The System Policy Editor


Customizing Windows 95
Enhancing Windows 95 Security

Customizing Windows 95

Policy Editor

Customization fiends can use Windows 95's System Policy Editor to streamline and organize their desktops.



Windows 95 provides two ways to radically customize your system.
First, you can set up User Profiles in the Control Panel's Passwords applet. This capability is useful for office coworkers
who share one Windows 95 system because the User Profiles feature lets each user customize the Start menu, desktop, screen saver,
wallpaper, sounds, and even program installations to suit his or her taste. When your business partner logs on by typing her name
and password in a dialog on system start-up, she gets Windows the way she wants it. When your assistant logs on, he gets it his way.

The second way to customize a system is to use the System Policy Editor to manage access to critical Windows 95 features and
functions. With this utility, you can turn off a long list of Windows 95 Control Panel settings, devices, interface objects, and
system-level access points. Although power users might balk at eliminating features and functions, you'd be surprised at the benefits. Turning off certain Shell items is an excellent way to customize the desktop and create a uniform environment for networked users. Together, the System Policy Editor and User Profiles can create a less complex, more controlled environment for some users, while giving experienced users access to all Win 95 offers.

Although user profiles come into play mainly when several users are sharing one PC, you can create different user profiles to customize your own desktop. For instance, you might create one desktop configuration for a Windows 95 notebook when it's in the
office and another for when it's on the road. Instead of naming user profiles after people, you'd name them, say, Office and Road.
You might set the Office profile to a higher resolution than the Road profile, which might also include your remote communications
program.

HOW TO: CREATE PROFILES
To create user profiles, open Control Panel's Passwords applet and click on the User Profiles tab.
Select the radio button beside the "User can customize their preferences . . ." description.
Place checks beside both options in the User Profile Settings box. Then click on OK.

Windows will want to restart the system at this point, but don't let it. It's better if you configure each user right away. To do that, choose Shut Down's "Close all programs and log on as a different user" option. Then after a few seconds, Windows will display the Welcome to Windows dialog familiar to network users. Enter the name of the first user or custom desktop beside User name, and click on OK. You'll be asked to let Win 95 save individual settings for this user. Click on Yes. The wait cursor appears while Windows creates the new user configuration. Choose Shut Down again and repeat the process for every user or custom desktop you want to create. When you're done, choose Shut Down and restart the computer.

After creating all the users or desktops you want, you're ready to work with the System Policy Editor. But remember, when users log on, any changes they make to the system settings and desktop configurations are saved only to their user profiles. In fact, you don't even need to use the System Policy Editor unless you want to restrict access to functions in some but not all profiles. If that is the case, then the System Policy Editor is useful for two things: setting user-specific and computer-specific properties.

User-specific properties include personal access to the Control Panel settings and devices, desktop objects, network printer and
file sharing, Shell features, and system elements.
Computer-specific properties include the system's access to network client/server software and features as well as system operations. In effect, you can set up a PC that is nearly accident-proof by restricting access to the Registry Editor and by disabling such events as Shut Down and the saving of settings on exit. Bear in mind that the Registry Editor restriction is honored by REGEDIT itself; any other program can still read and write the Registry through the normal API, so these policies guard against accidents and casual tampering rather than against a determined user.



Better Safe Than Sorry

Win 95's System Policy Editor lets you set up barriers to the software, settings, devices, and system files that make a multiuser system most vulnerable. For instance, creating a user profile with these policy restrictions makes it difficult for most users to inadvertently cripple a system.

  USER PROPERTIES        RECOMMENDED POLICY SETTINGS     THE EFFECTS
  ---------------------  ------------------------------  ----------------------------------
  Control Panel|Display  Hide Settings Page              Can't alter or remove settings for
                                                         display drivers and controls.
  ---------------------  ------------------------------  ----------------------------------
  Control Panel|         Disable Passwords               Can't change passwords or create
  Passwords                                              new user profiles from the Control
                                                         Panel's Passwords applet.
  ---------------------  ------------------------------  ----------------------------------
  Control Panel|         Hide General and Details        Prevents accidental crippling of
  Printers               Disable Deletion of Printers    printing functions.
                         Disable Addition of Printers
  ---------------------  ------------------------------  ----------------------------------
  Control Panel|System   Hide Device Manager             Protects critical system
                         Hide Hardware Profiles          configuration settings while
                         Hide File System                leaving access for customizing
                         Hide Virtual Memory             graphics.
  ---------------------  ------------------------------  ----------------------------------
  Shell|Restrictions     Remove Run Command              Prevents users from running
                         Remove Taskbar from Settings    programs from the command line and
                         Remove Find Command             makes it difficult to alter the
                         Hide Drives in My Computer      Taskbar or drive contents.
  ---------------------  ------------------------------  ----------------------------------
  System|Restrictions    Disable Registry Editing Tools  Removes the opportunity to tamper
                                                         with the Registry through the
                                                         Registry Editor.
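Every check box in the table is nothing more than a value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer or ...\Policies\System, which is what the System Policy Editor writes when you click OK. That makes the restrictions easy to verify after the fact. The Python script below is an added example and not part of the original article: it parses a REGEDIT4 export of a user's hive (the format Windows 95's REGEDIT /E writes), reports which of the table's restrictions are not in force, and decodes the NoDrives bitmask into drive letters. The value names and key locations follow the ADMIN.ADM template; check them against the copy in your own \WINDOWS\INF before relying on them. The export text inside the script is constructed for the example.

```python
"""Audit a REGEDIT4 export of a Windows 95 user hive against the restrictions
in the "Better Safe Than Sorry" table.  Added example; value names and keys
follow the Windows 95 ADMIN.ADM template, SAMPLE_EXPORT is constructed."""
import re

POLICY_ROOT = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"

# table row -> (subkey under POLICY_ROOT, value name POLEDIT writes for it)
RECOMMENDED = {
    "Control Panel|Display: Hide Settings Page":            ("System",   "NoDispSettingsPage"),
    "Control Panel|Passwords: Disable Passwords":           ("System",   "NoSecCPL"),
    "Control Panel|Printers: Hide General and Details":     ("Explorer", "NoPrinterTabs"),
    "Control Panel|Printers: Disable Deletion of Printers": ("Explorer", "NoDeletePrinter"),
    "Control Panel|Printers: Disable Addition of Printers": ("Explorer", "NoAddPrinter"),
    "Control Panel|System: Hide Device Manager":            ("System",   "NoDevMgrPage"),
    "Control Panel|System: Hide Hardware Profiles":         ("System",   "NoConfigPage"),
    "Control Panel|System: Hide File System":               ("System",   "NoFileSysPage"),
    "Control Panel|System: Hide Virtual Memory":            ("System",   "NoVirtMemPage"),
    "Shell|Restrictions: Remove Run Command":               ("Explorer", "NoRun"),
    "Shell|Restrictions: Remove Taskbar from Settings":     ("Explorer", "NoSetTaskbar"),
    "Shell|Restrictions: Remove Find Command":              ("Explorer", "NoFind"),
    "Shell|Restrictions: Hide Drives in My Computer":       ("Explorer", "NoDrives"),
    "System|Restrictions: Disable Registry Editing Tools":  ("System",   "DisableRegistryTools"),
}
ALL_DRIVES = 0x03FFFFFF          # NoDrives bitmask: bit 0 = A:, ..., bit 25 = Z:

# "name"=data  or  @=data (the key's default value)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _decode(data):
    """dword:xxxxxxxx -> int, hex:aa,bb,.. -> little-endian int, "..." -> str."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex:"):                        # single-line hex only
        octets = [o for o in data[4:].split(",") if o]
        return int.from_bytes(bytes(int(o, 16) for o in octets), "little")
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    raise ValueError("unsupported value syntax: %r" % data)


def parse_regedit4(text):
    """Return {key_path: {value_name: value}}; the default value is named "@"."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 export")
    tree, current = {}, None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError("malformed line: %r" % raw)
        tree[current]["@" if m.group(2) else m.group(1)] = _decode(m.group(3))
    return tree


def hidden_drives(mask):
    """Drive letters hidden by a NoDrives mask."""
    return [chr(ord("A") + i) for i in range(26) if mask >> i & 1]


def audit(text):
    """Table rows whose restriction is absent or zero in the export."""
    tree = parse_regedit4(text)
    missing = []
    for label, (subkey, value) in RECOMMENDED.items():
        v = tree.get(POLICY_ROOT + "\\" + subkey, {}).get(value, 0)
        if not (isinstance(v, int) and v != 0):
            missing.append(label)
    return missing


# Constructed export: only some of the table's restrictions are in force.
SAMPLE_EXPORT = """REGEDIT4

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoRun"=dword:00000001
"NoFind"=dword:00000001
"NoDrives"=dword:03ffffff
"NoSaveSettings"=hex:01,00,00,00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"DisableRegistryTools"=dword:00000001
"NoDispSettingsPage"=dword:00000000
"""

if __name__ == "__main__":
    for label in audit(SAMPLE_EXPORT):
        print("MISSING:", label)
    mask = parse_regedit4(SAMPLE_EXPORT)[POLICY_ROOT + "\\Explorer"]["NoDrives"]
    print("hidden drives:", "".join(hidden_drives(mask)))
```

To check a real machine, log on as the user in question and run REGEDIT /E POLICY.REG HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies, then pass the file's contents to audit(). Do this before you enable the Registry Editor restriction for that user, or export from a profile that is allowed to run REGEDIT; a NoDrives mask of 03ffffff is what the Hide Drives in My Computer box writes, which is why the sample uses it.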



Network Know-How

The System Policy Editor's entire range of features, which includes templates and user and group policies, won't benefit you unless you're the administrator of an NT or NetWare network. Templates are an advanced way to work with the Registry. The System Policy Editor's default template, ADMIN.ADM, lists all the policies you can use. You can also create custom policy templates (and multiple .ADM files) that define specific sets of Registry values, so that you can apply system policies to a select group of applications. The settings you choose are stored in a policy file (.POL, normally CONFIG.POL on the server), which is downloaded and merged into the local Registry when a network user logs on. User policies let you create custom setups for individual network users, such as limited access for guests or temporary users. Group policies take advantage of NetWare and NT server groups, letting you set broad controls from one policy file.

If you're a network administrator, the Microsoft Windows 95 Resource Kit is a good starting reference source for learning to use the System Policy Editor's extended features. (For those of you using local systems, System Policy Editor can provide some benefits, though it's easy to miss them in the shroud of network-ese. More on this later.)

If several people are using one PC, configure user profiles before using the System Policy Editor. Making policy changes to the default user and computer properties is asking for trouble and confusion if you don't.

To install the System Policy Editor (PolEdit for short), an optional utility you add to Accessories from the Windows 95 CD, open the Add/Remove Programs applet in Control Panel. Click on the Windows Setup tab and press the Have Disk button. Then click on Browse and navigate to the \Admin\Apptools\Poledit folder on the Win 95 CD. Open the folder, select POLEDIT.INF, and click on OK twice; you should be looking at the Have Disk dialog now. Place a check mark beside the second line, System Policy Editor, and click on the Install button. Once the program has installed, you'll find the System Policy Editor in Start\Programs\Accessories\System Tools.


DID YOU KNOW... you can avoid tediously scrolling the Registry?
From most any entry, just type the name of the item you want.
Include the period if the item you seek is a file extension.


Separatist Policies

If you're using the System Policy Editor on a standalone system, forget about creating policy (.POL) files. They were designed for use on a network, so ignore the System Policy Editor's File menu options for New and Open. While it is possible to load a policy file on a local machine, it's not worth the trouble, because a user could simply delete the .POL file that restricts their access to resources; that can't happen on a networked system, where the .POL file resides on a server, not locally. When a policy file is processed at logon, its settings are written into the Registry, overriding the existing user and computer settings there.

When you're working with the System Policy Editor on a local, non-networked computer, you're making policies for users and systems that Windows 95 stores in the Registry's USER.DAT and SYSTEM.DAT files. Fortunately, Windows 95 creates and stores a USER.DAT file for each user or desktop. When you create a user profile, new folders, identified by username, are placed in a Windows subfolder called Profiles. This both protects the default USER.DAT file, which remains in its original location, and prevents you from setting policies for one user while you're logged on as another.

HOW TO: SET RESTRICTIONS To use PolEdit to set restrictions, log on as the user whose settings you want to modify. Run the System Policy Editor from the System Tools submenu and choose File|Open Registry. You'll see two icons: Local User and Local Computer. Nearly all of the changes you make will be under Local User. Leave Local Computer alone except for the few settings described later, because its policies apply to every user of the machine, not just the one you're logged on as.

Click on the Local User icon to view the top-level user properties available to you: Control Panel, Desktop, Network, Shell, and
System. Expanding each level of properties opens lists of policies that you simply check to enable. See the table, "Better Safe Than
Sorry," for the Local User settings we recommend you use to accident-proof a system from inexperienced users. These recommendations presume your computer isn't networked. If it is, deny access to key networking features, too.

To do this, open both the Network and Shell book icons from the System Policy Editor. You can disable printer and file-sharing
controls from the Network book and hide or deny access to Network Neighborhood from the Shell|Restrictions policy selections. As an extra precaution, delete the Shortcut to the System Policy Editor in your Start\Programs\Accessories\System Tools folder. Also,
remove any obvious system tools or potentially damaging utilities you may have added to the desktop, the Start menu, or the Programs
menu and submenus. Finally, avoid changing the Shell|Custom Folders policies of Local User. Windows modifies this section
automatically.

Dr. Jekyll, Mr. Hide

Now on to major desktop makeovers. The following examples lay out two strategies for removing all or some desktop objects. Desktop minimalists will discover interesting ways to wipe the desktop clean of all artifacts. But before beginning any major desktop customization, protect your system by running Win 95's Config Backup utility (see the sidebar, "Read Me First").

To get in the spirit of the following tips, set up two experimental desktops under the names Dr. Jekyll and Mr. Hide. Log on using the Mr. Hide profile to test the clean-slate desktop customizations. Then, whenever you want to return to your normal configuration, just log on as Dr. Jekyll. There are going to be some changes in any serious desktop makeover that will fall outside the Registry sections that User Profiles builds redundancies for. So don't forget to run Config Backup, no matter what.

Additional fail-safes include creating Shortcuts for every object you're about to delete and placing all the Shortcuts in one folder. The items for which you need to do this vary, depending on your setup options, whether you're running Microsoft Plus!, customizations already in place, and the programs you've installed.

The first way to wipe off the desktop is also the easiest to set up. You don't actually delete desktop icons, you hide them. Then you can use your folder filled with desktop Shortcuts and icons any time you want, as the Start menu and the Taskbar remain on-screen.

HOW TO: WIPE THE DESKTOP CLEAN
To wipe your desktop clean, run the System Policy Editor. Choose File|Open Registry and double-click on Local User. Expand the Shell book icon, and then click on Restrictions. Toward the bottom of the policy list is an entry labeled "Hide all items on Desktop": Check that box, exit the System Policy Editor, and restart your system. Afterwards, Win 95's desktop will be bare. This method has one annoying effect, though: Not only does everything on your desktop disappear, but you can't right-click on the desktop to open its context menu. Essentially, this system policy restriction turns the desktop into an empty canvas.


DID YOU KNOW... you can set Win 95's System Policy Editor to automatically launch certain programs at start-up? Run PolEdit and select File|Open Registry. Double-click on Local Computer, open the System book icon, and check the Run entry. Now click on the Show button in the Settings for Run dialog. In the Show Contents dialog, you can select which programs launch at start-up.

HOW TO: STREAMLINE The second way to streamline your desktop is more complex to set up, as it requires Registry tuning. The desktop's context menu remains, including the Shortcut to Display Properties. This method also gives you double-click access to My Computer, and you can access the System Properties available from My Computer's context menu. On the negative side, this method really removes everything from your desktop. Once you've customized Windows 95 using the following steps, go to the Windows\Desktop folder and look inside; it'll include only a label reading My Computer, but no icon. If you're a power user, this is the method for you because it removes irritating Microsoft icons from your desktop, making way for creative desktop Shortcuts and special folders.

There are three steps to the process. The first takes care of the Inbox, the Microsoft Network, Recycle Bin, and the Internet (if you have Plus! installed). The second creates an invisible My Computer icon (that is, you'll see only the words My Computer but no icon). And the third removes Network Neighborhood.

Open the Registry Editor, click on the HKEY_LOCAL_MACHINE key, and follow this path: \Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace. Below the NameSpace key are the CLSID numbers for some special tool objects (not special folders) that are glued to your desktop. In most cases, you'll find Class IDs for Inbox, the Microsoft Network, and Recycle Bin. If you click on each CLSID number in turn, the name of the tool object becomes visible in the Registry Editor's right pane. (As an extra precaution, export the NameSpace key to a .REG file with Registry|Export Registry File, or copy the CLSID numbers into a text file, before you delete them; an export can be merged back in if you want the icons again.) Now highlight and delete each Class ID in NameSpace. That's all there is to it.

My Computer and Network Neighborhood, however, are hardwired into Win 95's code, specifically the SHELL32.DLL file. That's why the steps differ. To make My Computer invisible, move to the Registry's HKEY_CLASSES_ROOT\CLSID\ section and locate this entry: {20D04FE0-3AEA-1069-A2D8-08002B30309D}. Click on this CLSID number, and you'll see it's assigned to My Computer. Now click on the plus sign, then the DefaultIcon subkey. In the Registry Editor's right pane, double-click on the "ab" default entry. On most systems you should find this line: C:\WINDOWS\Explorer.exe,0. The zero at the end is the index of the icon resource inside EXPLORER.EXE. Simply change the 0 to a 4. If the value data next to the "ab" default entry reads C:\WINDOWS\SYSTEM\cool.dll,16 instead, that means you have Microsoft Plus! installed; in that case, type C:\WINDOWS\Explorer.exe,4 as the value for DefaultIcon in the Edit String dialog. Close the Registry Editor and check your desktop: My Computer should now be invisible except for its text label.

The System Policy Editor handles the last step. Choose File|Open Registry. Double-click on the Local User icon and click on the plus signs beside Shell and then Restrictions. Halfway down, you'll see an entry labeled Hide Network Neighborhood. Check it, then close the System Policy Editor.

This method of removing Network Neighborhood is more thorough than the "Hide all items on Desktop" option in the System Policy Editor. Unfortunately, it creates a barrier between the user and Network Neighborhood: you can still access network drives, but only if you've persistently mapped them in advance. Return to your nearly blank desktop.

Finally, grab your invisible My Computer by the top edge of the icon and drag it to the bottom of the desktop so that the label is directly underneath the Start button and Taskbar. The label will disappear. Now, if you double-click on the desktop just above the Start button, My Computer appears.


DID YOU KNOW...
Win 95 tracks passwords in a password list file (.PWL) it uses for both network and local log ons?
However, the initial implementation of password caching is easy to crack.
So if you're using passwords, download the Enhanced Password Cache Security Update from Microsoft's Web site
(http://www.microsoft.com/windows/software/updates.htm).
It improves password encryption and prompts users for network passwords rather than relying on the cache.


Big Returns
What if you decide you want to get rid of all the profiles and policies you have set up for the users on your system? User profiles don't take up much disk space, but facing the Welcome to Windows dialog every time you turn on the PC can be annoying.

To turn off User Profiles, reverse the steps you took to turn it on in Control Panel's Passwords applet, clicking on the radio button that reads "All users of this PC use the same preferences and desktop settings." When Windows restarts, you'll be back to the default profile, which resides in the .Default branch of the HKEY_USERS key in the Registry. (By the way, it's repeated in the HKEY_CURRENT_USER branch.) That's why it's a smart idea not to modify Local User before you add user profiles, unless there are modifications you'd like to make globally to all profiles.

When you turn off User Profiles, that's all you're doing. You're not deleting the individually named profile folders that Windows set up. Nor are you removing your profiles' settings in the Registry. It's reasonable to assume that Microsoft figures you might want to turn User Profiles back on later. But you should know how to get rid of profile settings fully after turning off User Profiles from the Passwords Control Panel. Run the Registry Editor and work your way down this branch: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList.

When you expand the ProfileList folder, you'll see entries for each profile name you've created, including your own, which Win 95 created when you first installed it. Right-click on and delete each in turn. Then close RegEdit and open the Profiles folder inside your Windows folder. Recycle everything you find in there. You need to do one more task to prevent the Welcome to Windows dialog from launching. When you build user profiles with passwords on a local system, separate password list (.PWL) files are created in the main Windows folder. Delete the .PWL files you find there, and restart the computer. You'll be prompted for a username and password, just as with your first installation of Win 95. Enter your name, but no password. A dialog will ask you one last time to confirm your name and nonpassword. Click on OK, and you'll never see the dialog again.

Finally, run the System Policy Editor to make sure your restrictions are set the way you want them. Got your Policies settings all screwed up, and you're not sure how to get back to square one? By default, the only check mark you should see in Local User is the one beside Wallpaper, under Desktop. Things vary in Local Computer, especially on a network. But here are the policy entries likely to have check marks: Network| Passwords|"Hide Share Passwords With Asterisks"; Network|Update| Remote Update; System|"Network Path For Windows Setup" (the field beside Path should contain the pathname to the drive and directory you installed Windows 95 from, such as E:\WIN95\); and System|Run. When you click on Run, then Show, be sure the following entries are included in the "Items to run at startup" listings: SystemTray should appear under Value Name, and SysTray.Exe should be its Value.

Both the Registry Editor and the System Policy Editor provide tools that can easily customize or cripple the Windows 95 operating system. That's why you can't take too many precautions when you're working with these utilities. But if you do choose to work with them, they will open up the operating system and give you greater control over how it interacts with users and your computing environment.


Enhancing Windows 95 Security

Maximum Method

Publicly accessible computers, such as those in schools, require a significant degree of security to prevent abuse. The Windows 95 CD-ROM provides the tool you need to implement restrictive policies on such machines in the form of the Policy Editor application. Unfortunately, the Windows 95 Resource Kit doesn't tell you how to use the Policy Editor for standalone computers, so I developed a method of my own:

1.Prepare the System. Use Explorer to make backup copies of USER.DAT and SYSTEM.DAT (hidden, read-only files in the Windows folder; turn on Show all files under View|Options to see them) in case of emergency. Make sure you have at least 10 MB free on the Windows 95 drive to hold user profile information.

2.Enable User Profiles. Launch the Passwords applet in Control Panel. Click the User Profiles tab, click the option "Users can customize...", and check the two check boxes. Click OK; Windows will restart.

3.Create Profiles. When Windows restarts, log on as 'USER' and allow Windows to create folders to hold your profile information. Shut down and log on again as 'ADMINISTRATOR', with a suitably obscure password, and again allow Windows to create profile folders. Don't forget this password!

4.Restrict User Access to Programs. While logged on as ADMINISTRATOR, use Explorer to navigate to C:\WINDOWS\PROFILES\USER\START MENU. In this folder, and those below it, delete any shortcuts to programs the user shouldn't be allowed to run, including every shortcut in the Recent folder. Be sure to delete shortcuts to the Policy Editor, Registry Editor and (optionally) Explorer.

5.Install Policy Editor. Launch the Add/Remove programs applet in Control Panel, click the Windows Setup tab and press the 'Have Disk' button. Navigate to the ADMIN\APPTOOLS\POLEDIT folder of the Windows 95 CD-ROM and install POLEDIT.INF. This will install POLEDIT and put it on the ACCESSORIES\SYSTEM TOOLS submenu of the Programs menu. It will also place the critical policy template file ADMIN.ADM in the C:\WINDOWS\INF folder. If you don't have the CD, you can download POLEDIT from http://www.microsoft.com or CIS MSWIN.

6.Define Default User Policy. Launch POLEDIT, create a new file and add new users named 'USER' and 'ADMINISTRATOR'. Double-click on the Default User icon, select System | Restrictions and check all four boxes. Select Shell | Restrictions and check the four boxes whose captions begin with Remove, plus the two that say Hide All Items on Desktop and Don't Save Settings at Exit. Do not check the Disable Shut Down command. Use Explorer to create a folder named DUMMY in the C:\WINDOWS\PROFILES folder. Back in POLEDIT, select Shell | Custom Folders and check all the boxes, filling in the dummy folder name you just created for those that require paths. Click OK and save the file as CONFIG.POL.

7.Define User Policy. Load the example policy file MAXIMUM.POL, click on the Default User icon and choose Copy from the Edit menu. Reload CONFIG.POL, click on the User icon and select Paste from the Edit menu. Double-click the User icon and choose Shell | Custom Folders. Click on the text of each check box in turn and, if an edit box appears below, replace C:\WINDOWS with C:\WINDOWS\PROFILES\USER. Make sure all boxes remain checked. Select Control Panel | Passwords and check the Restrict box; then check the other four boxes that appear below. Under Shell | Restrictions, check Remove Run command, Remove Find command, Hide Drives in My Computer and Don't Save Settings at Exit. Consult the Windows Resource Kit Help to determine what other restrictions you may wish to add, but be sure not to check Disable Shut Down command. Now go back to Shell | Restrictions and change any grey check boxes to blank (grey means "leave whatever is already in the Registry"; blank means "turn the restriction off").

8.Define Administrator Policy. Double-click the Administrator icon and go through the entire list of restrictions, setting every check box to blank, not grey. A blank box writes the restriction off explicitly, whereas a grey box leaves the Registry alone and would let restrictions from the Default User policy carry over. This protects the Administrator policy from being affected by the Default User policy.

9.Define 'no user' Policy. Log on again, but press Esc to close the log-on prompt. Run POLEDIT, select Open Registry from the File menu and double-click Local User. Apply all the same restrictions you applied to Default User. Then log on as 'ADMINISTRATOR' again.

10.Enable Policy Loading. Load CONFIG.POL in POLEDIT, open the Default Computer icon, select System and check Enable User Profiles. Under Network | Update, check Remote Update. Select Manual for the Update Mode and enter C:\WINDOWS\CONFIG.POL as the path. Save CONFIG.POL. Now select Open Registry from the File menu, double-click Local Computer and make the same change to the network update mode. Save changes and exit POLEDIT.

11.Test Policies. Log on as 'USER'; check that the policy restrictions you specified are in place. Now shut down, and log on again, but use a new name and password. There should be no icons on the desktop and no programs available (other than those you left there) from the Start menu. There should be nothing to do except log on again. This time press [ESC] at the password dialog. Again you should have no option but to log out.

12.Protect your Policies. Log on as 'USER' and confirm that there is no way to run POLEDIT. For greater safety, rename the file ADMIN.ADM (in the C:\WINDOWS\INF folder) to something else. Use the DOS command ATTRIB to remove the read-only, hidden and system attributes from the file MSDOS.SYS (located in the root of your boot drive) and load it into Notepad. Find the heading [Options] and add a line BootKeys=0. Leave the ";xxxx" filler lines alone: MSDOS.SYS must stay larger than 1024 bytes, as the comments in the file itself say. Save the file and restore its attributes. This change disables the F5, F8 and Shift+F5 startup keys, so the user can't break out of Windows 95's boot process into Safe Mode or a DOS prompt; keep your Startup Disk handy for the same reason. Finally, if the system BIOS allows it, use its SETUP program to disable booting from a floppy drive, and set a SETUP password so the user can't turn it back on.

13.Take extra precaution. Install "shutdown", by unzipping into a temporary folder and right-clicking on the file INSTALL.INF and selecting "install" from the pop-up menu. Then allow all users of the computer to log in. Now, run the utility from the Start Menu and highlight the users you want to enable to log in.
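Step 12 edits MSDOS.SYS by hand in Notepad. The Python below is an added example, not part of the original method: it makes the same edit on a copy of the file and, unlike a hand edit, enforces the one invariant that matters, that MSDOS.SYS stays over 1024 bytes (the ";xxxx" filler lines exist for that reason). It replaces an existing entry in place, inserts a new one before the filler comments, and creates the [Options] section if it is missing. Clear the attributes first (ATTRIB -R -S -H C:\MSDOS.SYS) and restore them afterwards (ATTRIB +R +S +H), as the step describes. The SAMPLE file in the script is constructed.

```python
"""Set an [Options] entry in a Windows 95 MSDOS.SYS without breaking the file.
Added example; operate on a copy with the attributes cleared.  SAMPLE is constructed."""

MIN_SIZE = 1024               # MSDOS.SYS must stay larger than this (see its own comments)
PAD_LINE = ";" + "x" * 69     # shape of the filler lines Windows Setup writes


def _section_span(lines, name):
    """Index of the [name] header and the index one past the section's last line."""
    start = None
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if start is not None:
                return start, i
            if s[1:-1].lower() == name.lower():
                start = i
    return (start, len(lines)) if start is not None else (None, None)


def get_option(text, key):
    """Value of key in [Options] (case-insensitive), or None if absent."""
    lines = text.splitlines()
    start, end = _section_span(lines, "Options")
    if start is None:
        return None
    for line in lines[start + 1:end]:
        s = line.strip()
        if s.startswith(";") or "=" not in s:
            continue
        k, v = s.split("=", 1)
        if k.strip().lower() == key.lower():
            return v.strip()
    return None


def set_option(text, key, value):
    """Return MSDOS.SYS text with key=value in [Options]: an existing entry is
    replaced in place, a new one goes before the filler comments, and the
    section is created if missing.  The result is padded past MIN_SIZE."""
    entry = "%s=%s" % (key, value)
    lines = text.splitlines()
    start, end = _section_span(lines, "Options")
    if start is None:
        lines += ["[Options]", entry]
    else:
        insert_at = end
        for i in range(start + 1, end):
            s = lines[i].strip()
            if s.startswith(";"):                 # filler comments end the entries
                insert_at = min(insert_at, i)
            elif s.split("=", 1)[0].strip().lower() == key.lower():
                lines[i] = entry                  # replace the existing entry
                break
        else:
            lines.insert(insert_at, entry)
    return pad("\r\n".join(lines) + "\r\n")       # DOS line endings


def pad(text):
    """Append filler lines until the file is larger than MIN_SIZE bytes."""
    while len(text.encode("ascii")) <= MIN_SIZE:
        text += PAD_LINE + "\r\n"
    return text


SAMPLE = (                    # constructed MSDOS.SYS, trimmed of most filler
    "[Paths]\r\nWinDir=C:\\WINDOWS\r\nWinBootDir=C:\\WINDOWS\r\nHostWinBootDrv=C\r\n\r\n"
    "[Options]\r\nBootMulti=1\r\nBootGUI=1\r\nNetwork=1\r\n;\r\n"
    ";The following lines are required for compatibility with other programs.\r\n"
    ";Do not remove them (MSDOS.SYS needs to be >1024 bytes).\r\n"
    + PAD_LINE + "\r\n"
)

if __name__ == "__main__":
    locked = set_option(SAMPLE, "BootKeys", "0")   # step 12: no F5/F8/Shift+F5 at boot
    print(get_option(locked, "BootKeys"), len(locked), "bytes")
```

Because BootKeys=0 also removes the Safe Mode keys, test the machine boots cleanly on the new file before you lock the floppy drive out in the BIOS; if Windows 95 fails to start, it still drops into Safe Mode on the next boot by itself, but the Startup Disk is your only other way in.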

Shutdown.zip: http://www.annoyances.org/win95/software.html

When working with the Policy Editor, any changes made to the default profile will be made to all profiles, and this isn't desired. So it's best to get used to typing in a username and password (or no password if you would like; just leave it blank the first time you log on) right now. Use a freeware utility called Robert's Shutdown, which will stop people from using the default profile and will prevent new users from logging onto the computer. Install this once all the profiles have been set up.

