How can I totally secure a pc so a user can only run 1 program


I would like to secure a pc (running windows xp pro) so a certain user can only run 1 game.
So he shouldn't do anything else on the pc.
Can I use local security templates?

He shouldn't access the registry, the c-drive, .... nothing.

When he exits the game, he should only see the desktop with the game icon... .
He shouldn't even be able to access the start button.

How can I do this pls?

ps, the user HAS access to the keyboard and mouse ...
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hi T-Quest,
Well, all right, you need to use group policy. If you only want to do this on the local machine, do this. Start>Run>MMC. Then once you are in the console click "Console">"Add/Remove Snapin">Add>Group Policy. Then hit ok. From there go to User Configuration>Administrate Templates. There you will find all the things you need. You can put a shortcut to the game on his desktop and remove EVERYTHING, including the start menu and ability to right click on the desktop or use keyboard shortcuts to access the "run" menu and all that.

Next, go to %systemroot%\system32\GroupPolicy , and go to the permissions of that folder and DENY the Administrators "read" access to that folder and anyone else you DO NOT want to be "locked down." Or else the same thing will happen to you!


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Not possible on an XP Pro PC unless joined to the domain.  At least not with any built in functionality of XP, there may be a third party app that does this but I am not aware of any.  If it was joined to a domain a Group Policy could be created allowing access to only the game and denying access to anything else.  So clicking on any other program would cause an access denied message to appear.  This could be combined with hiding icons, and editing the start menu therefore providing few if any choices for the user to even see and none that will work.  However on a local XP Pro implementation setting a group policy will affect all users including the admin and cause irreversible setting access to only one program will mean that even the admin will only be able to access this one program as well.

This can also be done through terminal services but this is as well a server side implementation.

T-QuestAuthor Commented:
Hello NA,

Thx for the very good answer.
I do have one more problem though ....

When I disable read access for the admins, it doesn't have any affect.
I can't open the group policy anymore, because I denied read access, so that is ok.... but the group policy is STILL applied to the admins!
So when I logon as admin, I have restrictions .... what can I do about this?
Top Threats of Q1 & How to Defend Against Them

WEBINAR: Join WatchGuard CTO and our Threat Research Team on Aug. 2nd to hear the findings from our Q1 Internet Security Report! Learn more about the top threats detected in the first quarter and how you can defend your business against them!

T-QuestAuthor Commented:
already found it... I was doing fast user swicthing instead of logging of administrator .....
?Does denying read access to that folder work?  If a change needs to be made will he have to change permissions and then run gpedit.msc...and then change the permissions back again?  I didn't know this was possible but would suggest that you be careful as you can very easily lock yourself out if you forget to edit permissions or otherwise....though i do like the workaround...sure it will come in handy

No, it works fine. Yes, if you want to edit it you have to go back and change the permissions but you will not be editing it that often. You retain ownership, you simply deny yourself read and read&execute access.
Nice....I wish I had thought of that a while would have come in handy

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.