ComputerWhatever asked:

I want to lock down Windows XP so the user can only access two things: IE to get to an internal application, and a softphone app. Any ideas how I can accomplish this?

It is a call center and the only thing we want them to do is get into the softphone and the call center software. I can restrict access to the web by just removing the DNS servers, but how can I hide everything, including the start button, from the desktop so all they see is the softphone and an IE icon that takes them to their app?

ComputerWhatever
ASKER

I don't want a third-party app. Thanks.

You can do it using Group Policy.

Start with this http://articles.techrepublic.com.com/5100-22_11-6028180.html

But look at the other policies and see if they will be useful to you.


I'm assuming you're part of a domain. In which case you want to implement the Software Restrictions Group Policy. http://technet.microsoft.com/en-us/library/cc784363(WS.10).aspx

As far as keeping them from even hitting the start menu? I'm unsure but if you create the above group policy they won't be able to run anything else anyways.

ASKER CERTIFIED SOLUTION
eNarc

Will Szymkowski
I would also agree that Group Policy would be the best way to accomplish this. You can disable most of these items from GPMC.msc. Under User Configuration > Administrative Templates you will find Control Panel, Start Menu and Taskbar, System and a few more where you can customize quite a bit of settings.

One thing you will not be able to disable/remove is the start button (without 3rd party software). As Nutty has already said, if applications are not able to be used, then even though they can access the start button they can't do anything.

Also, how are your users logging into the machine? Do you have a generic account or does every individual have their own account? I would suggest also doing a "Mandatory profile" and only having your softphone icon and IE icon on the desktop.

Having the mandatory profile will allow the desktop to be the same every time the user logs on.

Implement Mandatory profile - http://support.microsoft.com/kb/307800

Hope this helps~!

Follow this guide to disable the start button: http://www.pctools.com/guides/registry/detail/905.
Open regedit on the computer. Rename the key by placing a dash "-" in front of the GUID (i.e. {-5b4dae26-b807-11d0-9815-00c04fd91972}).

Removing the dash will make the start button functional again.

If you have any programming ability you can create an executable that displays a form with links that only do what you want. Then use policy or registry edits to set your executable as the shell for this computer or a specific user instead of the normal Windows Desktop.

Cheers
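
The "specific user" form of the shell replacement suggested in the post above, written into one account's registry hive so that the administrator account keeps the normal desktop; this is an added example, not code from the thread. The account name `agent`, the launcher path `C:\Kiosk\launcher.exe`, the default XP profile location and the temporary mount name `KioskTemp` are assumptions.

```batch
@echo off
rem Added example: per-user kiosk shell on Windows XP via reg.exe.
rem Assumed names (not from the thread): account "agent", launcher
rem C:\Kiosk\launcher.exe, mount point HKU\KioskTemp.
rem Run as an administrator while the kiosk account is logged off.
setlocal
set KIOSK_USER=agent
set KIOSK_SHELL=C:\Kiosk\launcher.exe
set HIVE=C:\Documents and Settings\%KIOSK_USER%\NTUSER.DAT
set MOUNT=HKU\KioskTemp
set POL=%MOUNT%\Software\Microsoft\Windows\CurrentVersion\Policies
set RC=0

rem Refuse to point the shell at a file that is not there: the user
rem would log on to an empty screen.
if not exist "%KIOSK_SHELL%" (
  echo Launcher %KIOSK_SHELL% not found, nothing changed.
  exit /b 1
)

rem Load only the kiosk user's hive. This fails if the user is logged
rem on or has never logged on, and in that case nothing is changed.
reg load %MOUNT% "%HIVE%"
if errorlevel 1 (
  echo Could not load "%HIVE%", nothing changed.
  exit /b 1
)

rem Value behind the "Custom user interface" policy: this program
rem starts instead of explorer.exe, for this user only.
reg add "%POL%\System" /v Shell /t REG_SZ /d "%KIOSK_SHELL%" /f || set RC=1
rem Block Task Manager and the registry editor for this user.
reg add "%POL%\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f || set RC=1
reg add "%POL%\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f || set RC=1
rem Remove Run from any Explorer window the user manages to open.
reg add "%POL%\Explorer" /v NoRun /t REG_DWORD /d 1 /f || set RC=1

rem Show what was written, then always unload the hive again.
reg query "%POL%\System" /v Shell
reg unload %MOUNT%
if %RC%==1 echo One or more values could not be written.
endlocal & exit /b %RC%
```

To undo the change, load the hive the same way and remove the values with `reg delete`. Test against a spare account first and keep a separate administrator account that the script never touches.
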

Remember, Group Policy only works with Windows XP Pro, while SteadyState works on all XP versions and does the same and greater thing; it's very easy to use.

Thank you so much for pointing me towards this. Although the group policy is good, I tried that and ended up locking myself as administrator out because the group policy affects all users on the machine. SteadyState allows you to tell which users the lockdown affects. Thanks for the help.

ComputerWhatever,

This is an added benefit for you and others who are looking for a solution. Group Policy also allows you to state which users the lockdown affects via various methods. Applying the GPO to an OU that those users are contained in, while placing administrators in a separate OU, is one way.

Group Policy also does not need to be installed on every computer and configured like SteadyState does, but I digress and will just leave you with Microsoft's recommendation from the SteadyState handbook:

"Windows SteadyState provides administrators with an effective way to
restrict software, especially for a single shared computer or for a small
environment of shared computers. However, when administrators want
to centrally manage software restrictions across many computers or
users, we recommend that you set software restrictions by using Group
Policy Software Restriction Policies. Software restrictions that are
implemented by using Software Restriction Policies across a large
number of shared access computers on a given site, domain, or range of
organizational units are more efficiently administered than the restrictions
that can be implemented by using Windows SteadyState.
Software restrictions that can be applied by using Software Restrictions
Policies are identical to those restrictions that can be applied in
Windows SteadyState."