<div>
Thanks Rartemas for the prompt response.<br />
Your very useful suggestions had got me thinking a little bit more.<br />
Not having had too much experience with policies, can I run the following by you, please;<br />
Would the following be the way to go?<br />
1) Place the computer into a new OU. Attached to the new OU will be group policies to<br />
- to disable Internet Control Panel (in Computer Configuration)<br />
- remove Run command from Start Menu<br />
2) Move temporary folder for internet browser files to a network share with restricted access<br />
3) Read &amp;&nbsp;execute only access to Windows and Program Files folders for the local users<br />
<br />
With due respect, I seem to remember reading from some literature that the loading of policies is Site/Domain/OU/Local in that order. Consequently, would not Local policies take precedence, loading last? I am a bit confused...<br />
<br />
Your continued assistance would be very much appreciated. Thanks<br />
<br />

</div>


<div>
Sorry to jump in here but think of it a bit like this:<br />
<br />
Once it goes down the load order, policies are only loaded if the current state is not determined (neither allow/deny for example) <br />
<br />
For example, if higher up the load chain a policy is set, it cannot be un-set by policies lower down the chain, like Deny takes precedence over Allow in access permissions; Just because you may be &nbsp;granted rights in a different place in the chain, the Deny is always at the top and gets evaluated first, like Site policies. Thats why you see &quot;Current setting&quot; and &quot;Effective setting&quot; in the &quot;Local Security Policy&quot;. What you have set locally, may not be in force due to higher up the chain.
</div>


<div>
Garychu<br />
<br />
TheRabbi is correct with the order of applying policy. It is basically first come, first served.<br />
<br />
<br />
What you suggest is possible. For point 2 you will need to set up folder redirection.<br />
<br />
Links for assistance with redirection:<br />
<a href="http://technet2.microsoft.com/windowsserver/en/library/2b24872a-05ca-41be-9887-33acc87a20561033.mspx?mfr=true" rel="ugc nofollow">http://technet2.microsoft.com/windowsserver/en/library/2b24872a-05ca-41be-9887-33acc87a20561033.mspx?mfr=true</a><br />
<br />
<a href="http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html" rel="ugc">http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html</a><br />
<br />

</div>


<div>
Thank you very much gentlemen.<br />
In particular, the links to some useful resources.<br />
I think I have enough to give it a go.<br />
Cheers
</div>


<div>
<div class="content wysiwyg-content">
Scenario: An XP Pro workstation computer joined to a Windows 2003 SBS network domain.<br />
Objective: To disable any user at this computer, except for local administrator/domain admins, access to delete browser history.<br />
Hide or denying access to inetcpl.cpl in the Control Panel would suffice.<br />
If this can be done via the local computer GPO, I need help to ensure that it is done properly. In particular,<br />
1) Local administrator / domain admins must not be denied access<br />
2) Presumably local policies will take precedence over group policies?<br />
3) What happens if user uses another browser eg Firefox instead. Does that mean user should also be denied rights to install programs?<br />
4) User should of course be denied access to gpedit.msc as well<br />
<br />
There may well be other considerations.<br />
Any suggestions, tips pointers to resources would be gratefully received.<br />
Thanks
</div>
</div>


Scenario: An XP Pro workstation computer joined to a Windows 2003 SBS network domain.
Objective: To disable any user at this computer, except for local administrator/domain admins, access to delete browser history.
Hide or denying access to inetcpl.cpl in the Control Panel would suffice.
If this can be done via the local computer GPO, I need help to ensure that it is done properly. In particular,
1) Local administrator / domain admins must not be denied access
2) Presumably local policies will take precedence over group policies?
3) What happens if user uses another browser eg Firefox instead. Does that mean user should also be denied rights to install programs?
4) User should of course be denied access to gpedit.msc as well

There may well be other considerations.
Any suggestions, tips pointers to resources would be gratefully received.
Thanks

Deny user access to delete browser history

Microsoft Windows XP is the sixth release of the NT series of operating systems, and was the first to be marketed in a variety of editions: XP Home and XP Professional, designed for business and power users. The advanced features in XP Professional are generally disabled in Home Edition, but are there and can be activated. There were two 64-bit editions, an embedded edition and a tablet edition.

Windows XP

The Microsoft Legacy Operating System topic includes legacy versions of Microsoft operating systems prior to Windows 2000: All versions of MS-DOS and other versions developed for specific manufacturers and Windows 3/3.1, Windows 95 and Windows 98, plus any other Windows-related versions, and Windows Mobile.

Microsoft Legacy OS

This topic area includes legacy versions of Windows prior to Windows 2000: Windows 3/3.1, Windows 95 and Windows 98, plus any other Windows-related versions including Windows Mobile.