to Enabled). If you set the policy to Disabled or Not Configured, the registry key is deleted altogether. To complicate matters further, the value of 91 has changed from that in Windows NT and 2000 (MS KB 155217).

Per Computer setting: Computer Configuration\Administrative Templates\System:
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\

The value of 0xb5 (181) means autorun is disabled (equivalent to setting the policy to Enabled). Setting the policy to Disabled or Not Configured in the Group Policy Editor actually deletes the registry key altogether.

The additional registry key not configured by Group Policy is (inherited from previous versions of Windows and included here for reference):

HKEY_LOCAL_MACHINE\System\

The value of 0 means autorun is disabled; 1 means enabled.
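The 0x91 and 0xb5 values above are bitmasks with one bit per drive type, which is why the two differ by more than a simple on/off flag. The Python sketch below is an added example, not part of the original article: it decodes a value and combines the three settings using the precedence described above. The bit names are the standard Windows drive-type flags (not listed in the article), and treating an absent policy value as 0x91 is an assumption.

```python
"""Added example: decode the autorun policy bitmask (0x91 vs 0xb5)."""

# Standard Windows drive-type flags for this policy value (not listed on the page).
DRIVE_TYPE_BITS = [
    (0x01, "unknown type"),
    (0x02, "no root directory"),
    (0x04, "removable"),
    (0x08, "fixed"),
    (0x10, "network"),
    (0x20, "CD-ROM"),
    (0x40, "RAM disk"),
    (0x80, "reserved"),
]
CDROM = 0x20
ASSUMED_DEFAULT = 0x91  # assumption: an absent policy value behaves like 0x91


def disabled_drive_types(value):
    """Return the drive types whose autorun is switched off by this bitmask."""
    return [name for bit, name in DRIVE_TYPE_BITS if value & bit]


def cdrom_autorun_enabled(user_value, machine_value, legacy_autorun):
    """Combine the three settings; None means the policy value is absent.

    legacy_autorun is the non-policy setting (0 = disabled, 1 = enabled).
    The per-computer policy overrides the per-user one when both exist.
    """
    if legacy_autorun == 0:
        return False
    if machine_value is not None:
        effective = machine_value
    elif user_value is not None:
        effective = user_value
    else:
        effective = ASSUMED_DEFAULT
    return not (effective & CDROM)


if __name__ == "__main__":
    # Constructed sample values taken from the article's text.
    for v in (0x91, 0xB5):
        print(hex(v), "disables autorun for:", ", ".join(disabled_drive_types(v)))
    print("policy adds:", disabled_drive_types(0xB5 & ~0x91))
    print("CD-ROM autorun on?", cdrom_autorun_enabled(0xB5, None, 1))
```

Decoding the difference between the two values shows that enabling the policy adds the removable and CD-ROM bits to the default mask.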
Registry Editor disabled or restrictions

These are frequently encountered in IE hijacks, and few realise that the Group Policy Editor can easily reset them. Other browsers are not susceptible, or are less so, because they don't use ActiveX plug-ins.

Regedit Disabled
Regedit Operation cancelled due to Restrictions

This is in fact a specific example of the "Don't run specified Windows applications" policy below when applied to regedit.exe.
Don't run specified Windows applications

User Configuration\Administrative Templates\System:
Registry: HKEY_CURRENT_USER\Software\Microsoft\

Remove Task Manager

This policy setting can also be due to software installation or malware.

User Configuration\Administrative Templates\System:
Registry: HKEY_CURRENT_USER\Software\Microsoft\
3.2. Desktop policies

Under:

Restore desktop icons with "NoSaveSettings"

User Configuration\Administrative Templates\Desktop:
Registry: HKEY_CURRENT_USER\Software\Microsoft\

Remove Recycle Bin icon from desktop

This one is a real pain if you have deleted the Recycle Bin icon and don't use the Group Policy Editor to restore it: have a look at the registry key and you'll see what I mean.

User Configuration\Administrative Templates\Desktop:
Registry: HKEY_CURRENT_USER\Software\Microsoft\
3.3. Start menu and Taskbar policies

Under User Configuration\Administrative Templates\Start Menu and Taskbar there are 42 settings, some of which would be useful for individual users.

Remove Recent Documents menu from Start menu

User Configuration\Administrative Templates\
Registry: HKEY_CURRENT_USER\Software\Microsoft\

Remove My Documents from Start menu

Normally you can configure this directly in Start menu properties.

User Configuration\Administrative Templates\
Registry: HKEY_CURRENT_USER\Software\Microsoft\

No Recent Document History

This setting prevents the recent document history, including the list in the Explorer and IE Address Bar and the Start, Run address bar, from being saved. If you enable this setting, My Recent Documents disappears from the Start menu, and the option to list and clear it also disappears from Start menu properties.

Per User setting only: User Configuration\Administrative Templates\
Registry: HKEY_CURRENT_USER\Software\Microsoft\

Clear history of recently opened documents on exit

This setting allows the recently opened documents to be saved but clears the list on shutdown.

Per User setting only: User Configuration\Administrative Templates\
Registry: HKEY_CURRENT_USER\Software\Microsoft\

Turn off user tracking

This setting stops all your recently opened documents from being saved in a list, including those of Office and any other applications that track usage.

Per User setting only: User Configuration\Administrative Templates\
Registry: HKEY_CURRENT_USER\Software\Microsoft\
3.4. Windows Messenger

Note that these settings do not actually uninstall Messenger and are not related to the Messenger service.

Per User setting: User Configuration\Administrative Templates\
Registry: HKEY_CURRENT_USER\Software\Policies\

Per Computer setting: Computer Configuration\Administrative Templates\
Registry: HKEY_LOCAL_MACHINE\Software\Policies\

3.5. Windows Explorer policies

There are 27 settings in User Configuration only.

Hide these specified drives in My Computer

User Configuration\Administrative Templates\
Registry: HKEY_CURRENT_USER\Software\Microsoft\

This obscure value means the policy is Enabled.

Prevent access to drives from My Computer

User Configuration\Administrative Templates\
Registry: HKEY_CURRENT_USER\Software\Microsoft\

This obscure value means the policy is Enabled.

Remove Security tab from folder properties

For XP Professional only (with Simple File Sharing disabled); this tweak has no effect in Windows XP Home edition (in which Simple File Sharing cannot be disabled and the Security tab is hidden except in Safe Mode).

User Configuration\Administrative Templates\
Registry: HKEY_CURRENT_USER\Software\Microsoft\
3.6. Limit reservable bandwidth

Note that this setting does not limit your internet connection speed and changing it does not increase it (read KB 316666). It is one of the commonest myths widely circulated on the internet. Use your common sense and intellect and do not join the bandwagon.

Computer Configuration\Administrative Templates\
Registry: HKEY_LOCAL_MACHINE\Software\Policies\

Set the policy to Enabled for it to take effect, and enter any value less than 20 to reduce the bandwidth reservation set for the system by the Packet Scheduler from its default value of 20%.
4. Security Policies

Under: Computer Configuration\Windows Settings\ you'll find many settings, all related to security. All the "Security Settings" nodes can also be accessed via the Security Policy MMC snap-in (secpol.msc). A few settings are particularly useful even for the home user using Windows XP Professional. This snap-in is not available in Windows XP Home Edition.

Accounts: Limit local account use of blank password to console logon only

The default is set to enabled.

Accounts: rename administrator account (default: Administrator)

This allows you to rename the Administrator account for increased security.

Accounts: rename guest account

This allows you to rename the Guest account for increased security.

Interactive logon: Prompt users to change password before expiration

The default is set to 14 days. This has no effect if the "Password never expires" setting is selected under the user account concerned in Local Users and Groups (lusrmgr.msc).
Recovery console: Allow automatic administrative logon

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole

Recovery console: Allow floppy copy and access to all drives and all folders

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole

Shutdown: Clear virtual memory pagefile

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Copyright © 2004-2005 by Kilian. All my articles including graphics are provided "as is" without warranties of any kind. I hereby disclaim all warranties with regard to the information provided. In no event shall I be liable for any damage of any kind whatsoever resulting from the information. The articles are provided in good faith and after some degree of verification but they may contain technical or typographical errors. Links to other web resources may be changed at any time and are beyond the control of the author. Articles may be added, removed, edited or improved at any time. No support is provided by the author. All the products mentioned are trademarks of their respective companies. Created 2004; last updated 15 Jul 2005