I want to lock down Windows XP so the user can only access two things, IE to get to an internal application and a softphone app?  Any ideas how I can accomplish this?

Posted on 2010-09-03
Last Modified: 2012-05-10
It is a call center and the only thing we want them to do is get into the softphone and the call center software.  I can restrict access to the web by just removing the dns servers but how can hide everything including the start button from the desktop so all they see is softphone and ie icon that takes them to their app?
Question by:ComputerWhatever
  • 3
  • 2
  • 2
  • +4

Author Comment

ID: 33597089
I don't want a third party app.  thanks
LVL 24

Expert Comment

by:Mike Thomas
ID: 33597103
You can do it using group policy

Start with this

But look at the other policies and see if they will be useful to you.


Expert Comment

ID: 33597151
I'm assuming your part of a domain. In which case you want to implement the Software Restrictions Group Policy.

As far as keeping them from even hitting the start menu? I'm unsure but if you create the above group policy they won't be able to run anything else anyways.

Accepted Solution

eNarc earned 250 total points
ID: 33597439
thre is a microsoft application called Windows SteadyState, and its perfect for locking a user to apps and what they can or can not do.

Expert Comment

ID: 33597464
LVL 53

Expert Comment

by:Will Szymkowski
ID: 33597539
I would also agree that Group policy would be the best way to accomplish this. You can disable most of these items from GPMC.msc. Under User Configuration>Administrative Templates you will fine Control Panel, Start Menu and Taskbar, System and a few more where you can customize quite a bit of settings.

One this you will not be abel to disable/remove is the start button (without 3rd party software). As Nutty has already said if applications are not able to use then even though they can access the start button they can't do anything.

Also, how are your users logging into the machine. Do you have a generic account or does every individual have their own account? I would suggest also doing a "Mandatory profile" and only have your Softphone Icon and IE icon on the desktop.

Having the mandatory profile will allow the desktop to be the same everytime the user logs on.

Implement Mandatory profile -

Hope this helps~!
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.


Expert Comment

ID: 33597843
Follow this guide to disable the start button:

Expert Comment

ID: 33597865
Open regedit on the computer. Rename the key by placing a dash "-" in front of the GUID (i.e. {-5b4dae26-b807-11d0-9815-00c04fd91972}).

Removing the dash will make the start button functional again.

Expert Comment

ID: 33600320
If you have any programming ability you can create an executable that displays a form with links that only do what you want. Then use policy or registry edits to set your executable as the shell for this computer or a specific user instead of the normal Windows Desktop.


Expert Comment

ID: 33600817
remember Group Policy only works with windows xp pro, while steady state works on all xp version and does the same and greater thing, its very easy to use.

Author Closing Comment

ID: 33605405
Thank you so much for pointing me towards this.  Although the group policy is good, I tried that and ended up locking myself as administrator out because the group policy effects all users on the machine.  steady state allows you to tell which users the lock down effects.  Thanks for the help.

Expert Comment

ID: 33605586

This is an added benefit for you and others who are looking for a solution. Group policy also allows you to state which users the lock down affects via various methods. Applying the GPO to an OU that those users are contained in, while placing administrators ina  separate OU, is one way.

Group Policy also does not need to be installed on every computer and configured like SteadyState does but I digress and will just leave you with Microsoft's recomendation from the SteadyState handbook:

"Windows SteadyState provides administrators with an effective way to
restrict software, especially for a single shared computer or for a small
environment of shared computers. However, when administrators want
to centrally manage software restrictions across many computers or
users, we recommend that you set software restrictions by using Group
Policy Software Restriction Policies. Software restrictions that are
implemented by using Software Restriction Policies across a large
number of shared access computers on a given site, domain, or range of
organizational units are more efficiently administered than the restrictions
that can be implemented by using Windows SteadyState.
Software restrictions that can be applied by using Software Restrictions
Policies are identical to those restrictions that can be applied in
Windows SteadyState."

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Move XP PC to Vmware 22 139
URL to download Windows 10 Home 2 135
Archive .pst - Why my archive has only Inbox folder? 5 82
What is this Task? 4 87
Issue: Unstable cursor in Windows XP and Windows runs extremely slow in that any click will bring up the Hour glass (sometimes for several seconds before giving you what you want) . Troubleshooting Process and the FINAL FIX: This issue see…
INTRODUCTION The purpose of this document is to demonstrate the Installation and configuration of the Data Protection Manager product. Note that this demonstration was prepared on the basis of Windows OS is 2008 R2 and DPM 2010. DATA PROTECTI…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now