Windows XP Group Policy Application Full Handbook Sun Yuan Zhang Yan Appendix Article
Most computer users manage their computers with third-party tools, or even by hand-editing the registry. In fact, Windows XP Group Policy integrates these functions: through Group Policy and its related tools, you can implement the features you need.
I. Group Policy Foundation
1. What is Group Policy
The registry is the database in which a Windows system stores the configuration of system software and application software. The registry holds more and more configuration items, and many of them can be customized, but they are scattered across every corner of the registry; configuring them by hand is as difficult and tedious as you would imagine. Group Policy collects the important configuration functions into configuration modules that the user can work with directly, which makes the computer easier to manage.
Put simply, a Group Policy setting modifies configuration in the registry. Group Policy, however, uses a better way of organizing management: it can manage and configure settings for various objects, and it is far more convenient, flexible, and powerful than modifying the registry by hand.
2. Group Policy Versions
Users of Windows 9x / NT will know the "System Policy" concept. Group Policy is in fact an advanced extension of System Policy, developed from the "System Policy" of Windows 9x / NT. It has more management templates, more flexible setting objects, and more features, and it is currently used in the Windows 2000 / XP / 2003 operating systems.
Early System Policy worked by defining a specific POL file (usually config.pol) through the policy management template. When the user logged in, it overwrote the configured values in the registry. The System Policy Editor also supported modifying the current registry, and connecting to a networked computer to set its registry.
Group Policy and its tools modify the current registry directly. Networking is the biggest feature of the Windows 2000 / XP / 2003 systems, so the Group Policy tools naturally support it: they can open a computer on the network for configuration, and can even open an Active Directory object (that is, a site, domain, or organizational unit) and configure it. The earlier "System Policy Editor" tool could not do this.
Of course, whether it is "System Policy" or "Group Policy", the basic principle is the same: both modify the corresponding configuration items in the registry in order to configure the computer. Only parts of their operating mechanism have changed and been extended.
3. Running Group Policy in Windows XP
In Windows 2000 / XP / 2003, the Group Policy program is installed by default. In the Start menu, click Run, type "GPEDIT.MSC" in the dialog box that opens, and click OK to run Group Policy, as shown in Figure 1.
With the method above, the Group Policy object that opens is the one for the current computer. To configure the Group Policy object of another computer, open Group Policy as a stand-alone MMC snap-in (management unit):
(1) Open the Microsoft Management Console (you can enter "MMC" directly in the "Run" dialog box of the Start menu).
(2) Click the "File → Add / Remove Management Unit" menu command, then click the Add button in the dialog box that opens.
(3) In the "Available Independent Management Unit" dialog box, click the Group Policy option, and then click the Add button.
(4) In the Select Group Policy Object dialog box, click the Local Computer option to edit the local computer object, or click Find to locate the Group Policy object you want.
(5) Click the "Finish" button. The Group Policy snap-in opens the Group Policy object to be edited.
(6) In the left pane, locate the item you want to change, right-click the specific option, and click the Properties command to open its properties dialog. Use the "Enabled", "Unconfigured", and "Disabled" options to manage the computer policy.
4. Management Templates in Group Policy
Windows 2000 / XP / 2003 include several ADM files. These are text files, called "management templates", that provide the policy information for the items under the "Administrative Template" folder in the console tree of the Group Policy snap-in.
In Windows 2000 / XP / 2003, the default ADM management templates are located in the INF folder of the system folder. A default installation contains four template files:
(1) System.adm: installed in Group Policy by default; used for system settings.
(2) inetres.adm: installed in Group Policy by default; used for Internet Explorer (IE) policy settings.
(3) WMPLAYER.ADM: used for Windows Media Player settings.
(4) conf.adm: Used for NetMeeting settings.
In the Group Policy console, you can add policy templates more than once. The steps are as follows:
First run the "Group Policy" program, select "Management Template" under "Computer Configuration" or "User Configuration", right-click it, and choose the "Add / Remove Template" command. In the dialog box that opens, click the "Add" button and select the appropriate ADM file. Click "Open" to load the selected template file into the editor, where it waits for the user to apply it.
After returning to the main interface of the Group Policy Editor, open "Local Computer Policy → User Configuration → Management Template" and click the appropriate branch of the directory tree. You will see the configuration items generated by the newly added management template.
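Because ADM files are plain text, a template can be reviewed before it is added through "Add / Remove Template". The following Python code is an added example, not part of the original article or of any Microsoft template: it parses a constructed sample template and lists the registry value each policy writes, flagging values that fall outside the two Policies subtrees. The sample template, its vendor key, and the function names are assumptions made for illustration.

```python
import re

# Registry subtrees reserved for policy. Values a template writes anywhere
# else are "preferences": they remain in the registry after the policy is
# set back to "Not configured".
POLICY_TREES = (
    "software\\policies\\",
    "software\\microsoft\\windows\\currentversion\\policies\\",
)

# Constructed sample template for illustration; not a file shipped with Windows.
SAMPLE_ADM = r'''
; constructed sample
CLASS USER
CATEGORY !!StartMenu
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    POLICY !!NoRun
        EXPLAIN !!NoRun_Help
        VALUENAME "NoRun"
    END POLICY
    CATEGORY !!Vendor
        POLICY !!VendorTweak
            KEYNAME "Software\ExampleVendor\Settings"
            VALUENAME "HideToolbar"
        END POLICY
    END CATEGORY
END CATEGORY
CLASS MACHINE
CATEGORY !!System
    POLICY !!NoAutoPlay
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        VALUENAME "NoDriveTypeAutoRun"
    END POLICY
END CATEGORY

[strings]
StartMenu="Start Menu and Taskbar"
NoRun="Remove Run menu from Start Menu"
NoRun_Help="Removes the Run command."
Vendor="Example vendor"
VendorTweak="Hide vendor toolbar"
System="System"
NoAutoPlay="Turn off Autoplay"
'''


def is_policy_location(key):
    """True if the registry key lies under one of the policy subtrees."""
    return ((key or "").lower().rstrip("\\") + "\\").startswith(POLICY_TREES)


def parse_adm(text):
    """Return one row per VALUENAME: hive, category path, policy, key, value."""
    parts = re.split(r"(?im)^\s*\[strings\]\s*$", text, maxsplit=1)
    strings = {}
    for line in (parts[1] if len(parts) > 1 else "").splitlines():
        m = re.match(r'\s*([^=\s;]+)\s*=\s*"(.*)"\s*$', line)
        if m:
            strings[m.group(1)] = m.group(2)

    def resolve(tok):  # "!!Name" refers to an entry in the [strings] section
        return strings.get(tok[2:], tok) if tok.startswith("!!") else tok

    hive, cats, policy, rows = None, [], None, []
    for line in parts[0].splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        word, arg = toks[0].upper(), (toks[1] if len(toks) > 1 else "")
        if word == "CLASS":
            hive = {"MACHINE": "HKLM", "USER": "HKCU"}.get(arg.upper(), arg)
        elif word == "CATEGORY":
            cats.append({"name": resolve(arg), "key": None})
        elif word == "POLICY":
            policy = {"name": resolve(arg), "key": None}
        elif word == "KEYNAME" and (policy or cats):
            # Simplification: a KEYNAME inside a PART is treated as policy-wide.
            (policy or cats[-1])["key"] = arg
        elif word == "VALUENAME" and policy:
            # A policy without its own KEYNAME inherits the nearest category's.
            key = policy["key"] or next(
                (c["key"] for c in reversed(cats) if c["key"]), None)
            rows.append({
                "hive": hive,
                "path": " / ".join(c["name"] for c in cats),
                "policy": policy["name"],
                "key": key,
                "value": arg,
                "managed": is_policy_location(key),
            })
        elif word == "END" and arg.upper() == "POLICY":
            policy = None
        elif word == "END" and arg.upper() == "CATEGORY" and cats:
            cats.pop()
    return rows


def preferences(rows):
    """Rows that write outside the policy subtrees; review these before loading."""
    return [r for r in rows if not r["managed"]]


if __name__ == "__main__":
    for r in parse_adm(SAMPLE_ADM):
        flag = "policy" if r["managed"] else "PREFERENCE"
        print(f'{r["hive"]}\\{r["key"]}\\{r["value"]}  <- {r["policy"]} [{flag}]')
```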
Note: The following operations are performed in Windows XP.
II. Personalizing My Computer
1. Delete the "Document" menu item in the "Start" menu
On a computer, some users do not want other users to see the documents or other information they have edited. To delete the "Document" menu item, which records the history of opened documents, we can modify Group Policy.
Location: / User Configuration / Management Template / Task Bar and "Start" menu /
If you enable this setting, the system still saves the "Document" shortcuts but does not display them in the Document menu. If you disable this setting or leave it unconfigured, the "Document" shortcuts saved when the setting was applied and while it was in effect appear in the Document menu, as shown in Figure 2.
Note: This setting does not prevent Windows programs from displaying shortcuts to recently opened documents.
Alternatively, you can have the history of recently opened documents cleared when you exit the system.
Location: / User Configuration / Management Template / Task Bar and "Start" menu /
If you enable this policy setting, the system deletes the shortcuts when the user exits, so the Document menu on the Start menu is always empty when the user logs in. If this setting is disabled or not configured, the system keeps the document shortcuts, and the Document menu the user sees at login is exactly the same as when the user exited the system.
Note: The system saves a document shortcut in the user profile in the / Documents and Settings /
2. Delete the "Run" menu item in the Start menu
The Run item in the Start menu lets you enter a program name to start the program. We can delete the "Run" menu item from the Start menu.
Location: / User Configuration / Management Template / Task Bar and "Start" menu /
If this setting is enabled, the following changes take effect:
(1) The "Run" command is removed from the Start menu.
(2) The New Task (Run) command is removed from Task Manager.
(3) Users are blocked from entering the following items in the IE address bar:
UNC path: //
Access local drive: For example, C:.
Access local folders: for example, / temp>.
At the same time, pressing the Win + R keys does not display the "Run" dialog. If you disable or do not configure this setting, users can access the "Run" command from the Start menu and Task Manager, and can use the IE address bar.
Note: This policy only affects the specified interfaces. It does not prevent users from running programs by other methods.
3. Slim down the "Start" menu
If the Windows "Start" menu is too bloated, you can remove the unwanted menu items from it through Group Policy settings.
Location: / User Configuration / Management Template / Task Bar and "Start" menu /
The right-hand pane of Group Policy provides configuration items such as "Delete user folders from the Start menu", "Delete access and links to Windows Update", "Delete public program groups from the Start menu", and "Delete the My Documents icon from the Start menu". You only need to enable the policies that correspond to the unwanted menu items.
4. Hide and disable all items on the desktop
This policy removes icons, shortcuts, and other default and user-defined items from the desktop.
Location: / User Configuration / Management Template / Desktop /
Removing the icons and shortcuts does not prevent users from using another method to start the programs or open the items that those icons and shortcuts represent.
5. Do not save user settings on exit
This policy prevents the user from saving certain changes to the desktop.
Location: / User Configuration / Management Template / Desktop /
If you enable this setting, users can still make changes to the desktop, but some changes, such as the positions of icons and open windows and the position and size of the taskbar, are not saved after the user logs off.
6. Enable / disable "Active Desktop"
Active Desktop is an advanced feature of Windows 98 (and later versions) and of systems with IE 4.0 installed. Its biggest feature is that pictures in various formats, and even web pages, can be used as wallpaper. For security and performance reasons, however, we sometimes need to disable this feature (and prevent users from enabling it).
Location: / User Configuration / Management Template / Desktop / Active Desktop
Tip: If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Disable Active Desktop and Web View" setting (in "User Configuration / Management Templates / Windows Components / Windows Explorer") is enabled, Active Desktop is disabled and both of these policies are ignored.
7. Remove Shared Documents from "My Computer"
When a Windows user is in a workgroup, a "Shared Documents" icon appears under "Other Places" and under "Files Stored on This Computer" in the Windows Explorer web view. With this setting, you can choose not to display these items.
Location: / User Configuration / Management Template / Windows Components / Windows Explorer /
If this setting is enabled, the Shared Documents folder does not appear in web view or in "My Computer". If it is disabled or not configured, the Shared Documents folder appears in web view and in "My Computer" when the user is part of a workgroup.
8. Do not move deleted files to the "Recycle Bin"
When a file or folder is deleted in Windows Explorer, a copy of it is placed in the "Recycle Bin". You can change this behavior using this policy.
Location: / User Configuration / Management Template / Windows Components / Windows Explorer /
If this setting is enabled, files and folders deleted using Windows Explorer are not placed in the "Recycle Bin"; they are permanently deleted. If you disable or do not configure this setting, files and folders deleted using Windows Explorer are placed in the "Recycle Bin".
III. Using Group Policy for System Settings
1. Do not display the welcome screen at logon
To speed up computer startup, we can use Group Policy to stop the Windows XP welcome screen from being displayed.
Location: / User Configuration / Management Template / System /
To display the welcome screen, click Start → Programs → Accessories → System Tools, and then click the Start option. To hide the welcome screen without specifying this setting, clear the "Display this screen at startup" check box on the welcome screen.
Note: This setting appears in both the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
2. Configure the driver search locations
By default, Windows searches for drivers in the local installation, floppy drives, optical drives, Windows Update, and other locations. This setting configures the locations that Windows searches when it looks for a driver.
Location: / User Configuration / Management Template / System /
If this setting is enabled, you can remove any of these three locations by selecting the check box next to the location name. If it is disabled or not configured, Windows searches for the driver in the local installation, floppy drives, optical drives, and Windows Update.
3. Turn off AutoPlay
With AutoPlay, as soon as you insert media into a drive, the system starts running it from the drive. As a result, a program's setup file, or the music on audio media, starts immediately. This policy turns AutoPlay off.
Location: / User Configuration / Management Template / System /
If you enable this setting, you can disable AutoPlay on CD-ROM drives only or on all drives.
Note: This setting appears in both the "Computer Configuration" and "User Configuration" folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
In addition, this setting does not prevent music CDs from playing automatically.
4. Run only allowed Windows applications
This policy limits which Windows programs users are allowed to run.
Location: / User Configuration / Management Template / System /
If you enable this setting, users can only run the programs that you add to the "Allowed Application List".
This setting only prevents users from starting programs from Windows Explorer. It cannot prevent users from starting programs in other ways, such as from Task Manager. If the user can access the command prompt window, this setting cannot prevent the user from using the command window to start programs that are not allowed to run in Windows Explorer.
Note: To create the list of allowed applications, click the "Display" button, click the Add button in the dialog that opens, then enter the application's executable file name (for example, Winword.exe, Poledit.exe, PowerPNT . As shown in Figure 3.
5. Delete Task Manager
Pressing the Ctrl + Alt + Del keys together displays the Windows Task Manager dialog. Task Manager lets users start or terminate programs, monitor computer performance, view and monitor everything running on the computer (including system services), look up the executable file names of programs, and change program priorities. We can remove Task Manager through Group Policy.
Location: / User Configuration / Management Templates / System / Ctrl Alt DEL Options /
If this setting is enabled and the user tries to start Task Manager, the system displays a message explaining that a policy prohibits this operation.
6. Delete the Change Password option
This policy prevents the user from changing the system password through the Task Manager.
Location: / User Configuration / Management Templates / System / Ctrl Alt DEL Options /
This setting disables the "Change Password" button on the Windows Security dialog. However, the user can still change the password when prompted by the system: when the administrator requires a new password or the password has expired, the system prompts the user to enter a new password.
7. Do not allow Windows Messenger to run
Windows XP ships with the chat tool Windows Messenger, but we may also have MSN Messenger installed on the system. This policy lets you disable Windows Messenger.
Location: / User Configuration / Management Template / Windows Components / Windows Messenger
Windows Messenger does not run if the policy is enabled. Windows Messenger can be used if the policy is disabled or not configured.
Note: If this policy is enabled, Remote Assistance cannot use Windows Messenger. In addition, this policy also appears in "Computer Configuration". If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
8. Turn off System Restore
System Restore is a powerful function integrated in Windows XP / 2003. It works while the system is running, saving the files and data needed for a restore; if a problem occurs, System Restore lets users return the computer to a previous state without losing personal data files. By default, System Restore is turned on.
But this feature has a considerable cost: system performance drops noticeably, and it takes up a lot of disk space. For a computer with a modest configuration, turning this feature off is strongly recommended.
Location: / Computer Configuration / Management Templates / System / System Restore / Off System Restore
Enabling this setting turns off System Restore; the System Restore Wizard and its configuration interface can no longer be accessed.
IV. Using Group Policy to Adjust Internet Settings
1. Disable importing and exporting Favorites
This policy prohibits users from importing or exporting Favorites using the Import / Export Wizard menu item.
Location: / User Configuration / Management Template / Windows Components / Internet Explorer
If this policy is enabled, the Import / Export Wizard cannot import or export Favorites links and cookies. If you disable this policy or do not configure it, the user can import and export Favorites in IE by clicking the Import and Export menu item on the File menu and then running the Import / Export Wizard.
Note: If this policy is enabled, the user can still view the Import / Export Wizard, but when the user clicks the "Complete" button, a prompt appears saying that the function has been disabled.
2. Disable the settings on the Advanced tab
This policy prohibits users from changing the settings on the Advanced tab in the Internet Options dialog.
Location: / User Configuration / Management Template / Windows Components / Internet Explorer
If this policy is enabled, the user cannot change the advanced Internet settings, such as security, multimedia, and printing. The user cannot select the check boxes on the Advanced tab or clear them. If you disable the policy or do not configure it, the user can select or clear the settings on the Advanced tab.
If you set the "Disabled Advanced Page" policy in / User Configuration / Management Template / Windows Component / Internet Explorer / Internet Control Panel, you do not need to set this policy, because the "Disable Advanced Page" policy removes the "Advanced" tab from the interface.
3. Use the "Auto Detection" property for dial-up connections
Automatic detection uses a DHCP (Dynamic Host Configuration Protocol) or DNS server to configure the browser when it starts. This policy specifies that automatic detection configures the user's dial-up settings.
Location: / User Configuration / Management Template / Windows Components / Internet Explorer
If this setting is enabled, automatic detection configures the user's dial-up settings. If it is disabled or not configured, automatic detection does not configure the user's dial-up settings unless the user specifies it.
4. Disable the Internet Connection Wizard
This policy prohibits the user from running the Internet Connection Wizard.
Location: / User Configuration / Management Template / Windows Components / Internet Explorer
If this policy is enabled, the "Connection" button on the "Connection" tab in the Internet Options dialog is grayed out. Users also cannot run the Internet Connection Wizard by clicking the "Connect to the Internet" icon on the desktop, or by clicking Start → Programs → Accessories → Communication and then clicking the Internet Connection Wizard. If you disable this policy or do not configure it, the user can change the connection settings by running the Internet Connection Wizard.
Note: This policy is similar to the "Disabled Connection Page" policy in / User Configuration / Management Template / Windows Component / Internet Explorer / Internet Control Panel, which removes the Connections tab from the interface. Removing the Connection tab from the interface does not stop the user from running the Internet Connection Wizard from the desktop or the Start menu.
5. Disable form auto-completion
This policy prohibits IE from automatically completing forms, such as filling in a name or password that you have previously entered on a web page.
Location: / User Configuration / Management Template / Windows Components / Internet Explorer
If this policy is enabled, the "Form" check box is grayed out. The Forms check box is reached through the "AutoComplete" button on the "Content" tab in the Internet Options dialog. If you disable this policy or do not configure it, the user can enable form auto-completion.
The "Disable Content Page" policy in / User Configuration / Management Template / Windows Component / Internet Explorer / Internet Control Panel takes precedence over this policy. If the "Disable Content Page" policy is enabled, this policy is ignored, because the "Disable Content Page" policy removes the "Content" tab from the Internet Explorer Properties dialog box in Control Panel.
Note: If the user was already using the browser with form auto-completion turned on before this policy is enabled, the content the user previously entered in forms is not cleared.
6. Configure the media browser bar properties
The media browser bar plays music and video content from the Internet. This policy lets administrators enable and disable the media browser bar and set the default automatic playback behavior.
Location: / User Configuration / Management Template / Windows Components / Internet Explorer
If the media browser bar is disabled, the user cannot display it, and automatic playback is also disabled. When the user clicks a media link in IE, the system's default media client plays the content. If the media browser bar is enabled or not configured, the user can display and hide the media browser bar.
Administrators can also turn automatic playback on and off. This setting applies only when the media browser bar is enabled. If it is selected, the media browser bar is displayed automatically and plays the media content when the user clicks a media link. If it is not selected, the system's default media client plays the content.
7. Disable the right-click shortcut menu
This policy disables the shortcut menu that appears when the user right-clicks in IE.
Location: / User Configuration / Management Template / Windows Component / Internet Explorer / Browser Menu
If the policy is enabled, the shortcut menu does not appear when the user points to a web page and right-clicks. If you disable the policy or do not configure it, the user can use the shortcut menu.
8. Customize the IE title bar
We can use Group Policy to customize the text in the IE and OE title bars. The OE title bar is updated regardless of whether OE is included in the package.
Location: / User Configuration / Management Template / Windows Settings / Internet Explorer Maintenance / Browser User Interface / Browser Title
In the dialog box that opens, select the Custom Title Bar option, and then type the desired text in the Title Bar Text box. Note: When you select a bitmap, make sure that its color contrasts with the text. This ensures better readability for the user.
9. Customize IE toolbar buttons
We can use this policy to personalize the toolbar in IE, which gives a certain flexibility and room for design. The elements that can be customized include the toolbar background and the icon appearance of the standard toolbar buttons (such as "Search" and "History").
Location: / User Configuration / Management Template / Windows Settings / Internet Explorer Maintenance / Browser User Interface / Browser Toolbar custom
In the dialog box that opens, click the Add button. Then, in the "Toolbar Title (Required)" box of the next dialog box, type the text that appears when the user's mouse hovers over the toolbar button. The title or label of the button must be specified. The recommended maximum length is 10 characters.
In the "Toolbar operation (as a script file or executable, required)" box, type the name of the script file or executable, or click the "Browse" button to find the file. You must specify the script file or executable that runs when the user clicks the toolbar button.
In the "Toolbar Color Icon (Required)" box, type the name of the file that represents the button in its active state, or click the "Browse" button to find the file. You must specify the color icon for the button that appears on the toolbar. The icon consists of 20 × 20 pixel images for the active and non-active states.
In the "Toolbar Gray Icon (Required)" box, type the file name and location of the grayscale icon that appears on the toolbar on a black-and-white monitor, or click the "Browse" button to find the file. You must specify a grayscale icon to be displayed on the toolbar.
Select the "By default, this button should be displayed on the toolbar" check box to display the toolbar button in the user's browser by default.
V. Using Group Policy to Optimize the Network Environment
1. Prohibit access to the properties of network connection components
The Local Connect Properties dialog box includes a list of the network components used by the connection. To view or change a component's properties, click the component name, and then click the Properties button below the component list, as shown in Figure 4. This policy determines whether the user can change the properties of the components used by a network connection; that is, whether the "Properties" button for network connection components is enabled.
Location: / User Configuration / Management Template / Network / Network Connection /
If you enable this setting (and enable "Enable Network Connection Settings for Administrators"), the Properties button is disabled for administrators. Whether or not the "Enable Network Connection Settings for Administrators" setting is enabled, users cannot access the connection components. If you disable or do not configure "Enable Network Connection Settings for Administrators".
If you disable or do not configure this setting, the Properties button is enabled for the user.
2. Disable TCP / IP advanced configuration
This policy determines whether the user can configure advanced TCP / IP settings.
Location: / User Configuration / Management Template / Network / Network Connection /
If this setting is enabled (and "Enable Network Connection Settings for Administrators" is enabled), the Advanced button in the Internet Protocol (TCP / IP) properties dialog is disabled for all users (including administrators). Users therefore cannot open the Advanced TCP / IP Settings dialog and modify IP settings (for example, DNS and WINS server information). If this setting is disabled, the Advanced button is enabled and all users can open the Advanced TCP / IP Settings dialog.
Note: This setting is overridden by the settings that prohibit access to connection properties or connection component properties. If those policies are set to deny access to the Connection Properties dialog or to the "Properties" button for connection components, the user cannot reach the Advanced button for TCP / IP configuration. Regardless of this setting, non-administrator users cannot access the advanced TCP / IP configuration of a network connection. After this setting is changed from "Enabled", the "Advanced" button is not enabled until the user logs off.
3. Prohibit adding or removing components for network or remote access connections
The "Install" button for a network connection or remote access connection opens the dialog box for adding network components. The "Uninstall" button deletes the component selected in the component list. The Install and Uninstall buttons appear in the connection's "Properties" dialog, on the General tab and the Network tab. This policy determines whether the administrator can add and delete network components for network connections or remote access connections.
Location: / User Configuration / Management Template / Network / Network Connection /
If this setting is enabled (and "Enable Network Connection Settings for Administrators" is enabled), the "Install" and "Uninstall" buttons for connection components are disabled, and users are not allowed to access network components in the Windows Component Wizard. If you disable or do not configure this setting, the "Install" and "Uninstall" buttons for connection components in the Network Connection folder are enabled, and users can access network components in the Windows Component Wizard.
4. Prohibit access to the properties of a network connection
When you right-click the "Online Neighbor" icon, the shortcut menu that opens contains a Properties menu item, which opens the Network Connection Properties dialog. This policy determines whether the user can change the properties of a network connection.
Location: / User Configuration / Management Template / Network / Network Connection /
If this setting is enabled (and "Enable Network Connection Settings for Administrators" is enabled), the Properties menu item is disabled for all users, and users cannot open the Connection Properties dialog. If you disable or do not configure this setting, the "Properties" menu item is available when the user right-clicks the "Online Neighbor" icon. Similarly, when the user selects the connection, the "Properties" menu item on the File menu is enabled.
Note: This setting takes precedence over the settings that control the availability of functions in the Local Connection Properties dialog. If this setting is enabled, users cannot use any of the functions of the properties dialog for a network connection.
5. Change the properties of all-user remote access connections
This policy determines whether the user can view and change the properties of remote access connections that are available to all users of the computer. It determines whether the Properties menu item is enabled and whether the remote access connection properties dialog is available to users.
Location: / User Configuration / Management Template / Network / Network Connection /
If this setting is enabled, the "Properties" menu item appears when any user right-clicks the icon of a remote access connection. Similarly, "Properties" appears on the File menu when any user selects the connection. If you disable this setting (and enable "Enable Network Connection Settings for Administrators"), the Properties menu item is disabled, and users (including administrators) cannot open the remote access connection properties dialog box. If this setting is not configured, only administrators can change the properties of all-user remote access connections.
Note: This setting takes precedence over the settings that control the availability of functions within the Connection Properties dialog box. If this setting is disabled, the user cannot use any of the functions of the remote access connection properties dialog.
6. Enable Windows XP network connection settings for administrators
This policy determines whether the existing settings in Windows XP apply to administrators. By default, the Network Connection group settings in Windows XP do not have the ability to restrict administrators.
Location: / User Configuration / Management Template / Network / Network Connection /
If this setting is enabled, the settings that already exist in Windows XP gain the ability to block administrators from using certain features. These settings include: "Ability to rename network connections or remote access connections", "Prohibit the properties of the network connection component", "Prohibit the properties of the remote access connection component", "Access TCP/IP Advanced Configuration capabilities", "Prohibit Advanced Setup Items on Advanced Menu", "Prohibit adding and removing components for network connections or remote access connections", "Prohibit Access to Network Connections", "Prohibit enabling/disabling network connection components", "Ability to change the properties of all-users remote access connections", "Disable the Properties of Dedicated Remote Access Connections", "Disable Delete Remote Access Connections", "Ability to delete all-users remote access connections", "Prohibit connecting and disconnecting remote access connections", "Enable/Disable Network Connections", "Prohibit access to the New Connection Wizard", "Prohibit renaming dedicated remote access connections", "Prohibit access to Dial Parameter Selection on Advanced Menu", "Disable the status of the activity connection". When this setting is enabled, the above settings also apply to administrators. If you disable or do not configure this setting, the above settings do not apply to administrators.
Note: This setting is intended for cases where the group policy object to which these settings are applied includes both Windows 2000 and Windows XP computers, and the same network connection policy behavior is required on all Windows 2000 and Windows XP computers.
VI. Carefully Maintaining System Security
1. Prevent access to drives from "My Computer"
This policy prevents users from using "My Computer" to access the contents of selected drives.
Location: / User Configuration / Management Template / Windows Components / Windows Explorer /
If this setting is enabled, the user cannot view the contents of the selected drives in "My Computer" or Windows Explorer. The user also cannot use the Run dialog, the Map Network Drive dialog, or the DIR command to view the directories on these drives. To use this setting, select a drive or several drives. To allow access to all drive directories, disable this setting or select the "Do not limit the drive" option.
Note: The drive icons still appear in "My Computer", but if the user double-clicks an icon, a message appears explaining that a setting prevents the action. This setting also does not prevent users from accessing local and network drives by using programs.
2. Prohibit "Logout" and "Shutdown"
If you do not want users to shut down or log out once the computer has started, you can configure this through Group Policy.
Location: / User Configuration / Management Template / Task Bar and "Start" menu /
This setting removes the "Shutdown" option from the Start menu and disables the "Shutdown" option in the Windows Task Manager dialog (press Ctrl+Alt+Del). Note that this setting prevents the user from shutting down through the Windows interface, but it cannot prevent the user from shutting down with third-party tools.
Tip: If the "Delete 'Logout' on the 'Start' menu" policy is enabled, the "Show Logout" item is also removed from the "Start" menu options. The result is that the user cannot restore the "Logout
3. Block access to the command prompt
This policy prevents users from running the command prompt window (cmd.exe). The setting also determines whether batch files (.cmd and .bat) can run on the computer.
Location: / User Configuration / Management Template / System /
If this setting is enabled and the user tries to open a command window, a message appears explaining that a setting blocks this operation.
Note: If your computer uses logon, logoff, startup or shutdown batch file scripts, it does not prevent your computer from running batch files; nor does it prevent users of Terminal Services from running batch files.
4. Block access to registry editing tools
This policy disables the Windows Registry Editor, Regedit.exe.
Location: / User Configuration / Management Template / System /
If this setting is enabled and the user attempts to start the Registry Editor, a message appears explaining that a setting prohibits the operation. To prevent users from using other system management tools, use the "Run License Windows Application" policy setting.
5. Prohibit access to the Control Panel
The Control Panel allows users to configure their computers, add or delete programs, and change settings. This policy prevents the Control Panel program from starting and prevents any Control Panel item from running.
Location: / User Configuration / Management Template / Control Panel /
The policy also removes the Control Panel menu item from the Start menu and removes the Control Panel folder from Windows Explorer. If the user tries to select a Control Panel item from the "Properties" option of a right-click shortcut menu, a message appears explaining that a setting prevents this operation.
6. Hide specified Control Panel programs
This policy removes the specified items (such as Display) and folders from the Control Panel window and the Start menu. It can remove Control Panel items included with Windows XP as well as Control Panel items you have added to the system.
Location: / User Configuration / Management Template / Control Panel /
To hide a Control Panel item, click the "Enable" option in the dialog box that opens, then click the "Show" button; in the dialog box that opens, click the "Add" button and enter the item's file name, such as NCPA.cpl (for network). To hide a folder, enter the folder name, such as "font".
This setting only affects the Start menu and the Control Panel window. It does not prevent users from using the Run dialog to run Control Panel items.
Note: To find the file name of a Control Panel item, look for files with the .cpl extension in the / system32 directory.
7. Password protect the screen saver
This policy determines whether the screen savers used on the computer are password protected.
Location: / User Configuration / Management Template / Control Panel / Display /
If you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver. This setting also disables the "Panel Protection" check box in the "Display" item in Control Panel, which prevents users from changing the password protection setting. If you do not configure this policy, users can choose whether to use password protection on each screen saver.
Note: This setting can only be used if you specify a screen saver on your computer.
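Because Group Policy settings are ultimately registry configuration, the restrictions in this section can be audited from a registry export of the user's policy keys. The Python code below is an added example, not part of the original handbook. The key paths and value names (NoViewOnDrive, NoClose, NoControlPanel, DisableRegistryTools, DisableCMD) are the ones these policies are commonly documented to write and are not given on this page, and the export text is constructed sample data.

```python
import re

# Constructed sample .reg export (real exports are UTF-16 files; decode first).
# Key paths and value names are assumptions; they do not appear on this page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewOnDrive"=dword:0000000c
"NoClose"=dword:00000001
"NoControlPanel"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002
'''

def parse_reg(text):
    """Return {key_path_lower: {value_name: int}} for the dword values in an export."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                current[m.group(1)] = int(m.group(2), 16)
    return keys

def drives_from_mask(mask):
    """NoViewOnDrive is a bitmask: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:."""
    return [chr(ord("A") + i) for i in range(26) if mask & (1 << i)]

def audit(text):
    keys = parse_reg(text)
    base = r"hkey_current_user\software"
    explorer = keys.get(base + r"\microsoft\windows\currentversion\policies\explorer", {})
    system = keys.get(base + r"\microsoft\windows\currentversion\policies\system", {})
    pol_sys = keys.get(base + r"\policies\microsoft\windows\system", {})
    cmd = {0: "allowed", 1: "cmd.exe and batch files blocked",
           2: "cmd.exe blocked, batch files allowed"}
    return {
        "blocked_drives": drives_from_mask(explorer.get("NoViewOnDrive", 0)),
        "shutdown_removed": explorer.get("NoClose", 0) == 1,
        "control_panel_blocked": explorer.get("NoControlPanel", 0) == 1,
        "regedit_blocked": system.get("DisableRegistryTools", 0) != 0,
        "command_prompt": cmd.get(pol_sys.get("DisableCMD", 0), "unknown value"),
    }
```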
VII. Using Group Policy to Improve Windows Entertainment Functions
1. Prevent CD and DVD media information retrieval
This policy prevents Windows Media Player 9.0 from retrieving media information about CDs and DVDs from the Internet. In addition, the check box for this feature on the "Privacy Options" tab of the dialog box and on the "Privacy" tab in the Player is not selected and is not available.
Location: / User Configuration / Management Template / Windows Components / Windows Media Player
If this policy is not configured or is disabled, the user can change the setting of the "Search CD and DVD Media Information from the Internet" check box.
2. Prevent music file media information retrieval
This policy prevents Windows Media Player 9.0 from automatically retrieving media information about music files (such as Windows Media Audio (WMA) and MP3 files). In addition, the check box for updating music files (WMA and MP3 files) by retrieving media information from the Internet, found in the dialog box and on the "Privacy" and "Media" tabs of the Player, is not selected and is not available.
Location: / User Configuration / Management Template / Windows Components / Windows Media Player
If this policy is not configured or is disabled, the user can change the setting of the check box for updating music files (WMA and MP3 files) by retrieving media information from the Internet.
3. Specify the streaming protocol
This policy specifies that the protocols selected on the Settings tab can be used to receive streaming media from the Windows Media server. It also specifies that multicast streams can be received when the "Multicast" check box is selected on the Settings tab. If the "UDP" check box is selected on the Settings tab and the "UDP Port" box is empty, Windows Media Player plays content from the Windows Media server using the default port. If the "UDP" check box is not selected, the information in the "UDP Port" box is ignored.
If no protocol is selected and the policy is enabled, the content from the Windows Media server will not be played.
Location: / User Configuration / Management Template / Windows Components / Windows Media Player / Network
If you enable or disable this policy, the "Flow Protocol" section on the "Network" tab of the Player is not available. If the "Hide 'Network' Tab" policy is enabled, the entire "Network" tab is hidden. If this policy is disabled, the Player does not receive streaming media from the Windows Media server. If you need to control the type of streaming, it is recommended to use other methods, such as firewalls. If this policy is not configured and the "Hide 'Network' Tab" policy is not enabled, the user can change the settings in the "Flow Protocol" section of the "Network" tab.
4. Configure the HTTP proxy
This policy specifies the proxy server settings for the HTTP protocol. If this policy is enabled, you must select a proxy type (automatic detection, custom, or using the browser proxy server setting). "Automatic detection" means that the system automatically detects the proxy server settings. "Custom" means using unique proxy server settings. "Using browser proxy server settings" means using the browser's proxy server settings.
If you select the custom proxy server type, you must specify the remaining options on the "Settings" tab, because the proxy server has no default settings. These options can be ignored if "Auto Detect" or "Browser" is selected.
The "Configuration" button on the Player's "Network" tab is unavailable for the HTTP protocol, so the proxy server cannot be configured. If you also enable the "Hide 'Network' Tab" policy, the entire "Network" tab is not visible.
If the "Stream Media Protocol" policy is enabled and the HTTP protocol is not selected, this policy is ignored.
Location: / User Configuration / Management Template / Windows Components / Windows Media Player / Network
If this policy is disabled, the HTTP proxy server cannot be used, and the user cannot configure the HTTP proxy server. If this policy is not configured, the user can configure the HTTP proxy server settings.
5. Configure the MMS proxy server
This policy specifies the proxy server settings for the MMS protocol. If this policy is enabled, you must select a proxy type (automatic detection or custom). "Automatic Detection" means that the system automatically detects the proxy server settings. "Custom" means using the unique proxy server settings.
If you select the custom proxy type, you must specify the remaining options on the "Settings" tab. Otherwise, the default settings are used. If you select "Automatic Detection", these options are ignored.
The "Configuration" button on the "Network" tab is unavailable and the protocol cannot be configured. If you also enable the "Hide 'Network' Tab" policy, the entire "Network" tab is hidden.
If the "Stream Media Protocol" policy is enabled, the policy will be ignored.
Location: / User Configuration / Management Template / Windows Components / Windows Media Player / Network
If this policy is disabled, the MMS proxy server cannot be used, and the user cannot configure the MMS proxy server settings. If this policy is not configured, the user can configure the MMS proxy server settings.