ATA Group Policy

I get a lot of questions about how to “lock down” workstations.

So, in the next series of tips, I’m going to give you some little strategic “base hits” for doing that.

Indeed, there’s not a “magic bullet” toward true desktop lockdown. And, well, I also know SOME people tend to go “overboard” once they start tasting the sweet, sweet taste of “users not bothering them anymore.”

But, let’s (collectively) try not to go bananas as we implement some of these strategies. (What? People dealing with ‘Policy Control’ can sometimes go bananas once they start locking things down? Never!)

The Tip: Replacing your shell

So, in this first tip, I want to share a neat secret. Did you know you can “replace the shell”? It’s true. You don’t NEED to use Explorer as your shell. How about “Calc”?

Yep.. Login, and… Calc. Or Solitaire. Or, DogFoodMaker. That’s it. The only app running. Nothing else.

It’s possible.

Step 1: Choosing your shell

The policy is found under:

User | Policies | Administrative Templates | System | Custom User Interface

Enter in “c:\windows\system32\calc.exe” to try.

(I’m using hard coded paths, but you might want to use variables.)

Step 1A: A more useful shell

A more useful choice of shell would be Internet Explorer, say, for cafeteria machines, library machines, and others.

Try entering this (using quotes):
"C:\Program Files\Internet Explorer\iexplore.exe"

Step 2: Locking down your desktop a little bit

We want to make it so users cannot use Task Manager or lock the machine. Thankfully, those options are located under:

User | Policies | Administrative Templates | System | Ctrl+Alt+Del Options

You might also want to turn off Windows hotkeys:

User | Administrative Templates | Windows Comp | Windows Explorer | “Turn off Windows+X hotkeys”

Step 3: Lock down IE to your liking

There are a zillion options here. But some of my top favorites are under:

User | Administrative Templates | Windows Components | Internet Exp. | Browser Menus |

“File Menu: Disable open menu option”

“File menu: Disable closing the browser and Explorer windows”

Other areas to explore and control are the Toolbars and Internet Control Panel sections.

Now, you’ve quickly taken a machine, and made it “IE only” and “pretty well locked down.”
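To confirm the lockdown actually took effect, the script below (an added example, not part of the original tip) audits the per-user registry values behind the settings in Steps 1 to 3. The registry paths and value names are the ones the stock Administrative Templates write; they do not appear in the article itself, and the script assumes it runs in the locked-down user's session.

```powershell
# Added example: audit the per-user registry values behind the policies in this tip.
# Run it in the locked-down user's session after the GPO has applied.
$sys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$exp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ie  = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'

# Policy setting -> registry value it writes when Enabled (each is DWORD 1).
$checks = @(
    @{ Policy = 'Remove Task Manager';                    Path = $sys; Name = 'DisableTaskMgr' }
    @{ Policy = 'Remove Lock Computer';                   Path = $sys; Name = 'DisableLockWorkstation' }
    @{ Policy = 'Turn off Windows+X hotkeys';             Path = $exp; Name = 'NoWinKeys' }
    @{ Policy = 'File menu: Disable Open menu option';    Path = $ie;  Name = 'NoFileOpen' }
    @{ Policy = 'File menu: Disable closing the browser'; Path = $ie;  Name = 'NoBrowserClose' }
)

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent, i.e. the policy did not apply.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$results = @(foreach ($c in $checks) {
    $v = Get-PolicyValue $c.Path $c.Name
    [pscustomobject]@{ Policy = $c.Policy; Actual = "$v"; Ok = ($v -eq 1) }
})

# Custom User Interface is stored as the string value "Shell".
$shell = Get-PolicyValue $sys 'Shell'
$note  = 'not set: Explorer is still the shell'
$ok    = $false
if ($shell -match '[\u201C\u201D]') {
    # Curly quotes pasted from a web page do not quote a path.
    $note = 'contains curly quotes; retype the path with straight quotes'
} elseif ($shell -match '^\s*(?:"([^"]+)"|(\S+))') {
    # Take the quoted path, or the first token when unquoted; ignore arguments.
    $exe  = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
    $exe  = [Environment]::ExpandEnvironmentVariables($exe)
    $ok   = Test-Path -LiteralPath $exe -PathType Leaf
    $note = if ($ok) { "shell executable found: $exe" } else { "shell executable missing: $exe" }
}
$results += [pscustomobject]@{ Policy = 'Custom User Interface'; Actual = "$shell"; Ok = $ok }

$results | Format-Table -AutoSize
Write-Output "Shell check: $note"
if ($results.Ok -contains $false) { Write-Warning 'One or more lockdown settings are not in effect.' }
```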

It’s not perfect. Users could still get to, say, the command prompt by typing “c:\windows\system32\cmd.exe” into the browser window.

But you’re almost home now, and that’s a pretty good start. Do you have group policy tips, tricks and how to’s to share? Well then hit up the comments and make yourself heard!

Written by Jeremy Moskowitz of