Windows Security Officer

Windows Security Officer

Version: 7.1.1.2 Report date: 6/28/2009 7:14:04 AM
Computer name: HEAVENH- Domain::User name: HEAVENH-RHWRV7M::Administrator
RHWRV7M

Windows Common Restrictions \ System

Restricting Access to The Windows NT event log contains records documenting application, security
the Event Logs and system events taking place on the machine. This tweak allows you to
restrict access to administrators and system accounts only.
* Stopping the In Windows NT, core operating system DLLs are kept in virtual memory and
KnownDLLs shared between the programs running on the system. This has exposed a
Vulnerability vulnerability thatcould allow a user to gain administrative privileges on the
computer the user is interactively logged onto.
Securing Network This setting determines whether data in the CD-ROM drive is accessible to
Access to CD-ROM other users. This value entry satisfies, in part, the C2 security requirement that
Drives you must be able to secure removable media.

Securing Network This setting determines whether data in the floppy disk drive is accessible to
Access to Floppy other users. This value entry satisfies, in part, the C2 security requirement that
Drives you must be able to secure removable media.

* Control the Automatic By default if the Windows NT user interface or one of its components fails, the
Restarting of the interface is restarted automatically, the can be changed so that you must
Shell restart the interface by logging off and logging on again manually.

Clear the Page File at Windows normally does not not clear or recreate the page file. On a heavy
System Shutdown used system this can be both a security threat and performance drop.
Enabling this setting will cause Windows to clear the page file whenever the
system is shutdown.
Disable Windows This restriction allows you to prevent users (not admins) from adding and
Installer removing software applications with Windows Installer.
Enable Remote The Remote Assistance feature is a convenient way for an administrator to
Assistance remotely connect to a computer and with permission view the screen, move
the mouse, use the keyboard and chat online.
Secure Desktop This restriction is used to stop interactive users from snooping on other user
Restriction sessions by exploiting a Windows vulnerability. This feature is enabled by
default but may interfere with some software applications.
* Enable Advanced File This setting is used to enable the ability to control advanced NTFS permissions
System and Sharing on local and shared files.
Security
Disable Menu Bars This tweak can be used to disable the menu bar in standard Windows
and the Start Button applications and the Start Button.
Disable Storage of This setting controls the storage of authentication credentials and .NET
Credentials and .NET passwords on the local system. By disabling this feature, passwords will not
Passwords be stored.

1 of 29
Windows Security Officer

Disable System System Restore allows users to revert Windows settings and configuration
Restore Tools and changes to an earlier point in time (called Restore Points). This tweak can be
Settings used to restrict user access to the System Restore tools and settings.

Disable Group Policy This setting is used to disable the use of group policy objects on the local
Objects computer.
Change Default Windows XP may assign the ownership of some file system objects to the
Administrator Administrator account, instead of the Administrators group. This behaviour
Ownership may not be desirable where there are multiple administrative users.

Secure Access to This setting determines whether the ability to access removable drives is
Removable Drives available to other users.

* Reboot Windows This parameter controls whether Windows should automatically reboot after a
After a Crash system failure or if the blue crash screen should be displayed.
Skip the Open With Normally when you attempt to open an unknown file type a popup message is
web service prompt shown asking whether you would like to use the online web service to find the
appropriate program to open the file. This setting allows you to disable this
prompt, causing the Open With dialog to display immediately.
Speed-up Access to Windows XP can run slowly when attempting to access a folder that contains
AVI Media Files a large number of AVI (Audio Video Interleave) media files. This tweak speeds
the process up by stopping Windows from extracting file information from
AVIs.
Show Detailed If you require additional information about a device that is not typically
Information in Device displayed in Device Manager, you can use this tweak to make Device
Manager Manager show detailed device information.

Show All Hidden Devices that are installed but are not currently connected to the computer
Devices in Device (such as a Universal Serial Bus (USB) device or 'ghosted' devices) are not
Manager normally displayed in Device Manager. This tweak causes all devices to be
shown.
Disable the Recycle This setting is used to disable the use of the recycle bin and permanently
Bin remove all deleted items instead. This enables the same functionality as
holding the Shift key while deleting items.
Disable the Creation This setting allows you to disable the creation of the LastKnownGood
of Last Known Good configuration, which stores a copy of the configuration after each successful
boot-up.
Automatically Ending When this tweak is enabled it will force Windows to shutdown immediately
Hung Applications ending all tasks without attempting to safely close any applications that have
hung.
Show Encryption You may find it easier to use the Encrypting File System (EFS) by placing
Commands on the 'Encrypt' and 'Decrypt' commands on the Windows Explorer context menu
Shortcut Menu when a file is right-clicked with the mouse.

Search for All File Windows normally only includes registered file types when searching for files
Types and folders. This tweak can be used to enable searching of all file types.
Manage Floppy If this setting is enabled, a user has full access to all drives on the system and
Access from can copy files from the hard drive to the floppy disk when using the Recovery
Recovery Console Console.

Enable NTP Time This setting is used to enable the local machine to act as a Network Time
Server Protocol (NTP) server. When enabled other machines can synchronise their
clocks with this machine.

2 of 29
Windows Security Officer

Windows Common Restrictions \ Network

Disable File Sharing When 'File and Printer sharing...' is installed it allows users to make
services available to other users on a network, this functionality can be
disabled by changing this setting.
Disable Printer Sharing When 'File and Printer sharing...' is installed it allows users to make
services available to other users on a network, this functionality can be
disabled by changing this setting.
Hide Share Passwords This setting controls whether the password typed when accessing a file
with Asterisks share is shown in clear text or as asterisks.
Disable Caching of Enabling this setting, disables the caching of the NT domain password,
Domain Password and therefore it will need to be re-entered to access additional domain
resources.
Automatic Hidden Shares This key controls whether the administration shares are created ie. c$ and
d$. Set this option to disable admin shares for a server and for a
workstation.
Disabling Save Password When you dial a phonebook entry in Dial-Up Networking (DUN), you can
option in Dial-Up use the 'Save Password' option so that your DUN password is cached
Networking and you will not need to enter it on successive dial attempts. This key
disables that option.
Hiding Servers from the If you have a secure server or workstation you wish to hide from the
Browser List general browser list, use this option.
Restricting Information Windows NT has a feature where anonymous logon users can list domain
Available to Anonymous user names and enumerate share names. Customers who want enhanced
Logon Users security have requested the ability to optionally restrict this functionality.

Disable File Caching for If you are experiencing problems with workstations flushing data to the
the Workstation Service server, then you can use this tweak to disable or enable file caching.
Use System-Wide Proxy This setting allows you to change the scope of the Internet proxy
Settings configuration and specify whether all users should share system-wide or
individual settings.
Delete Cached Copies of This setting enables Windows to delete the cached profile of any roaming
Roaming Profiles users when they log off the system. This will help to maintain profile
integrity and save disk space where that are numerous mobile users.
Disable the Printer Server When this option is enabled, the print spooler does not send shared
Browse Thread printer information to other print servers.
Control Automatic DNS This value disables that automatic cache updated from the DNS root
Server Cache Updates servers. Useful when there is a problem with the root servers, or if you
wish to completely control DNS updates.
Keep Remote When you log off from a Windows client any Remote Access Service
Connections Active After (RAS) connections will be automatically disconnected. Enable this setting
Logging Off to remain connected after logging off.

Disable Automatic Modem If remote connections are enabled in Windows, the system may try to
Connections at Startup initiate an Internet connection at Windows startup or at the start of many
applications. This setting disables that behaviour.
Disable SSDP Discovery Windows Messenger uses the Simple Service Discovery Protocol (SSDP)
in Windows Messenger to attempt to locate upstream Internet gateways on UDP port 1900. This
tweak allows you to disable Universal Plug and Play Network Address
Translation discovery to reduce bandwidth and increase security.

3 of 29
Windows Security Officer

Disable Network Bridge Windows XP includes a new feature called Network Bridge, which lets you
Feature connect disparate media types into one seamless network. This tweak
allows you to control forwarding and settings associated with this feature.
Disable Automatically Windows will normally attempt to detect the time-out on network links to
Detect Slow Network determine their speed (high or low). This functionality can be disabled if
Connections Windows is having problems determining the speed of your link.

Disable Web Printing This restriction enables and disables server support for Internet printing.
Internet printing lets you display printers on Web pages so they can be
viewed, managed, and used across the Internet or an intranet.
Disable Offload IP This setting is used to control whether IP Security (IPSEC) tasks should
Security Task Processing be offloaded to a network card with IP security capabilities.
Disable the Ability to It is possible for a malicious user to shut down a computer browser, or all
Remotely Shutdown the computer browsers, on the same subnet. If all of the computers on the
Computer Browser same subnet are shut down, they can then declare their own computer the
Service new master browser.

Disables DHCP Router The ICMP Router Discovery Protocol (IRDP) comes enabled by default
Discovery for Windows clients using DHCP. This can be a security issue because by
spoofing IRDP Router Advertisements, an attacker can remotely add
default route entries on a remote system.
Hide Computer from the If you have a secure server or workstation you wish to hide from the
Browser List general browser list, then enable this setting.
Disable Distributed Distributed Component Object Model, or DCOM, provides a method for
Component Object Model distributed network applications to communicate with one another. This
(DCOM) setting allow you to disable support for DCOM.

Remove the Map and Prevents users from making additional network connections by removing
Disconnect Network Drive the Map Network Drive and Disconnect Network Drive buttons from the
Options toolbar in Explorer and also removing them from the Context menu of My
Computer and the Tools menu of Explorer.

Windows Common Restrictions \ Login and Authentication

Stop the system Normally Windows Update will automatically reboot the system when you
automatically have your system configured to 'Automatically download recommended
rebooting after updates for my computer and install them' and one or more of those updates
Windows Updates requires a reboot. This settings changes the behavior so when users are
logged in the system will not automatically reboot.
Show Administrator on When logging into Windows the Administrator account is not normally
the Welcome Screen available on the Welcome screen. This tweak adds it to the Welcome screen
and allows you to login like a normal account.
Hide the Welcome This setting hides the welcome screen that is normally displayed each time
Screen the user logs on to Windows 2000 or XP Professional.
Show Options on This setting controls whether the options to enter a domain or to log on using
Logon Dialog Box a dial-up connection are shown on the Windows logon box.
Use Active This setting controls whether a full login should be performed when a
Authentication for workstation is unlocked or a password is used with the screen saver.
Unlock and Screen Normally Windows will not check some settings such as whether the account
Saver has been locked out.

4 of 29
Windows Security Officer

Allow Fast User Fast user switching allows you to quickly switch to another user account
Switching without having to close any programs. This setting controls whether fast user
switching is available.
Change the Login This setting controls which type of logon screen is shown, either the classic
Window to the classic Windows NT/2000 format or the Windows XP welcome screen.
Disable the Auto Logon When using the automatic login feature it is possible for a user to hold the
Shift Override Feature Shift key to bypass the login sequence and enter a username and password.
This feature disables the ability to override the function.
Customize the This setting allows you to add additional text to the title of the standard
Windows Logon and Windows Logon and Windows Security dialog boxes.
Security Dialog Title
Force the Use of Normally when a Windows machine is configured to automatically logon to a
Automatic Logon specified account users can bypass this and enter alternate account
information. This tweak forces the machine to auto logon and to ignore any
bypass attempts.
* Enable Shutdown from When this setting is enabled a Shutdown button is displayed in authentication
Authentication Dialog dialog box when the system first starts. This allows you to shutdown a
Box system without logging in. The button is shown by default on a workstation
and removed on a server installation.
Automatic Logon to Windows includes a feature that allows you to configure the computer to
Windows automatically logon to the network, bypassing the Winlogon dialog box.
Do not Display Last Enabling this key will blank the username box on the logon screen. Preventing
User Name people that are logging on from knowing the last user on the system.

* Automatic The recovery console is a command line environment that is used to recover
Administrative Logon from system problems. This setting controls whether the administrator
to Recovery Console account will be logged on automatically or be required to enter a password
when the recovery console is invoked during startup.
* Show Verbose Security This setting allows you to configure Windows so that you receive verbose
Status Messages startup, shutdown, logon, and logoff status messages. This may be helpful to
in troubleshooting slow startup, shutdown, logon, or logoff behaviour.
Require Users to Press This setting controls whether users are required to press Ctrl + Alt + Delete
Ctrl+Alt+Delete Before as a security precaution before logging into the system.
Logon

* Allow Portables to This setting controls whether users with portable computers have the option
Undock Before Logon to undock the system before they have logged onto the computer.
Disable the Lock Add this setting to the registry to stop unauthorized users from locking
Workstation Button machines from the Windows Security dialog box.
Change the Message You can personalize (or legalize) the message displayed on the logon box
Shown on the Logon above the user name and password.
Box
Require Alphanumeric Windows by default will accept anything as a password, including nothing.
Windows Password This setting controls whether Windows will require a alphanumeric password,
i.e. a password made from a combination of alpha (A, B, C...) and numeric
(1, 2 ,3 ...) characters.
Disabled Password Normally Windows caches a copy of the users password on the local system
Caching to allow for additional automation, this leads to a possible security threat on
some systems. Disabling caching means the users passwords are not
cached locally. This setting also removes the second Windows password
screen and also remove the possibility of networks passwords to get out of

5 of 29
Windows Security Officer

sync.
* Disable Send Plain When connecting to some SMB servers, such as Samba and LAN Manager
Text Passwords for UNIX, you may be required to send unencypted password. This setting
enables that functionality.
Prompt for Password This setting allows you to configure the computer to always lock and require
on Resume a password after resuming from hibernate or suspend mode.
Enable Quick Reboot This setting allows you to use the quick reboot function to restart Windows
immediately without shutting down. When enabled, press Shift + Ctrl + Alt +
Delete for a quick reboot.
Enable Shutdown The Shutdown Event Tracker provides a simple and standard mechanism you
Event Tracker can use to consistently document the reasons for shutting down or restarting
your computer. The information provided is recorded in the system log in
Event Viewer.
* Power the Computer This setting controls whether Windows should automatically power down or
Off After Shutdown reboot your computer once it has finished the shutdown process.

Windows Common Restrictions \ Internet

Use System-based Internet restrictions are normally dynamically loaded for each user, therefore
Internet Restrictions settings for one user do not affect the settings of another. This tweak forces
Windows to use the local machine settings rather than those of the current
user.
* Change the Default The setting allows you to change which program is opened and used to send
Mail Client an e-mail messages when you click on a 'mailto:' link in a web page.
Value: "C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE" -c IPM.Note
/m "%1"

Windows Common Restrictions \ Software Restrictions

Change the Search This tweak allows you to specify an alternate search assistant page, such
Assistant in Internet as Google, in Internet Explorer.
Explorer
Change the Default By default a Microsoft search page is shown when a user clicks on the
Internet Explorer Search 'Search' toolbar button in Internet Explorer. This tweak allows you to specify
Page an alternate search URL.

Remove Windows This tweak can be used to remove the integration of Windows Messenger
Messenger from into Internet Explorer. It will remove both the toolbar icon and Tools menu
Internet Explorer item.

Specify the Location of When a user selects 'Online Support' from the Internet Explorer help menu
the Online Support Site they are usually redirected to a Microsoft web page. This tweak allows you
to specify an alternate URL and web site.
Disable Netmeeting This setting enables the debug logging functions in Microsoft Netmeeting.
Logging This may be useful to diagnose faults or connection issues.

* Disable Auto Upgrade When Windows Media Player is used it will periodically check for newer
with Windows Media versions via the Internet. This tweak allows you to turn off this checking and
Player notification.

6 of 29
Windows Security Officer

Block Executable Outlook Express normally allows you to view and save all e-mail
Attachments in Outlook attachments. This tweak blocks executable files that potentially contain
Express harmful viruses.

Remove Windows This tweak is used to remove MSN Instant Messenger functionality and
Messenger from integration from Outlook Express.
Outlook Express
Disable the Ability to This tweak is used to specify whether HTTP mail servers, such as Hotmail,
Use HTTP Mail in can be used or created in Outlook Express.
Outlook Express
Disable Account This setting disables the ability for users to create or modify any mail, news
Changes in Outlook or directory accounts in Outlook Express.
Express
Change the Messenger When you start a chat in Windows Messenger a warning is shown that says
Warning Message 'Never give out your password or credit card number in an instant message
conversation'. This tweak allows you to customize this message for
example to display your company chat policy.
Disable Remote This setting allows administrators using Windows Terminal Services to
Administration of remotely install and configure software using Windows Installer.
Windows Installer
Disable Ability to Skip Normally if you hold the Shift key while Windows is loading you can prevent
Startup Programs the Startup applications from being launched. This setting disables the
ability to by-pass these programs.
Restrict Interactive Windows services normally have the option of interacting with the desktop,
Services to display information and accept input. For security reasons this tweak
allows you to restrict service interactivity.
Disable Universal Plug Windows XP includes support for Universal Plug and Play (UnPnP) which
and Play Services allows UnPnP devices to be connected over a network. There are currently
limited UnPnP devices available and due to a recent security flaw it may be
advisable to disable these services.

User Restrictions \ Control Panel \ Display settings

Disable the Display This option disables the display settings control panel icon, and stops
Control Panel users from accessing any display settings.
Hide the Background This option hides the background page, stopping users from changing any
page background display settings.
Hide the Screen Saver This option hides the screen saver page from the display settings control,
page which stops users having access to change screen saver settings.
Hide the Settings page This option hides the Settings page from the display properties control.
Hide the Appearance This setting, once enabled, hides the display settings appearance page.
page
Hide the Themes Settings This option hides the Themes tag which prevents the user from selecting
Page an alternate theme. Themes normally include a background plus sounds,
icons and other elements.
Disable the 'Windows and This option hides the 'Windows and buttons' style control.
buttons' style control

7 of 29
Windows Security Officer

Disable the 'Color This option hides the 'Color scheme' control.
scheme' control
Disable the 'Font size' This option hides the 'Font size' control.
control
Hide the Keyboard This restriction disables the 'Hide keyboard navigation indicators until I use
Navigation Settings the ALT key' option in the Display Control Panel.
Restrict Changes to This restriction prevents users from selecting the option to animate the
Animation Settings movement of windows and menus.

User Restrictions \ Control Panel \ Control Panel Applets

not found any tweak

User Restrictions \ Control Panel \ Internet options

Disable the Internet Disable the Internet Options

Options
Don't allow to change the Don't allow to change the Home Page in the Internet Options
Home Page
Disable the General Tab Disable the General Tab in the Internet Options
Disable the Security Tab Disable the SecurityTab in the Internet Options
Disable the Content Tab Disable the Content Tab in the Internet Options
Disable the Connections Disable the Connections Tab in the Internet Options
Tab
Disable the Privacy Tab Disable the Privacy Tab in the Internet Options
Disable the Programs Disable the Programs Tab in the Internet Options
Tab
Disable the Advanced Disable the Advanced Tab in the Internet Options
Tab
Disable Password When you attempt to view a password-protected site, you are normally
Caching in Internet prompted to type your username and password with an option to 'Save this
Explorer password in your password list'. This tweak can be used to disable the
ability for users to save passwords.
Disable all options under Disables all options under Accessibility.
Accessibility
Disable changing Prevents changing Personal Certificate options.
Personal Certificate
options
Disable changing Prevents changing Publisher Certificate options.
Publisher Certificate
options
Disable changing Site Prevents changing Site Certificate options.
Certificate options

8 of 29
Windows Security Officer

Disable changing Prevents changing Security Levels for the Internet Zone.
Security Levels for the
Internet Zone
Disable adding Sites to Prevents adding Sites to any zone.
any zone
Disable changing privacy Prevents changing privacy settings.
settings
Disable AutoComplete Prevents AutoComplete for forms.
for forms
Disable Prompt me to Prevents Prompt me to save password from being displayed.
save password from
being displayed
Disable the Internet Prevents the Internet Connection Wizard.
Connection Wizard
Disable any changes to Prevents any changes to Temporary Internet Files.
Temporary Internet Files
Disable the Reset web Prevents the Reset web Setting button.
Setting button
Prevent changes to Prevents changes to advanced settings.
advanced settings
Prevent changes to Prevents changes to Automatic Configuration.
Automatic Configuration
Prevent changes to Prevents changes to temporary file settings.
temporary file settings
Prevent changes to Prevents changes to calendar and contacts.
calendar and contacts
Prevent changes to Prevents changes to security certificates.
security certificates
Prevent changes to Prevents changes to default browser check.
default browser check
Prevent Color changes Prevents Color changes.
Prevent changes to Prevents changes to connection settings.
connection settings
Disable the Connection Disables the Connection Wizard.
Wizard
Disable font changes Disables font changes.
Disable changes to Disables changes to History settings.
History settings
Disable Language Disables Language changes.
changes
Disable Links changes Disables Links changes.
Disable Messaging Disables Messaging changes.
changes

9 of 29
Windows Security Officer

Disable changes to Disables changes to Profiles.

Profiles
Disable changes to Disables changes to Proxy settings.
Proxy settings
Disable Ratings changes Disables Ratings changes.
Disable changes to Disables changes to Wallet settings.
Wallet settings

User Restrictions \ Control Panel \ Printers

Hide the General and This option hides the printer details and general printer information pages.
Details Printer Pages Once enabled this option stops users from changing specific printer settings.
Disable the Addition of Any user can add a new printer their system, this option once enabled
Printers disables the addition of new printers to the computer.
Disable the Deletion of Printers can be deleted simply by anyuser pressing the delete key, enabling
Printers this setting stops users from being able to delete printers.

User Restrictions \ Control Panel \ Add-Remove Programs

Remove Add/Remove This option disables Add/Remove Programs.

Programs
Hide change or remove This option disables Change and Remove Programs Option
programs page
Hide Add New Programs This option disables Add Programs
page
Hide Add/Remove This option disables Windows Components Wizard
windows components
Hide the add a program This option hides 'Add a program from CD-ROM or disk' option.
from CD-ROM or floppy
option
Hide Add programs from This option hides 'Add programs from Microsoft' option.
Microsoft option
Hide Add programs This option hides 'Add programs from your network' option.
fromNetwork option
Go directly to Go directly to Windows Components Wizard.
Components Wizard
Remove support This option disables Disable Support Information.
information
Specify default category This option is used to hide 'Set Program Access and Defaults' on the Add
for Add New Programs or Remove Programs page. This feature was introduced with Windows
XP SP1 and Windows 2000 SP3 to allow users to configure the default
applications used on the PC.
Hide Set Program Access This restriction is used to hide 'Set Program Access and Defaults' on the
and Defaults in Add or Remove Programs page.

10 of 29
Windows Security Officer

Add/Remove Programs

User Restrictions \ Control Panel \ Control panel restrictions

Disable Control This setting allows you to restrict user access to the Control Panel options and
Panel settings.
Force the Control This setting specifies the visual style of the Control Panel. Allowing you to either
Panel Display Style force the use of the new XP style, classic style or allow the user to select the
preferred style.

User Restrictions \ Active Desktop

Force the Use of Active Desktop
Restrict Changes to Active
Desktop Settings
Disable Active Desktop
Remove Active Desktop Options
from the Settings Menu
Disable the ability to change
wallpapers
Disable components
Disable the ability to add
components
Disable the ability to delete
components
Disable the ability to edit
components
Prevents adding, dragging,
dropping and closing the
Taskbar's toolbars
Restrict adjustments to desktop
toolbars
Only allow bitmaps (BMP) as
wallpaper
The user is normally given the option of disabling Active Desktop
through the display properties. This tweak removes the ability to
disable Active Desktop.
This tweak allows you to have Active Desktop enabled, but to
restrict any changes to the settings.
This tweak will disable the use of the Active Desktop feature.
The tweak will remove the Active Desktop options from Settings
on the Start Menu.
The tweak will disable the ability to change wallpapers.
The tweak will disable components.
The tweak will disable the ability to add components.
The tweak will disable the ability to delete components.
The tweak will disable the ability to edit components.
The tweak will prevents adding, dragging, dropping and closing
the Taskbar's toolbars.
The tweak will restrict adjustments to desktop toolbars.
The tweak will only allow bitmaps (BMP) as wallpaper.

User Restrictions \ Desktop and Explorer

Restrict the Screen
Saver
Screen Saver Password
Protection Policy
This restriction can be used to specify the screen saver or to stop screen
savers from running. Also, the Screen Saver settings page is disabled, so
users cannot change the screen saver options.
This restriction determines whether the screen saver is password protected
and prevents users from changing the password-protection setting.

11 of 29
Windows Security Officer

Enforce Shell Extension This restriction can be used to limit the system to only run files that have an
Security approved shell extension.
Remove the Distributed This restriction removes the Distributed File System (DFS) tab from
File System Tab Windows explorer. This prevents users from viewing or changing the
properties of local DFS shares.
Remove the Security This restriction removes the Security tab from Windows explorer which
Tab prevents users from accessing or changing the security permissions of
folder and file objects.
Remove the Hardware This restriction removes the hardware tab from applicable items in the
Tab Control Panel and from the local drive properties. This prevents users from
changing the hardware device properties.
Remove Properties from This restriction remove the properties option from My Computer and hides
My Computer the 'System Properties' screen.
Remove the Ability to This setting allows you to remove the ability to change, add or delete file
Modify File Types types using explorer the Folder Options interface.
Remove the Option to By default users are able to select which toolbars are displayed either be
Change or Hide right clicking the toolbar itself, or by changing the options from the View
Toolbars menu. This tweak locks the toolbars, removing the ability to change which
are displayed.
Disable the Ability to By right clicking on a toolbar you are usually given the option to Customize,
Customize Toolbars which allows you to change which functions are available from the toolbar.
This tweak allows you to disable that function.
Disable Folder Options This tweak allows you to hide the Folder Options function from the folder
Menu Tools menu. Allowing you to restrict access to numerous advanced folder
features.
Disable the Ability to This tweak removes the context menu that would normally appear when the
Right Click on the user right clicks on the desktop or in the Explorer right results pane.
Desktop
Remove File Menu from This setting is used to Remove the File option from the Explorers toolbar.
Explorer
Hide the Network The Network Neighborhood icon is shown on the Windows desktop
Neighborhood Icon whenever Windows networking is installed, by enabling this setting the icon
will be hidden.
Hide All Items on the Enabling this options hides all the items and programs on the Windows
Desktop desktop.
Disable the Change This setting disables the 'Change Password' button on the Windows
Password Button Security dialog box. Enabling this setting stops casual users from being able
to change the password.
Disable the Windows This restriction allows you to disable the use of the Windows hotkey
Hotkeys combinations that provide shortcuts to the Start Menu and task swapping.
Restore Folder Windows This option controls whether Windows will attempt to re-open any folders
at Startup that were already open when the system was last shutdown.
Remove Shared The Shared Documents folder allows users to easily share files and folders
Documents from My over a network. This restriction will remove the 'Shared Documents' object
Computer from My Computer.

Automatically Expand When using Windows Explorer the selected folder is automatically
Folders in Explorer expanded in the left-hand folder list. This setting allows you to control that
functionality.

12 of 29
Windows Security Officer

Show Hidden Operating This setting controls whether the normally hidden operating system files
System Files should be displayed when using explorer to browse the file system.
Launch Folder Windows This setting controls whether each folder window is launched as a separate
in a Separate Process explorer task. The benefit of this method is that if one window has an error
and crashes the others should be not be affected. The disadvantage is that
it takes more system resources for each folder.
Remove My Computer This restriction removes My Computer from the desktop and Start menu.
from the Desktop and
Start Menu
Disable Desktop By default Windows will run the Desktop Cleanup Wizard every 60 days to
Cleanup Wizard remove unused desktop items and shortcuts. This setting will disable it from
running automatically.
* Show Pop-up This setting controls whether pop-up tool tip information and descriptions
Descriptions for are shown when the mouse is hovered over desktop and explorer items.
Explorer and Desktop
Items
Force Windows to Use This tweak disables the various enhanced features of the Windows shell
the Classic Desktop which are included in newer releases of Windows and Internet Explorer. It
will remove features including Active Desktop, Web view, thumbnail views
and the quick launch toolbar.
Remove My Network This restriction removes My Network Places icon from Explorer
Places

User Restrictions \ Network

Hide the Active Directory This restriction is used to remove the Active Directory folder from My
Folder in My Network Network Places. This still allows users to search but not browse the Active
Places Directory.

Restrict add and remove This restriction is used to restrict add and remove network components.
network components
Restrict changes to This restriction is used to restrict changes to Advanced Settings.
Advanced Settings
Restrict changes to This restriction is used to restrict changes to advanced TCPIP
advanced TCPIP configuration.
configuration
Restrict changes to This restriction is used to restrict changes to protocol and service bindings.
protocol and service
bindings
Restrict deletion of public This restriction is used to restrict deletion of public RAS connections.
RAS connections
Restrict deletion of RAS This restriction is used to restrict deletion of RAS connections.
connections
Restrict changes to the This restriction is used to restrict changes to the Dial-up Preferences.
Dial-up Preferences
Restrict access to This restriction is used to restrict access to component properties of a
component properties of LAN connection.
a LAN connection

13 of 29
Windows Security Officer

Restrict connecting and This restriction is used to restrict connecting and disconnecting a LAN
disconnecting a LAN connection.
connection
Restrict access to This restriction is used to restrict access to properties of a LAN
properties of a LAN connection.
connection
Disable the Network This restriction is used to disable the Network Connection wizard.
Connection wizard
Disable the Network This restriction is used to restrict access to properties of public RAS
Connection wizard connections.
Restrict access to This restriction is used to restrict access to properties of a RAS
properties of a RAS connection.
connection
Restrict connecting and This restriction is used to restrict connecting and disconnecting a RAS
disconnecting a RAS connection.
connection
Restrict access to private This restriction is used to restrict access to private RAS connection
RAS connection properties.
properties
Restrict renaming of This restriction is used to restrict renaming of public RAS connections.
public RAS connections
Restrict renaming of This restriction is used to restrict renaming of connections.
connections
Restrict renaming of LAN This restriction is used to restrict renaming of LAN connections.
connections
Restrict renaming of This restriction is used to restrict renaming of private RAS connections.
private RAS connections
Disable status statistics This restriction is used to disable status statistics for an active connection.
for an active connection
Disable Recent Shares in This restriction stops remote shared folders from being added to Network
Network Places Places whenever you open a document in the shared folder.
Hide Computers Near Me This setting allows you to show or hide the computers listed Near Me in
in Network Places My Network Places.
Hide Workgroup Content Enabling this option hides all Workgroup contents from being displayed in
from Network Network Neighborhood.
Neighborhood
Hide Entire Network in Entire Network is an option under Network Neighborhood that allows users
Network Neighborhood to see all the Workgroups and Domains on the network. Entire Network
can be disabled, so users are confined to their own Workgroup or Domain.
Remove the Map and Prevents users from making additional network connections by removing
Disconnect Network the Map Network Drive and Disconnect Network Drive buttons from the
Drive Options toolbar in Explorer and also removing them from the Context menu of My
Computer and the Tools menu of Explorer.
Remove Log Off from the This tweak allows you to remove the Log Off (Username) option from the
Start Menu Start menu.

14 of 29
Windows Security Officer

Disable Automatic Windows can be configured to automatically download missing COM

Download of COM classes and objects over the network. This setting allows you to disable or
Components enable this feature.

User Restrictions \ Start Menu and Taskbar

Force Logoff on the Start This setting forces the Logoff button to appear on the Start menu and
Menu prevents users from removing or hiding it.
Remove My Network This restriction hides the My Network Places button on the Windows XP
Places from the Start simple Start menu.
Menu
Remove the Toolbars on This restriction is used to remove all the toolbars, including Quick Launch,
the Taskbar from the taskbar. It also restricts the ability to re-enable them.
Remove Tray Items from This setting removes and restricts access to the tray icons normally found
Taskbar next to the clock on the taskbar.
Lock the Taskbar This restriction is used to force the locking of the taskbar and restrict
users from making any changes to its position.
Force the Use of the This restriction forces users to use the classic Windows start menu,
Classic Start Menu instead of the new format introduced with Windows XP.
Restrict the Start Menu This restriction removes the ability for a user to enable the 'Log Off...'
Log Off Option option on the Start Menu.
Hide the Taskbar Clock This setting allows you to remove the clock from the system tray on the
taskbar.
Remove the Windows This setting is used to hide the Windows NT Security menu item on the
Security on Start Menu Start Menu of a terminal server session. These settings are compatible
with Windows Server 2003.
Remove the Help Option This restriction removes the Help option from the Start Menu.
from the Start Menu
Hide Administrative Tools As with Windows NT, Windows 2000 has an 'Administrative Tools' folder
Menu on the Start Menu. This folder contains powerful administration utilities
and therefore can be hidden to avoid accidental use.
Disable Drag-and-Drop on This restriction prevents users from modifying the Start menu by dragging
the Start Menu and dropping items.
Remove Common Disables the display of common groups when the user selects Programs
Program Groups from from the Start menu.
Start Menu
Hide the Taskbar Settings This restriction removes the Taskbar and Start Menu item from the
on the Start Menu Control Panel, and it also removes the Properties item from the Start
menu context menu.
Hide Control Panel, This restriction removes the Control Panel, Printers and Network
Printer and Network Connection settings from the Start menu. If the Taskbar settings are also
Settings hidden it causes the Settings menu to be completely removed.

Remove Run from the Removes the ability to launch commands or processes from the Start
Start Menu menu by removing the Run option.
Remove Search from the This restriction removes the Search feature from the Start Menu.
Start Menu

15 of 29
Windows Security Officer

Disable the Shut Down This option allows you to stop users from being able to shutdown the
Command computer by disabling the shut down command.
Disable Taskbar Context This setting removes the context menus (right click on the taskbar) for the
Menus system tray, including the Start button, Tab control, and Clock.
Remove the Start Banner Hide the bouncing arrow and the 'Click Here to Begin' caption that appear
on the Taskbar on the taskbar when you start Windows.
Automatically Hide This setting controls whether running tray programs should be hidden
Inactive Tray Icons automatically when they are not active.
Highlight New Programs When you install a new Windows program the icon will be highlighted on
on Start Menu the Start Menu to allow you to quickly locate it. This tweak controls
whether new programs should be highlighted.
Remove the Control Panel Remove the Control Panel Folder from enhanced Start Menu.
Folder from Start Menu
Remove the My Computer Remove the My Computer Folder from enhanced Start Menu.
Folder from Start Menu
Remove the My Remove the My Documents Folder from enhanced Start Menu.
Documents Folder from
Start Menu
Remove the My Music Remove the My Music Folder from enhanced Start Menu.
Folder from Start Menu
Remove the My Pictures Remove the My Pictures Folder from enhanced Start Menu.
Folder from Start Menu
Remove the Network Remove the Network Connections from enhanced Start Menu.
Connections Folder from
Start Menu
Remove Set Program This setting is used to remove the 'Set Program Access and Defaults'
Access and Defaults from icon from the Start Menu. This feature was introduced with Windows XP
Start Menu SP1 and Windows 2000 SP3 to allow users to configure the default
applications used on the PC.
Remove Frequent This restriction removes the list of frequently used programs from the
Programs List from the Start menu.
Start Menu
Remove Pinned Programs This restriction removes the pinned programs list from the Start menu. It
List from the Start Menu also removes the Internet and E-mail checkboxes from the Start menu.
Remove Username from This restriction hides the current username normally displayed at the top
the Start Menu of the Windows XP Start Menu.
Remove 'All Programs' This restriction is used to remove the 'All Programs' button which displays
Button from the Start a list of all the installed applications.
Menu
Remove Undock This policy is used to hide or display the 'Undock Computer' option on the
Computer from Start Start Menu.
Menu
Show Favorites on the This setting controls whether the Favorites folder is shown on the Start
Start Menu Menu.
Remove the Printers and Remove the Printers and Faxes icon from Start Menu.
Faxes icon from Start
Menu

16 of 29
Windows Security Officer

User Restrictions \ System

Restrict use of Enable this setting, to restrict access to all snap-ins, except those that you
Management Console explicitly permit via the Group Policy Restricted/Permitted snap-ins setting
(MMC) Snap-ins folder.

Restrict Author Mode in This restriction stops users from opening the Microsoft Management
Management Console Console and relevant .mmc console files in author mode.
(MMC)
Require Windows Script This setting is used to define whether trusted and untrusted scripts should
Signature Security be executed when using signature verification. By requiring a signature the
system will only execute scripts from verified authors.
Disable CD Burning This restriction is used to disable the use of the inbuilt CD recording
functions of Windows.
Request Alternate These settings control whether users are prompted to enter alternate logon
Installation Credentials credentials when installing software as a non administrative user.
Restrict Access to the The Windows Update feature allows users to easily update Windows
Windows Update components and software over the Internet. These settings allow can be
Feature used to grant or restrict access to this function.

Disable Registry Editing This restriction disables the ability to interactively run the standard Microsoft
Tools registry editing tools such as REGEDIT and REGEDT32.
Disable Task Manager This setting controls the ability for users to start Task Manager and view
processes, running applications and make changes to the priority or state of
the individual processes.
* Read Environment When this value is enabled the variables declared in the Autoexec.bat file will
Variables in be parsed and included in the current user environment.
Autoexec.bat File
Disable Save Settings When Windows exits it normally saves the desktop layout, including icon
at Exit location, appearance and other parameters. This setting disables any
changes from being saved therefore allowing you to preserve a configured
layout.
Hide the Run as... This setting allows you to restrict the ability for users to have access to the
option from the context Run as... service when right clicking on executables files and shortcuts. This
menu tweak also disables the Shift key override feature.

Disable the Recycle Bin This tweak allows you to restrict access to the 'Properties' option on the
Properties Option Recycle Bin right-click context menu.
Disable Update Device This tweak allows you to disable the ability to use Windows Update to
Driver Wizard locate updated drivers for hardware in Device Manager.
Hide Computer This setting allows you to remove the 'Manage' option from the My
Management Option Computer context menu. The Computer Management program is used to
configure the system.

User Restrictions \ User Folder Locations

Restrict changes to My Music Restrict changes to My Music

Restrict changes to My Pictures Restrict changes to My Pictures

17 of 29
Windows Security Officer

Restrict changes to My Documents Restrict changes to My Documents

Restrict changes to Favorites Restrict changes to Favorites

User Restrictions \ Documents and Folders

Remove My Music from the This restriction removes My Music from the Documents folder on the
Start Menu Start Menu.
Remove My Pictures from This restriction removes My Pictures from the Documents folder on the
the Start Menu Start Menu.
Remove My Documents This restriction removes My Documents which is shown under the
from the Start Menu Documents folder on the Start Menu.
Disable Recent Documents Normally when you open or access a document or file it is added to the
History list of recent documents on the Start Menu. This tweak will stop files
from being added to the list.
Remove Network This tweak allows you to hide the Network and Dial-up Connections
Connections from the Start option on the Start Menu.
Menu
Remove Favorites from the This tweak allows you to remove the Favorites folder from the Start
Start Menu Menu.
Remove Recent This setting can be used to remove the recent Documents folder from
Documents from the Start the Start Menu.
Menu

User Restrictions \ Software \ Internet Explorer \ Appearance

Show 'Shortcut to' By default when you hover the mouse over a link in Internet Explorer it will
Label on Internet display 'Shortcut to filename.htm' in the status bar. This tweak controls that
Explorer Links behaviour so that the full URL can be shown instead.

* Lock the Internet This setting allows you to lock the Internet Explorer toolbars in place so they
Explorer Toolbars can not be moved by clicking-and-dragging.
Show Expanded Add to This setting controls whether an expanded or smaller dialog box is shown
Favorites Dialog Box when a site is added to the Internet Explorer favorites.
Use Smooth Scrolling This setting controls whether the smooth scrolling function is used in Internet
in Internet Explorer Explorer to increase the readability while navigating a page.
Automatically Resize This setting controls whether Internet Explorer attempts to automatically
Images in Internet resize an image to fit within the window.
Explorer
Disable the Go Button This setting is used to remove the 'Go' button from the Internet Explorer
in Internet Explorer toolbar.
Display a Background This tweak allows you to choose a a bitmap image to display as the
Bitmap on Explorer background for the explorer toolbars.
Toolbars
Disable Expanding Usually when you click on the New menu in Internet Explorer it is expanded
Internet Explorer New to include options like New Window, Message, Post and Internet Call. Using
Menu this tweak will stop the menu expanding and therefore only display the 'New

18 of 29
Windows Security Officer

Window' option.
Use Personalized Internet Explorer has a feature that automatically hides site that are rarely
Favorites Menu visited from the Favorites menu. This setting allows you to enable or disable
the personalized menu feature.
Show Friendly HTTP By default Internet Explorer will show a friendly version of any HTTP errors it
Error Messages receives, for example Error 404 Page Moved. This tweak controls that
functionality allowing it to be enabled or disabled.
Change the Internet This setting allows you to customize Internet Explorer by using your own
Explorer Window Title window title. For example you could rename IE to 'My Browser' or anything
else you like!
Disable the entire help Disables the entire help menu.
menu
Remove the 'For Removes the 'For Netscape Users' menu item.
Netscape Users' menu
item
Remove the 'Send Removes the 'Send Feedback' menu item.
Feedback' menu item
Remove the 'Tip of the Removes the 'Tip of the Day' menu item.
Day' menu item
Remove the 'Tour' Removes the 'Tour' (Tutorial) menu item.
(Tutorial) menu item
Disable the ability to Disables the ability to change toolbar selection.
change toolbar
selection
Disable the address bar Disables the address bar.
Disable the tool bar Disables the tool bar.
Disable the links bar Disables the links bar.
Disable changes to Disables changes to browsers bars.
browsers bars
Disable the ability to Disables the ability to Save As.
Save As
Disable the Favorites Disables the Favorites.
Disable the File > New Disables the File > New command.
command
Disable the File > Open Disables the File > Open command.
command
Disable the Find Files Disables the Find Files command.
command
Disable the Forward Disables the Forward and Back navigation buttons.
and Back navigation
buttons
Disable Open in New Disables Open in New Window option.
Window option
Remove Print and Print Removes Print and Print Preview from the File menu.
Preview from the File

19 of 29
Windows Security Officer

menu
Remove Mail and News Removes Mail and News menu item.
menu item
Hide My Pictures When displaying an image in Internet Explorer a floating toolbar is shown
Toolbar in Internet that allows you to Save, Print, E-mail or Open the My Pictures folder. This
Explorer setting allows you to hide the toolbar.

Force Plain Text Internet Explorer may not use the 'Text/Plain' Content-Type header field to
Format in Internet properly open a text file on a Web site. This setting forces IE to treat those
Explorer files as text files.

Open Internet Explorer This setting controls whether Internet shortcuts are opened in an existing
Shortcuts in a New available Internet Explorer window or whether a new window should be
Window spawned.

User Restrictions \ Software \ Internet Explorer \ Network and

Connections

Disable Internet When you configure Internet Explorer to use automatic proxy configuration it
Explorer Automatic caches the returned information. If a proxy server fails you may therefore get an
Proxy Caching error message even though others are available. With this setting you can
disable caching to ensure the browser always checks for the latest proxy
information.
Connect to Unicode This setting allows you to control whether Internet Explorer should be able to
Addresses with connect to sites that use multibyte characters in the URL. This is useful when
Internet Explorer connecting to some foreign language sites.

Internet Explorer Internet Explorer has the ability to display FTP sites as if they were local folders.
FTP Mode This tweak controls which mode IE uses for FTP.

User Restrictions \ Software \ Internet Explorer \ Search Features

Use Classic Search in Internet This tweak allows you to disable the new Search Assistant and use
Explorer the traditional search interface in Internet Explorer.
Disable the Custom Search This setting allows you to disable the use of the custom search
Page in Internet Explorer page in Internet Explorer.

User Restrictions \ Software \ Internet Explorer \ Security

Restrict ActiveX This tweak allows you to restrict the ability to install programs via the ActiveX
program installations control using Internet Explorer.
in Internet Explorer
Disable Local Internet Explorer includes an option to load a local stylesheet to set browser
Stylesheets in Internet based preferences for web page styles. This feature can be exploited by
Explorer unauthorized programs to implement unrequested popups and malicious
tracking of user activity. This tweak allows you to disable local stylesheets.
Restrict Import and This restriction can be used to disable the import and export of Internet
Export of Internet Explorer cookies and favorites. When users utilize the 'Import and Export'
wizard on the File menu they will be shown a message when clicking 'Finish'.

20 of 29
Windows Security Officer

Explorer Settings
Disable Caching of This setting controls whether web pages encrypted using Secure Sockets
Secure Web Pages Layer (SSL) should be stored on the hard disk in the temporary Internet
cache.
Empty Temporary This setting controls whether Internet Explorer should delete all of the
Internet Files on Exit temporary Internet files stored during the session when the browser is closed.
Disable Save As Web This restriction disables the ability to save complete web pages including
Page Complete images, scripts, linked files and other elements in Internet Explorer.
Disable Access to File Normally you can use the Internet Explorer address bar to access standard
URLs in Internet files and folders. This setting disables that functionality and only allows access
Explorer to Internet URLs.

Disable File Download This setting allows you to restrict the ability to download files using Internet
in Internet Explorer Explorer.
Always prompt user Always prompt user when downloading files.
when downloading
files
Disable the option of Disables the option of closing Internet Explorer.
closing Internet
Explorer
Disable right-click Disables right-click context menu.
context menu
Disable the option of Disables the option of selecting a download directory.
selecting a download
directory
Disable the Full Disables the Full Screen view option.
Screen view option
Disable the ability to Disables the ability to view the page source HTML.
view the page source
HTML
Disable Internet This setting is used to disable download completion notification in Internet
Explorer Download Explorer.
Notification
Launch Browser This setting specifies whether a new process is created for each instance of
Windows in a Internet Explorer that you start. This can prevent one instance of Explorer
Separate Process from affecting other instances if it stops responding.

Specify the Default This setting is used to specify which directory should be used as the default
Internet Explorer location to save downloaded files retrieved using Internet Explorer.
Download Directory
Disable Check for Internet Explorer 5 and higher has the ability to automatically check for
Internet Explorer software updates. This tweak controls that feature.
Updates
Disable the Auto This setting controls whether the automatic text completion (AutoComplete)
Complete Mode feature of Windows Explorer appends the suggested text to the words as you
are typing as well as showing a drop-down list of available values.
* Disable the Internet When an Internet Explorer detects an error on a page it has the ability to
Explorer Script launch a script debugger to diagnose the problem. This setting controls the
Debugger use of the Internet Explorer script debugging functions.

21 of 29
Windows Security Officer

Hide the Internet This option hides the Internet Explorer icon from the Windows desktop.
Explorer Icon

User Restrictions \ Software \ Internet Explorer \ Internet Explorer

Toolbar Buttons

.Remove Selected Internet Explorer
Toolbar Buttons
Remove the 'Back' button
Remove the 'Copy' button
Remove the 'Cut' button
Remove the 'Discussions' button
Remove the 'Edit' button
Remove the 'Encoding' button
Remove the 'Favorites' button
Remove the 'Folders' button
Remove the 'Forward' button
Remove the 'Fullscreen' button
Remove the 'History' button
Remove the 'Home' button
Remove the 'MailNews' button
Remove the 'Media' button
Remove the 'Paste' button
Remove the 'Print' button
Remove the 'PrintPreview' button
Remove the 'Refresh' button
Remove the 'Search' button
Remove the 'Size' button
Remove the 'Stop' button
Remove the 'Tools' button
These settings allow you to hide and disable specific buttons
on the Internet Explorer toolbar.
Remove the 'Back' button on the Internet Explorer toolbar.
Remove the 'Copy' button on the Internet Explorer toolbar.
Remove the 'Cut' button on the Internet Explorer toolbar.
Remove the 'Discussions' button on the Internet Explorer
toolbar.
Remove the 'Edit' button on the Internet Explorer toolbar.
Remove the 'Encoding' button on the Internet Explorer toolbar.
Remove the 'Favorites' button on the Internet Explorer toolbar.
Remove the 'Folders' button on the Internet Explorer toolbar.
Remove the 'Forward' button on the Internet Explorer toolbar.
Remove the 'Fullscreen' button on the Internet Explorer
toolbar.
Remove the 'History' button on the Internet Explorer toolbar.
Remove the 'Home' button on the Internet Explorer toolbar.
Remove the 'MailNews' button on the Internet Explorer
toolbar.
Remove the 'Media' button on the Internet Explorer toolbar.
Remove the 'Paste' button on the Internet Explorer toolbar.
Remove the 'Print' button on the Internet Explorer toolbar.
Remove the 'PrintPreview' button on the Internet Explorer
toolbar.
Remove the 'Refresh' button on the Internet Explorer toolbar.
Remove the 'Search' button on the Internet Explorer toolbar.
Remove the 'Size' button on the Internet Explorer toolbar.
Remove the 'Stop' button on the Internet Explorer toolbar.
Remove the 'Tools' button on the Internet Explorer toolbar.

User Restrictions \ Software \ Netmeeting \ Netmeeting Policies

and Restrictions

Disable Call Security Call Security is a new feature in NetMeeting that provides security for data
exchanged during NetMeeting chat, whiteboard, shared program, and data

22 of 29
Windows Security Officer

exchange features.
Disable Intranet Web Disable Intranet Web Directory.
Directory
Disable Maximum Disable Maximum Bandwidth.
Bandwidth
Disable Adding Disable Adding Directory Servers.
Directory Servers
Disable Advanced Disable Advanced Audio.
Audio
Disable Advanced Disable Advanced Calling.
Calling
Not Allow Control Not Allow Control.
Disable Application Disable Application Sharing.
Sharing
Disable Audio Disable Audio.
Disable Audio Control Disable Audio Control.
Disable Auto Disable Auto Accepting Calls.
Accepting Calls
Disable Changing Disable Changing Direct Sound.
Direct Sound
Disable Changing Call Disable Changing Call Mode.
Mode
Disable Chat Disable Chat.
Disable Directory Disable Directory Services.
Services
Disable Full Duplex Disable Full Duplex.
Disable General Disable General Control.
Control
Disable New White Disable New White Board.
Board
Disable Old White Disable Old White Board.
Board
Disable Receiving Disable Receiving Files.
Files
Disable Receiving Disable Receiving Video.
Video
Disable Sending Files Disable Sending Files.
Disable Sending Disable Sending Video.
Video
Disable Sharing Disable Sharing.
Disable Sharing Disable Sharing Desktop.
Desktop

23 of 29
Windows Security Officer

Disable Sharing Dos Disable Sharing Dos Windows.

Windows
Disable Sharing Disable Sharing Explorer.
Explorer
Disable Sharing True Disable Sharing True Color Video.
Color Video
Disable Video Control Disable Video Control.
Disable Web Disable Web Directory.
Directory
Disable Showing First Disable Showing First Time URL.
Time URL
Force Using Auto Force Using Auto Configuration.
Configuration

User Restrictions \ Software \ Netmeeting \ User Parameters for

Netmeeting

Account name Account name, used to log onto gatekeeper

General comments field General comments field
Email Address Email Address
First Name First Name
Last Name Last Name
Location Location
Phone number Phone number, used to log onto gatekeeper.
User Name Displayed when connecting to other H.323 devices.

User Restrictions \ Software \ Media Player

Hide the Network tab in
Media Player
Disable Recent Files in
Media Player
Disable Processing of
HTML Scripts in Media
Files
This restriction hides the Network tab within the Tools > Options menu of
Media Player 8.0 and above.
This restriction will stop Windows Media Player from storing the names of
the played media in the recent file list.
This setting is an optional security configuration feature that you can use
to turn off the processing of HTML scripts that are contained in Windows
Media files.

Hide Anchor Window in This setting hides the anchor window which is normally shown when using
Media Player Windows Media Player in compact or skin mode. It also restricts users
from re-enabling the window.
Disable Codec Downloads This restriction prevents audio and video codecs from being downloaded
in Media Player in Windows Media Player. When enabled it also restricts the ability to
re-enable downloads.

24 of 29
Windows Security Officer

Remove the Radio Bar This tweak allows you to remove the Radio Bar from Windows Media
from Media Player Player.
Remove Media Favorites This tweak allows you to remove Media Favorites from Windows Media
from Media Player Player.
Remove Finding New This tweak allows you to remove Finding New Station from Windows
Station from Media Player Media Player.
Change the Title of This tweak allows you to customize the title bar text shown on Windows
Windows Media Player Media Player.
Disable DVD Features in This setting allows you to use Microsoft Media Player to Play and Open
Media Player DVDs.

User Restrictions \ Software \ Outlook Express

Change the Windows
Address Book Location
Change the Start Page for
Outlook Express
Use Smooth Scrolling in
Outlook Express
Disable the Outlook Express
Splash Screen
Disable Colorful Message
Backgrounds in Outlook
Express
Change the Outlook Express
Window Title
Change the Location of the
Outlook Express Mail and
News Files
This setting is used to specify the location of the Windows Address
Book (WAB). The Windows Address Book is used by Outlook
Express and Internet Mail and News to store contact details.
This setting can be used to change the page that Outlook Express
loads in the right-hand window when it first starts-up.
This setting controls whether smooth scrolling is used when viewing
messages in Microsoft Outlook Express.
Sick of seeing the Outlook Express splash screen every time you
open the program? This settings will allow you to remove it.
When enabled this setting allows the use of colorful message
backgrounds in Outlook Express 4.0 or below.
This setting allows you to customize Outlook Express by using your
own window title. For example you could rename Outlook Express to
'My Mail Reader' or anything else you like!
This setting allows you to change the location of the mail and news
files stored by Outlook Express to another directory or partition.

User Restrictions \ Software \ Windows Messenger

Disable Windows This setting can be used to disable the integration of Windows (MSN)
Messenger in Outlook Messenger so that is does not start when using Microsoft Outlook.
Disable MSN Instant This restriction is used to disable the ability to run the Microsoft MSN
Messenger Instant Messenger client.
Disable Collaboration Disable Collaboration Applications.
Applications
Disable FileTransfer Disable FileTransfer.
Disable PC-to-PC Voice Disable PC-to-PC Voice Feature.
Feature

25 of 29
Windows Security Officer

Disable PC-to-PC Phone Disable PC-to-PC Phone Feature.

Feature
Disable Video Disable Video.
Prevent Auto Update Prevent Auto Update.
Prevent Background Prevent Background Download.
Download
Prevent Consumer Prevent Consumer Version.
Version

User Restrictions \ Software \ Task Scheduler

Disable Manual Task This restriction disables the ability for users to manually start and stop
Control scheduled tasks. Tasks will continue to run automatically as configured
Disable Drag and Drop This restriction disables the ability to drag and drop programs into the
Task Scheduling Scheduled Tasks folder. This also disables the functionality of the Cut,
Copy and Paste shortcut items.
Disable Changes to Task This setting restricts changes to the run command and disables the
Run Command Browse button in the Task Scheduler properties.
Remove Advanced Option This setting removes the 'Open advanced properties for this task when I
from Task Scheduler click Finish' checkbox from the task creation wizard. This should be
Wizard enabled to simplify the process for novice users.

Disable Changes to Task This setting restricts users from changing the properties of an existing
Properties item in Task Scheduler.
Restrict Task Creation These settings allow you to restrict the creation and deletion of items in
and Deletion Task Scheduler.

User Restrictions \ Software \ Office Applications Restrictions

Hide the Desktop Folder in Places Bar is placed at the left side of Microsoft Office Open/Save
the Places Bar dialog to allow the user fast access to History, Desktop, My Documents
etc. This setting enables you to hide the system folder Desktop.
Hide the Favorites Folder in Places Bar is placed at the left side of Microsoft Office Open/Save
the Places Bar dialog to allow the user fast access to History, Desktop, My Documents
etc. This setting enables you to hide the system folder Favorites.
Hide the My Documents Places Bar is placed at the left side of Microsoft Office Open/Save
Folder in the Places Bar dialog to allow the user fast access to History, Desktop, My Documents
etc. This setting enables you to hide the system folder My Documents.
Hide the Publishing/Network Places Bar is placed at the left side of Microsoft Office Open/Save
Folder in the Places Bar dialog to allow the user fast access to History, Desktop, My Documents
etc. This setting enables you to hide the system folder
Publishing/Network.
Hide theRecent Folder in Places Bar is placed at the left side of Microsoft Office Open/Save
the Places Bar dialog to allow the user fast access to History, Desktop, My Documents
etc. This setting enables you to hide the system folder Recent.

26 of 29
Windows Security Officer

User Restrictions \ Drives restrictions

Hide Drives in My This setting allows you to control which drives are visible in My Computer and
Computer Explorer. It is possible to hide all drives or just selected ones.
Prevent Access to the This restriction prevents users from using My Computer or Explorer to access
Contents of Selected the content of selected drives. Also, they cannot use Run, Map Network
Drives Drive, or the Dir command to view the directories on these drives.

User Restrictions \ Windows Installer

Restrict Installations from This tweak stops users from attempting to install a program (with an .msi
Removable Media extension) from removable media, such as CD-ROMs, floppy disks, and
DVDs.
Disable Windows Installer This restriction stops Windows Installer from recording the original state of
Rollback the system and sequence of changes it makes during installations. This
restriction is designed to reduce the amount of temporary disk space
required to install programs.
Highlight Missing This tweak will change the Start Menu shortcuts to a gray color when their
Windows Installer Windows Installer programs are unavailable.
Programs on the Start
Menu

User Restrictions \ File System

Enable Full This tweak determines whether the system performs a full or quick
Synchronization Method synchronization of offline files when the user logs off, and prevents users,
of the Offline Files including administrators, from changing the setting.

Do Not Move Deleted When a file or folder is deleted in Windows Explorer, a copy of the file or
Files to the Recycle Bin folder is placed in the Recycle Bin. Using this setting, you can change this
behavior.
Change Copy and Move When you copy or move a file or folder to another volume, the object inherits
NTFS Permissions the permissions of its new folder. This setting allows you to force Windows
to preserve the current permissions instead.
Automatically Start This settings controls whether CD-R(W) and DVD-R(W) disks are
CD-R and DVD-R Disks automatically started when loaded into the computer.
Show File and Folder Some versions of Windows will attempt to adjust the capitalization of files
Names Using the and folders that are in all uppercase to make them more visually pleasing.
Correct Case For example, if you create a folder named 'C:\ALLINCAPS' Windows will
actually display it as 'C:\Allincaps'. This feature can be disabled using this
tweak.
Disable Using The Windows file system includes a feature to connect web documents and
Connected Web Files their associated files. If an HTML document is moved or copied all its
and Folders associated files, including images, JavaScript and style sheets, can also be
automatically relocated.
Comprehensive Search When the system cannot find the target file of a shortcut it searches all the
for Broken Shortcuts associated paths. If still not found it performs a comprehensive search of
the drive to locate the file. This setting can be used to disable the final

27 of 29
Windows Security Officer

search.
Disable Tracking of The NTFS File System in Windows automatically attempts to locate broken
Broken Shortcut Links shortcut destinations by searching all paths that are associated with it. This
setting can be used to disable that feature.
Disable Automatic When you create a shortcut to a resource on a mapped network drive, and
Network Shortcut then remap the same drive to a different network resource, Windows
Resolution attempts to connect to the original network resource when you access the
shortcut.
Disable Low Disk Space This setting controls whether you receive a 'Low Disk Space' warning when
Notification free disk space reaches less than 200 megabytes.

User Restrictions \ Restrict Applications Users Can Run

Use Restricted Specify applications that users are RESTRICTED from running. Note: If you are the
applications list person who applies Group Policy, do not apply this restriction to yourself. If applied
too broadly, this policy can prevent administrators from running Group Policy or the
registry editors. As a result, once applied, you cannot change this policy except by
reinstalling Windows.
Use Allowed Specify applications that users are ALLOWED to running only. Note: If you are the
applications list person who applies Group Policy, do not apply this restriction to yourself. If applied
too broadly, this policy can prevent administrators from running Group Policy or the
registry editors. As a result, once applied, you cannot change this policy except by
reinstalling Windows.

The number of tweaks: 468

User Time Control

Weekly Time Restrictions

Week Day Max Allowed Time Allowed Time Intervals

Monday 24:00 All day allowed
Tuesday 24:00 All day allowed
Wednesday 24:00 All day allowed
Thursday 24:00 All day allowed
Friday 24:00 All day allowed
Saturday 24:00 All day allowed
Sunday 24:00 All day allowed

Control Dates Period

The user may use PC all time

Extra usage time

28 of 29
Windows Security Officer

Date Since To Duration

Miscellaneous Security Restrictions

* Forbid users to change the system time

Disable the "Task Manager"
Forbid users to change the system time
Disable the "Add/Remove Programs" applet in the Control Panel
Disable the ability to manage users accounts (add/delete users, change users passwords, etc.)

Visit the web page for updates: http://www.mybestsoft.com

Copyright © 1998-2008 by 1st Security Software Center

29 of 29