deny access to control panel for limited users

[Guest]

I have windows xp home and am administrator. Somehow my limited user accounts
have full access to the control panel and add/remove programs. I want to
disable this access but I am not at all computer literate. I have gotten into
the registry and can find the users profile but from that point I am not sure
what to do. Do I just type in "nocontrolpanel reg_dword 0x00000001
(1) " under what is already there? do I have to go in through thier account
to do this?

 

[Steven L Umbach]

Well if you set the necessary registry setting it will affect all users that
logon to the computer. Note that even though a non administrator may have
access to those items it does not means they can configure everything. A
user must be a local administrator to install/remove most software such as
that which writes to the system and program files folder. Probably the
easiest way to further lockdown other non administrator accounts in XP Home
is to use the free Microsoft Shared Computer Toolkit as described in the
links below. --- Steve

http://www.microsoft.com/windowsxp/sharedaccess/overview.mspx
http://www.windowsecurity.com/articles/Microsoft-Shared-Computer-Toolkit.html

 

[Guest]

Well if you set the necessary registry setting it will affect all users that
logon to the computer. Note that even though a non administrator may have
access to those items it does not means they can configure everything. A
user must be a local administrator to install/remove most software such as
that which writes to the system and program files folder. Probably the
easiest way to further lockdown other non administrator accounts in XP Home
is to use the free Microsoft Shared Computer Toolkit as described in the
links below. --- Steve

http://www.microsoft.com/windowsxp/sharedaccess/overview.mspx
http://www.windowsecurity.com/articles/Microsoft-Shared-Computer-Toolkit.html



Thank-you Steve...I did download the toolkit but it seemed much too involved for me. My problem is that my limited user and guest accounta ARE both able to use the 'add/remove programs' to remove any program. I think someone has changed the settings somehow to give this permission. I was hoping there would be an easy way to change this back. In the Registry editor under the users default, it says "Opened REG_dword 0X00000001 (1)" IS THIS SUPPOSED TO BE THERE?

 

[Steven L Umbach]

That does not sound right that an unprivileged user can remove applications
since that would mean the user would need delete permissions to the program
files and system folder which regular users do not have in a default
installation. Use the command net localgroup administrators to see what
users are members of the administrators group to see if it is what you
expect and if not make sure you adjust what users are local administrators
using Control Panel/user accounts/change account/user - account type. Beyond
all that you could try removing users from the permission list for the
appwiz.cpl file located in the windows\system32 folder or you can search for
it. See the link below on how to manage NTFS permissions if you are not
familiar as how to do it. In brief for XP Home you need to boot into Safe
Mode, logon as an administrator, locate the file, right click and select
properties/security, and remove users from the list leaving only
administrators and system. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418

 

[Guest]

That does not sound right that an unprivileged user can remove applications
since that would mean the user would need delete permissions to the program
files and system folder which regular users do not have in a default
installation. Use the command net localgroup administrators to see what
users are members of the administrators group to see if it is what you
expect and if not make sure you adjust what users are local administrators
using Control Panel/user accounts/change account/user - account type. Beyond
all that you could try removing users from the permission list for the
appwiz.cpl file located in the windows\system32 folder or you can search for
it. See the link below on how to manage NTFS permissions if you are not
familiar as how to do it. In brief for XP Home you need to boot into Safe
Mode, logon as an administrator, locate the file, right click and select
properties/security, and remove users from the list leaving only
administrators and system. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418





Thank-you very much for all the help Steve. I will try this. Just so you know...this person has been on my computer under my name a few times and knew the administrators password. That is how I thought the changes could have been made. He is also able to get into the registry with his limited user account.

 

[Steven L Umbach]

Well that would explain a lot if the user had administrator access. It is
possible for a regular user to edit registry keys that they have permissions
to such as some in HKCU. Other than managing group membership and
NTFS/registry permissions you are limited to what you can do in XP Home
since you can not edit local Group Policy which is why I recommended the
Shared Computer Toolkit. By default XP Home would have a blank password for
the built in administrator account that is only accessible in Safe Mode so
be sure it has a password that only you know and do the same for any other
user account that is a local administrator group. --- Steve