How can I totally secure a pc so a user can only run 1 program


I would like to secure a PC (running Windows XP Pro) so a certain user can only run 1 game.
So he shouldn't do anything else on the pc.
Can I use local security templates?

He shouldn't access the registry, the c-drive, .... nothing.

When he exits the game, he should only see the desktop with the game icon... .
He shouldn't even be able to access the start button.

How can I do this pls?

ps, the user HAS access to the keyboard and mouse ...
NetworkArchitek Commented:
Hi T-Quest,
Well, all right, you need to use group policy. If you only want to do this on the local machine, do this. Start>Run>MMC. Then once you are in the console click "Console">"Add/Remove Snapin">Add>Group Policy. Then hit OK. From there go to User Configuration>Administrative Templates. There you will find all the things you need. You can put a shortcut to the game on his desktop and remove EVERYTHING, including the start menu and ability to right click on the desktop or use keyboard shortcuts to access the "run" menu and all that.

Next, go to %systemroot%\system32\GroupPolicy, and go to the permissions of that folder and DENY the Administrators "read" access to that folder and anyone else you DO NOT want to be "locked down." Or else the same thing will happen to you!

Not possible on an XP Pro PC unless joined to the domain. At least not with any built-in functionality of XP, there may be a third-party app that does this but I am not aware of any. If it was joined to a domain a Group Policy could be created allowing access to only the game and denying access to anything else. So clicking on any other program would cause an access denied message to appear. This could be combined with hiding icons, and editing the start menu therefore providing few if any choices for the user to even see and none that will work. However on a local XP Pro implementation setting a group policy will affect all users including the admin and cause irreversible setting access to only one program will mean that even the admin will only be able to access this one program as well.

This can also be done through terminal services but this is as well a server side implementation.

T-Quest (Author) Commented:
Hello NA,

Thx for the very good answer.
I do have one more problem though ....

When I disable read access for the admins, it doesn't have any effect.
I can't open the group policy anymore, because I denied read access, so that is ok.... but the group policy is STILL applied to the admins!
So when I log on as admin, I have restrictions .... what can I do about this?

T-Quest (Author) Commented:
already found it... I was doing fast user switching instead of logging off administrator .....
Does denying read access to that folder work? If a change needs to be made will he have to change permissions and then run gpedit.msc...and then change the permissions back again? I didn't know this was possible but would suggest that you be careful as you can very easily lock yourself out if you forget to edit permissions or otherwise....though I do like the workaround...sure it will come in handy

No, it works fine. Yes, if you want to edit it you have to go back and change the permissions but you will not be editing it that often. You retain ownership, you simply deny yourself read and read&execute access.
Nice....I wish I had thought of that a while would have come in handy
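
As an added example that is not part of the thread: a PowerShell script for the deny-read step from NetworkArchitek's answer and for the unlock, edit, relock cycle discussed in the follow-up comments. It assumes PowerShell 2.0 or later is installed on the machine and that it runs from an administrator session; the `-Action` and `-Identity` parameter names are this example's own.

```powershell
# Added example; not from the thread. Assumes PowerShell 2.0+ and an
# administrator session. Parameter names are hypothetical.
param(
    [ValidateSet('Show', 'Lock', 'Unlock')]
    [string]$Action = 'Show',
    # Account or group that must stay exempt from the local policy.
    [string]$Identity = 'BUILTIN\Administrators'
)

$ErrorActionPreference = 'Stop'
$path = Join-Path $env:SystemRoot 'System32\GroupPolicy'

# Deny entry for read and read & execute, inherited by subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    $Identity, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Deny'

# Changing the permissions still works after Lock because, as the thread
# notes, the account retains ownership of the folder.
$acl = Get-Acl -Path $path

switch ($Action) {
    'Lock' {
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
    }
    'Unlock' {
        # Run this before opening the policy editor, then Lock again afterwards.
        [void]$acl.RemoveAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
    }
}

# Report the deny entries now on the folder so the current state is never a guess.
$deny = @((Get-Acl -Path $path).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' })

if ($deny.Count -eq 0) {
    Write-Output "No deny entries on $path; no account is exempt from the local policy."
} else {
    $deny | Select-Object IdentityReference, FileSystemRights, IsInherited
}
```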

Question has a verified solution.
