Remove/Prevent Editing of Shortcut Properties

Hello,
  I don't want my users to be able to modify where shortcuts point to on their Windows XP workstations (such as by right clicking the shortcut, selecting properties, and modifying entries under the shortcut tab).  At the same time, though, I don't want to prevent them from, say, sending a shortcut of a document in their docs folder to the desktop (so removing the default explorer context menu isn't an option).  I'm running a domain, so methods are pretty flexible:  registry change, script, gpo setting that I've overlooked, custom adm template, whatever.  The following are acceptable solutions for me:

1.  Remove properties from the context menu of a shortcut (but properties must remain intact for everything else, just removed from .lnk files)
2. Remove the shortcut tab from the properties of the shortcut
3. Make everything on the shortcut tab (target, start in, etc.) non-editable by the end user, including removing the function of the buttons along the bottom or making them unclickable
4. Anything else that achieves what I'm looking for without removing required functionality.
LVL 4
WerewolfTAAsked:
Who is Participating?
 
trywaredkConnect With a Mentor Commented:
Describing the problems with your users, I see no other solution than
http://www.microsoft.com/windows2000/technologies/terminal/default.asp
0
 
trywaredkCommented:
Create your own shortcut as an compiled exe-file

AutoIt v3 is free an BASIC-like scripting language with compiler
http://www.hiddensoft.com/autoit3/

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
WerewolfTAAuthor Commented:
I don't think that's going to work for me.  Looking at it, it appears that I could do that for the shortcuts I supply, but I still want my users to be able to make shortcuts of their own documents, which they could then go into and edit.
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
trywaredkCommented:
The shortcuts that you produce with autoit can't be edited by your users. Rember, that the exe-file you produce with autoit only is a shortcut, that points excatly where you want.

Your users can still  - as they allways could -  produce their own shortcuts.
0
 
WerewolfTAAuthor Commented:
 Yes, but can the users still edit the shortcuts that they produce?  That's what I'm trying to stop in addition to editing the shortcuts I supply (and even if this solution does, since it creates an executable file, it unfortunately wouldn't work for me since they're not allowed to run any executable content from locations for which they have write rights unless I hash the file and specifically allow it, which wouldn't be possible if they're creating them).  

I want my users to be able to create shortcuts to their existing documents, but not to be able to edit them.  I've already stopped them from being able to create a new blank shortcut and fill in anything they want, but they can produce a shortcut to an existing file on their own (which I want them to be able to do) and then edit it (which I don't want them to be able to do) to point somewhere they're not otherwise allowed to access in the gui (because I've disabled the run command and hidden network neighborhood) such as a network path.  One of my users actually admitted to browsing through the network looking for open shares to see what was out there.  Hopefully, everything's secure, but just in case something's overlooked, I don't want them to ever even have the opportunity to find out.  And even though they can't just browse through the network anymore, we use bginfo to put the name and ip address on all the desktops so we can have the caller quickly id which computer they're on for support purposes, so it's pretty easy for them to find paths to search.

  I know that no matter what I do, if they're determined enough, they'll find a way to get around the security I've set up or break the XP install trying, but I want to make it as difficult as possible so hopefully most of them will give up.  Experience has shown that some of these people have way too much free time on their hands, not enough supervision, and a strong desire to perform tasks on their computer that they're not allowed or supposed to do.
0
 
trywaredkCommented:
A user creating a shortcut (or file or folder) is the owner of the shortcut. That's defined in the creator owner ntfs permission.

Default NTFS Permissions in Windows 2000
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q244600
0
 
WerewolfTAAuthor Commented:
Unfortunately, terminal services isn't an option for me.  However, since nothing else has been posted, and I believe your answer would work were that an option, I am going to go ahead and close this question and award the points to you, trywaredk.  
0
 
trywaredkCommented:
:o) Thank you for the points
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.