Remove/Prevent Editing of Shortcut Properties

  I don't want my users to be able to modify where shortcuts point to on their Windows XP workstations (such as by right clicking the shortcut, selecting properties, and modifying entries under the shortcut tab).  At the same time, though, I don't want to prevent them from, say, sending a shortcut of a document in their docs folder to the desktop (so removing the default explorer context menu isn't an option).  I'm running a domain, so methods are pretty flexible:  registry change, script, gpo setting that I've overlooked, custom adm template, whatever.  The following are acceptable solutions for me:

1.  Remove properties from the context menu of a shortcut (but properties must remain intact for everything else, just removed from .lnk files)
2. Remove the shortcut tab from the properties of the shortcut
3. Make everything on the shortcut tab (target, start in, etc.) non-editable by the end user, including removing the function of the buttons along the bottom or making them unclickable
4. Anything else that achieves what I'm looking for without removing required functionality.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Create your own shortcut as an compiled exe-file

AutoIt v3 is free an BASIC-like scripting language with compiler

Many Regards
Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open
WerewolfTAAuthor Commented:
I don't think that's going to work for me.  Looking at it, it appears that I could do that for the shortcuts I supply, but I still want my users to be able to make shortcuts of their own documents, which they could then go into and edit.
The shortcuts that you produce with autoit can't be edited by your users. Rember, that the exe-file you produce with autoit only is a shortcut, that points excatly where you want.

Your users can still  - as they allways could -  produce their own shortcuts.
Defend Against the Q2 Top Security Threats

Were you aware that overall malware worldwide was down a surprising 42% from Q1'18? Every quarter, the WatchGuard Threat Lab releases an Internet Security Report that analyzes the top threat trends impacting companies worldwide. Learn more by viewing our on-demand webinar today!

WerewolfTAAuthor Commented:
 Yes, but can the users still edit the shortcuts that they produce?  That's what I'm trying to stop in addition to editing the shortcuts I supply (and even if this solution does, since it creates an executable file, it unfortunately wouldn't work for me since they're not allowed to run any executable content from locations for which they have write rights unless I hash the file and specifically allow it, which wouldn't be possible if they're creating them).  

I want my users to be able to create shortcuts to their existing documents, but not to be able to edit them.  I've already stopped them from being able to create a new blank shortcut and fill in anything they want, but they can produce a shortcut to an existing file on their own (which I want them to be able to do) and then edit it (which I don't want them to be able to do) to point somewhere they're not otherwise allowed to access in the gui (because I've disabled the run command and hidden network neighborhood) such as a network path.  One of my users actually admitted to browsing through the network looking for open shares to see what was out there.  Hopefully, everything's secure, but just in case something's overlooked, I don't want them to ever even have the opportunity to find out.  And even though they can't just browse through the network anymore, we use bginfo to put the name and ip address on all the desktops so we can have the caller quickly id which computer they're on for support purposes, so it's pretty easy for them to find paths to search.

  I know that no matter what I do, if they're determined enough, they'll find a way to get around the security I've set up or break the XP install trying, but I want to make it as difficult as possible so hopefully most of them will give up.  Experience has shown that some of these people have way too much free time on their hands, not enough supervision, and a strong desire to perform tasks on their computer that they're not allowed or supposed to do.
A user creating a shortcut (or file or folder) is the owner of the shortcut. That's defined in the creator owner ntfs permission.

Default NTFS Permissions in Windows 2000;EN-US;Q244600
Describing the problems with your users, I see no other solution than

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
WerewolfTAAuthor Commented:
Unfortunately, terminal services isn't an option for me.  However, since nothing else has been posted, and I believe your answer would work were that an option, I am going to go ahead and close this question and award the points to you, trywaredk.  
:o) Thank you for the points
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.