"Bombproofing" Win95 User PCs (III)

Bill Moseley moseley at netcom.com
Fri Apr 26 14:35:08 EDT 1996


(This message was sent yesterday, but did not make it to the list for some
reason -- sorry if you receive a duplicate).

At 11:20 AM 4/25/96 -0700, you wrote:

>however,
>if a user uses the right mouse button and selects the floppy icon, the user
>can get access to Explorer and the rest of the hard drive!  Does anybody
>know how to disable Explorer?

I tried to disable these right-mouse features in the registry, but it seems
like running Explorer is hard wired.  It is simple enough to *add* items to
this menu, but Explore, Open, and Find seem to be built into the Explorer shell.

Another failed route:

By using the registry, you can specify what programs are allowed to run --
attempting to run a non-listed program results in an error message.

One would hope that you could specify the program(s) to run, Netscape, for
example, and leave out Explorer to prevent its use.  But, since Explorer is
also the shell program (the program that displays the desktop, Start menu,
task bar, etc.) and therefore already running in memory, the restrictions
don't apply to it -- it will run.

So, it seems at this point that not using Explorer as the shell is the best
solution -- use Program Manager instead.  

Running Program Manager as the shell has a couple of advantages:  First,
your interface looks like Windows 3.1, so if you are running both 3.1 and 95
computers, your interface will look the same.  (Even looks like NT's
interface).  Second, this disables many of the "features" of Windows 95 that
are a problem for a public access computer (dragging files onto the start
menu, access to "My Computer" icon, right-mouse on the taskbar or on the
desktop, and starting Explorer by clicking on a directory or drive).  Many of
these features can be disabled in the registry, but changing to the Program
Manager shell takes care of most.

I would hope that in Windows 95 you could specify the shell in the registry
(or using policies), but no.  You have to modify the SYSTEM.INI file just
like in Windows 3.1.

Note about using the RestrictRun feature:

Although the RestrictRun feature sounds great (it can be a big help in
securing a public access computer) be aware of how easy it is to get around.
When you specify the allowable programs in the registry, you only specify
the file name -- not the full path name.  What this means is that all
someone has to do is rename Explorer or command.com to "netscape.exe" and
gain full access to the computer.  I doubt many will figure this out, though.

One other thing to watch out for is the Windows 95 help (off the Start
menu).  Many programs and Control Panel "applets" can be accessed directly
from the help menu.


Sorry about the long message.  If interested, here are the keys for
restricting what programs can run:

This key enables the program restriction:

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001

and this key specifies which program may run:

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="netscape.exe"
"2"="eudora.exe" 



Bill Moseley
mailto:moseley at netcom.com
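
An added example, not part of the original message: because RestrictRun matches on file name only, an audit can hash every file that carries an allowed name and compare it with a baseline of the genuine binaries. The inventory paths, file contents, baseline and function names are constructed for illustration.

```python
import hashlib
import ntpath
import re

# Constructed .reg export using the two keys quoted in the message.
REG_EXPORT = r'''
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="netscape.exe"
"2"="eudora.exe"
'''

def parse_restrict_run(reg_text):
    """Return (enabled, allowed file names) from a .reg export."""
    enabled, allowed, section = False, set(), ""
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section.endswith(r"\policies\explorer"):
            m = re.fullmatch(r'"RestrictRun"=dword:([0-9a-fA-F]{8})', line)
            if m:
                enabled = int(m.group(1), 16) != 0
        elif section.endswith(r"\policies\explorer\restrictrun"):
            m = re.fullmatch(r'"[^"]+"="([^"]+)"', line)
            if m:
                allowed.add(m.group(1).lower())
    return enabled, allowed

def audit(inventory, allowed, baseline):
    """Flag files whose name is allowed but whose hash is not the baselined one."""
    findings = []
    for path, data in inventory:
        name = ntpath.basename(path).lower()
        if name in allowed and hashlib.sha256(data).hexdigest() != baseline.get(name):
            findings.append(path)
    return findings

# Constructed inventory: (path, file bytes). Paths and contents are hypothetical.
GOOD_NS, GOOD_EU, SHELL = b"netscape image", b"eudora image", b"explorer image"
INVENTORY = [
    (r"C:\NETSCAPE\netscape.exe", GOOD_NS),
    (r"C:\EUDORA\eudora.exe", GOOD_EU),
    (r"C:\WINDOWS\explorer.exe", SHELL),   # not an allowed name, ignored
    (r"A:\netscape.exe", SHELL),           # allowed name, wrong content
]
BASELINE = {"netscape.exe": hashlib.sha256(GOOD_NS).hexdigest(),
            "eudora.exe": hashlib.sha256(GOOD_EU).hexdigest()}

if __name__ == "__main__":
    enabled, allowed = parse_restrict_run(REG_EXPORT)
    print(enabled, sorted(allowed), audit(INVENTORY, allowed, BASELINE))
```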


