Disable Windows Menu Options under Local Policy

Posted on 2002-05-26
Last Modified: 2010-04-13
I have a standalone Windows 2000 Professional PC. How do I disable menu options and not allow a user/group to install any programs under local policy? I.e., I would like to disable access to Control Panel and the Run command.

Please help
Question by:vb7guy
LVL 44

Expert Comment

ID: 7036471
Start > Run gpedit.msc

User Configuration > Administrative Templates > Control Panel
Double-click on "Disable Control Panel" and enable the policy.

Official Explanation
"Disables all Control Panel programs.

This policy prevents Control.exe, the program file for Control Panel, from starting. As a result, users cannot start Control Panel or run any Control Panel items.

This policy also removes Control Panel from the Start menu. (To open Control Panel, click Start, point to Settings, and then click Control Panel.) This policy also removes the Control Panel folder from Windows Explorer.

If users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a policy prevents the action.

Also, see the "Disable Display in Control Panel" and "Disable programs on Settings menu" policies."

The Crazy One
LVL 44

Expert Comment

ID: 7036478
User Configuration > Administrative Templates > Windows Components > Windows Installer
Disable media source for any install.

Official Explanation
"Prevents users from installing programs from removable media.

If a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears, stating that the feature cannot be found.

This policy applies even when the installation is running in the user's security context.

If you disable this policy or do not configure it, users can install from removable media when the installation is running in their own security context, but only system administrators can use removable media when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add/Remove Programs.

Also, see the "Enable user to use media source while elevated" policy in Computer Configuration\Administrative Templates\Windows Components\Windows Installer.

Also, see the "Hide the "Add a program from CD-ROM or floppy disk"" policy in User Configuration\Administrative Templates\Control Panel\Add/Remove Programs."

Always install with elevated privileges
Official Explanation
"Directs Windows Installer to use system permissions when it installs any program on the system.

This policy extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add/Remove Programs in Control Panel. This policy lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers.

If you disable this policy or do not configure it, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer.

Note: This policy appears both in the Computer Configuration and User Configuration folders. To make this policy effective, you must enable the policy in both folders.

Caution: Skilled users can take advantage of the permissions this policy grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy is not guaranteed to be secure."

User Configuration > Administrative Templates > Start Menu & Taskbar
Remove Run menu from Start Menu.

Official Explanation
"Removes the Run command from the Start menu and removes the New Task (Run) command from Task Manager. Also, users with extended keyboards can no longer display the Run dialog box by pressing Application key (the key with the Windows logo) + R.

This policy affects the specified interface only. It does not prevent users from using other methods to run programs."
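
An added example, not part of the thread or of Microsoft's tooling: a Python audit of a regedit export that reports which of the policies discussed above are in force, and flags "Always install with elevated privileges" when it is enabled in both hives, the condition the quoted Caution warns about. The registry value names (NoControlPanel, NoRun, DisableMedia, AlwaysInstallElevated) are the standard ones behind these policies and do not appear in the thread; the export text is constructed sample data.

```python
import re

# Keys and value names behind the policies named in the thread
# (standard Windows locations; they are not quoted on the page itself).
EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
INSTALLER = r"Software\Policies\Microsoft\Windows\Installer"
HKCU, HKLM = "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"

# Constructed sample: a regedit export of the policy keys, not from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000001
"NoRun"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer]
"AlwaysInstallElevated"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer]
"AlwaysInstallElevated"=dword:00000001
'''

def parse_reg(text):
    """Return {(hive, key_lower, name_lower): int} for every dword value."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(HKEY_[A-Z_]+)\\(.+)\]", line)
        if m:  # section header: remember the current hive and key path
            key = (m.group(1), m.group(2).lower())
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and key:
            values[key + (m.group(1).lower(),)] = int(m.group(2), 16)
    return values

def audit(text):
    """Report which of the thread's policies are enabled (value == 1)."""
    v = parse_reg(text)
    def on(hive, key, name):
        return v.get((hive, key.lower(), name.lower()), 0) == 1
    return {
        "control_panel_disabled": on(HKCU, EXPLORER, "NoControlPanel"),
        "run_removed": on(HKCU, EXPLORER, "NoRun"),
        "removable_media_install_blocked": on(HKCU, INSTALLER, "DisableMedia"),
        # Takes effect only when enabled in both hives; treat True as a finding.
        "always_install_elevated": on(HKCU, INSTALLER, "AlwaysInstallElevated")
        and on(HKLM, INSTALLER, "AlwaysInstallElevated"),
    }
```

Real exports in the version 5.00 format are normally UTF-16, so decode the file accordingly before passing its text to `audit`.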

Expert Comment

ID: 7045059
This person hasn't responded eh? Maybe he decided to play around with the newly discovered toy, gpedit that is, probably locked himself outta his machine...

LVL 44

Accepted Solution

CrazyOne earned 100 total points
ID: 7045085
Hehehe you got a good sense of humor jatcan. BTW my name is Spencer. Some of the experts here that know me usually refer to me as Crazy or Spencer. :>)

Author Comment

ID: 7058364
Sorry for the delay, I was busy working on another project.
This works, but when I used gpedit.msc under the administrator account and disabled the Control Panel, it disabled Control Panel for every user on this PC, including the Admin. How do I disable it for just the regular users?

Expert Comment

ID: 7058876
Hey Guys,

Here is a list of Control Panel files and what they do/are. You can run them by clicking start button\run\<type in the control panel file name> and then click enter to execute the CP applet.

The following list shows the .cpl file that corresponds to each Control Panel tool.
   .cpl File                       Control Panel Tools
   ==============                  ======================
   Wspcpl32.cpl                    Languages, numbers,time
   Timedate.cpl                    Date Time and Time zone
   Telephon.cpl                    Dialing rule and modem
   Sysdm.cpl                       System
   Sticpl.cpl                      Scanner and camera
   Powercfg.cpl                    Power management
   Odbccp32.cpl                    Open database
   Nwc.cpl                         Netware client connectivity
   Ncpa.cpl                        Network and connectivity
   Mmsys.cpl                       Sound and multimedia
   Joy.cpl                         Game controller
   Intl.cpl                        International
   Access.cpl                      Accessibility
   Hdwwiz.cpl                      Add/Remove Hardware
   Main.cpl                        Mouse
   Netcpl.cpl                      Network and Dial-up Connectivity
   Modem.cpl                       Phone and Modem
   Mlcfg.cpl                       Mail
   Wspcpl.cpl                      WSP Client
   Desk.cpl                        Display
   Liccpa.cpl                      Licensing
   Fax.cpl                         Fax wizard
   Desk.cpl                        Printers      
   Appwiz.cpl                      Add/Remove Program

Hope this helps, cheers guys...oh Crazy, glad I could amuse someone ;->


Expert Comment

ID: 7058880

Can you look at this question please...

Expert Comment

ID: 12587560
"It disables control panel for Every user on this PC including the Admin. How do I disable if just the regular users."

Anyone know how to do this without editing the registry? I'm working on extra credit and I can't edit the registry, but I have to have the Control Panel available for the admin but not for other users. We are supposed to use the gpedit.



Question has a verified solution.
