I'm looking for a registry change to disable "TCP/IP properties" access to prevent users from changing the IP address

I just want to disable TCP/IP properties access for my users. Actually, all the computers are in a workgroup (not a domain), so my thoughts are that maybe I can do it through some registry change or changes. Does anyone have experience with this?

Many thanks in advance

Andrej Pirman Commented:
Probably the smartest idea would be to give all users only limited privileges, like putting them into the Power Users group instead of the Administrators group. Since only an administrator can change TCP/IP settings, this would do what you wish, and also prevent users from doing system-wide damage to the computer. And not least, going this way the users' computers will be less vulnerable to malicious code and infections.
The only disadvantage is that you will need to be present when installing new software, using simple "Run As..." technique to run installations under Administrator privileges.

If this is not an option for you, you can prohibit access to Network settings for ALL users, including Administrator, on a particular machine. Don't forget to set up TCP/IP properties BEFORE you lock yourself out.
Run gpedit.msc from "Run" prompt,
and navigate to /User configuration/Administrative Templates/Network/Network Connections/
Here *I think* the needed changes are to ENABLE the following two or three settings:
- "Prohibit access to properties of components of a LAN configuration"
- "Prohibit TCP/IP advanced configuration"
- "Prohibit Access to properties of LAN connection"
I am not sure about minimum keys needed, because for changes to take effect you need to restart the computer, so I did not test too much.

Hope this helps.

You can set it as a local group policy on each machine. I am not sure the registry settings to change but I know you can go to Start --> Run and type gpedit.msc. That will bring up the local group policy editor. You could remove it there.

fizzeriano (Author) Commented:

Yes, I can change it there, but I don't know which policies to enable in order to prevent users, even if they have admin rights, from accessing IP properties. Of course, admins with gpedit knowledge can turn the feature off and on; that's the general idea of what I'm looking for.

Thanks for your help

fizzeriano (Author) Commented:
Just want to add that I must choose "disable access for admin also in gpedit"

Try using a security policy:

 - click start and run
 - type gpedit.msc, hit OK
 - go to:
     User Configuration\Administrative Templates\Network\Network and Dial-up Connections
 - look for these two objects:
     Enable Windows 2000 Network Connections settings for Administrators
     Prohibit access to properties of components of a LAN connection
 - double-click both objects and change to "Enabled"
 - click Apply and close the editor
 - I don't think you have to restart (but you might)

Good luck!
Andrej Pirman Commented:
Regarding Jemiii's advice, here is a copy-paste from the "Prohibit access to properties of components of a LAN connection" tab:
If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties button is disabled for Administrators. Network Configuration Operators are prohibited from accessing connection components, regardless of the "Enable Network Connections settings for Administrators" setting.
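
The policies named in this thread can also be checked from the registry side, which is what the original question asked about. The script below is an added example, not part of any post above. The registry key, value names and data are assumptions taken from the Network Connections administrative template, not from the thread; the function name `Get-NetConnPolicyState` is made up for this example. Run it as the user whose policy you want to audit.

```powershell
# Added example: audit the per-user Network Connections policy values.
# Assumption: key path, value names and data come from the Network Connections
# administrative template; none of them appear in the thread itself.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Network Connections'

# The "Prohibit ..." settings are stored as "allow" flags, so Enabled = 0.
# The administrator switch is stored as 1 when Enabled.
$Expected = [ordered]@{
    'NC_EnableAdminProhibits'     = @{ On = 1; Text = 'Enable Windows 2000 Network Connections settings for Administrators' }
    'NC_LanChangeProperties'      = @{ On = 0; Text = 'Prohibit access to properties of components of a LAN connection' }
    'NC_LanProperties'            = @{ On = 0; Text = 'Prohibit access to properties of a LAN connection' }
    'NC_AllowAdvancedTCPIPConfig' = @{ On = 0; Text = 'Prohibit TCP/IP advanced configuration' }
}

function Get-NetConnPolicyState {
    param([string]$Key = $PolicyKey)
    # A missing key means no policy in this group has been configured.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $data = $null
        if ($props -and ($props.PSObject.Properties.Name -contains $name)) {
            $data = $props.$name
        }
        if ($null -eq $data) {
            $state = 'Not configured'
        } elseif ($data -eq $Expected[$name].On) {
            $state = 'Enabled'
        } else {
            $state = 'Disabled'
        }
        [pscustomobject]@{
            Setting = $Expected[$name].Text; ValueName = $name
            Data = $data; State = $state
        }
    }
}

$report = Get-NetConnPolicyState
$report | Format-Table -AutoSize -Wrap

# Per the policy text quoted above, the Properties button is disabled for
# Administrators only when the administrator switch is enabled as well.
$state = @{}
foreach ($row in $report) { $state[$row.ValueName] = $row.State }
if ($state['NC_LanChangeProperties'] -eq 'Enabled' -and
    $state['NC_EnableAdminProhibits'] -ne 'Enabled') {
    Write-Warning 'LAN component properties are prohibited, but not for Administrators.'
}
```

A row reported as "Not configured" means the value is absent, so the default behaviour applies and the corresponding dialog is still reachable.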