default, Windows 95/98/ME is not a secure environment. Users can log on
passwords, can mess with all sorts of system settings, and can have
to all the programs and data within reach.
includes a powerful tool to help limit user access—the System
Editor, Poledit for short. Poledit is
not installed as
of any Win95/98 setups, but is included on the Windows 95 and 98 CDs.
the Win95 CD, look in the D:\Admin\Apptools\Poledit
D: is the drive letter for your CD drive). On the Win98 CD, look in the
also posted both
versions on my website-- click to download: Poledit95
Poledit95 on Win98 systems). Double-click the exe files to uncompress
to the location of your choice- a folder or a floppy disk-- either will
fit handily on a floppy diskette. Windows NT, 2000, and XP are a whole other
getting started with Poledit or any other security tool, think
about what you want to accomplish. Security always involves
users from being able to do things also makes it more difficult for you
to do things. And it’s easy to lock up systems so tight that
accomplish tasks that they perhaps should be able to do.
It may be
to consider how likely it is that users will actually cause damage if
aren’t locked down, and compare that to the inconvenience
caused to you
and other legitimate users if these settings are locked
down—a sort of
cost-benefit analysis. There’s no single or simple answer to
provides the optimum tradeoff between convenience and
will be different answers for different settings.
made with Poledit are global—they affect everyone using the
that log-in—if you’ve set policy options while
logged into a Student
the machine restricts your actions just as much as it does a
Personally, I don’t set up multiple user profiles—I do restrict
a number of settings, which I’ll indicate down
below—and since I just
a single profile, everyone—students, teachers, and I, is
So I don’t turn off options that I need to access
that if I need to access one of the restricted settings (for example,
reset wallpaper), then I need to re-run Poledit first to allow me
afterwards, I need to remember to turn the restriction back
that the Win95 and 98 versions of Poledit are not
potentially includes many more templates which load functions, most of
which, however, are specific to Internet Explorer or other Microsoft
tools. As a result, the Win95 version is easier to
use—we’ll look at it
first. As well, as far as I can determine, the Win95 version works just
fine with Win98 systems as well—so you may just choose to use
can’t install Poledit into Windows using either the Windows
Control Panel’s Add-Remove Programs/Windows Setup option.
Microsoft, wisely in my opinion, doesn’t want typical users
to be able
to mess with it. You could copy the contents of the
to the hard drives of your various computers—but
don’t. If you copy it
to a shared network drive, don’t make its location obvious.
a copy on a floppy diskette, and run it from there—leaving no
your users to access.
that use of Poledit can cause problems—read this document
pay attention to what you’re doing. Experimentation can end
settings that can be very difficult to fix!
Some people manage to effectively lock themselves out of their own
computers-- and are forced to format the hard drive and reinstall from
scratch. Consider yourself warned!
by double-clicking the file Poledit.exe . The first
the Win95 version on each computer, it will start off by prompting you
to open a *.ADM file—and will show the ones included in its
only choice: Admin.adm.
from the File menu, choose Open Registry.
on the Local User icon (There are a bunch of options for Local
they mostly affect network logon to Netware or NT servers—and
are items that I think you will need to reset, so I’m going
ignore them in this discussion).
you open the Local User icon, you’ll get a window with a list
that can be controlled, with a [+] beside each area. Clicking on the
opens that area, showing further options.
each set, you will find a number of options that you can check
you’re done, click OK. As soon as you
save your changes, using
menu option, the changes go into effect.
Note: If you are using multiple user logons, such as
changes made to Local User only affect that single
you make these changes while logged into the Teacher account, for
you will need to do so again in order to affect the Student account.
look at the various user settings that can be controlled in this
you click on
beside Control Panel, a list of five items opens
up, with a [+]
beside each… If you click on the first [+], beside Display,
still get no visible options—until you click to add a
] Restrict Display Control Panel . Then you see the
to add a checkmark beside one or more options in the bottom section
Display Control Panel—turns
off the entire item, both in the main Control Panel window, and if
try to access it by right-clicking on the Desktop, and choosing Properties from
the popup menu. If users try to access this item, they will
users to access this Control Panel, but hides this page, making users
to set desktop
Note that web browsers include a Save as Wallpaper
by right-clicking on a Web graphic—with this option, users
for example, a Pokemon picture as wallpaper—and it will be
change back, without re-running Poledit. Despite this, I recommend that
you set this option, after setting your choice of wallpaper.
the Desktop Control Panel can be accessed, but the Screen Saver page
be hidden. I recommend setting screen saver options as desired, then
the screen saver page.
option disables users’ ability to change the colours used on
and other Windows elements. Again, I recommend setting them to your
then hiding the Appearance page.
- Hide Settings
disables users’ ability to change screen resolution and
on-screen. I tend to leave this unchecked—some programs only
run in 256
colours, while if you’re working with photographs, you
probably want to
be able to view more colours than this. Similarly, I have one nice
astronomy program that works best in 800x600 resolution, while most of
the time, I prefer to leave systems in 640x480 resolution so I need to
leave these options available—but if these are not issues for
this as well. In fact, if you’re turning all of these pages
off, do all
at once by Disabling the Display Control Panel.
these options only become visible when you open up the item, and click
to add a checkmark to [x] Restrict Network Control Panel.
do so, you get three options—the first, to remove access to
Control Panel item, and the other two, to limit access to its Identification,
and Access Control pages. I recommend setting these
then clicking on the top item, to remove access to that entire
are no reasons for users to have access to it.
this item allows you to completely restrict access to the Passwords
panel, or to allow access to it, while removing access to its Change
Passwords, Remote Administration, and User Profiles
again, I recommend setting these items as you require, then clicking on
the first option, to eliminate access to the entire item,
item does not let you remove access to the entire Printers control
item… the first option turns off access to the General
pages—which would keep you from printing test pages, or
to a different port (for example, over your network). I find this
useful enough to me that I do not restrict
access—it’s important to me
to help troubleshoot printing problems.
following two items restrict the ability to add and remove printers. I
restrict users’ ability to delete printers, but leave the
alone—making it easy for me to add a new printer if needed.
click to restrict all items on this list, although some might argue
access to the Device Manager page is vital in
problems. Otherwise, there are no reasons for users to have access to
of these techie-oriented items.
There is no Poledit setting to completely remove access to the Control
Panel. Even with the maximum protection here, users still have access
a variety of other settings. None of the remaining settings should be
to completely disable a computer!
item shows you the set wallpaper and color scheme (if any). It can be
to reset the wallpaper after a student has used a web browser to change
the wallpaper—by using the Browse button to locate your
but the change is only applied after restarting.
items are different from the Control Panel—Network
you to remove access to the File and Printer sharing controls.
are contained in the Network control panel, so I don’t know
listed separately!) Again, set these items as needed (remember,
only turn on file or print sharing on computers that are actually
access to resources to other computers across the network—do
on for computers that are merely using shared resources from other
and then click these two items so users cannot fuss with these controls.
don’t use any of these restrictions—which allow you
to change the
locations for installed programs (from C:\Program Files), and other
settings. You may want to set these to other locations, perhaps on a
network drive, for example—but I don’t!
items give you the power to turn off a number of standard interface
and are worth examining in more detail:
this item from the Start Menu—I leave it, as I find it useful
for me to
use for quick, command-line-like access to programs and
prefer to remove it.
folders from ‘Settings’
on Start Menu— removes the ability to set how My
display folders. Check it!
Taskbar from ‘Settings’…
--removes the ability to edit Taskbar and Start Menu items. I
recommend not checking
it—Most computers have very messy
Start Menus, and it’s important to learn how to tidy this up,
it clean on an ongoing basis.
- Hide Drives
in ‘My Computer’—hides
all the local and shared network drives. This makes it impossible for
to double-click on saved documents, although they can still find them
the File/Open command in applications. I recommend
though you may want to use the free TweakUI Control
add-in to limit access to the hard drive.
- Hide Network
you don’t have a network, you may want to choose this, to
of clutter on the Desktop.
- No ‘Entire
Network’ in Network
Neighborhood—if you have a classroom or lab network,
and also have
workgroups in the school such as Office,
should apply this item… with it checked, there is no way
that users can
easily move from their defined workgroup to access shared
in a different workgroup—keep the kids out of the office
files. If you
have a classroom network, apply this restriction right
kid erases all the student records in the office!
- No workgroup
contents in Network
Neighborhood— this would limit users to mapped
network drives and
network printers. I like having access to shared resources that
already mapped, but if you have such resources and have problems with
kids, you may want to restrict access in this way.
- Hide all
items on Desktop—I
suppose some people would like to hide My Computer, Network
the Recycle Bin, and any other icons on the desktop, leaving just the
Menu and Taskbar…
- Disable Shut
can’t imagine using this… Windows systems need
to be shut down
restarted from time to time (I’d recommend at least weekly)
- Don’t Save
Settings at Exit—I
like this one… get the Desktop the way you want it, then
That way, if users move icons around, when the system restarts,
back the way you wanted them. I don’t think this will help if
or delete icons on the desktop, however.
collection of low-level restrictions.
Registry editing tools—disallows
use of tools such as Regedit to make basic changes
some people have had trouble after using this—being then
unable to run Poledit again to
make changes to settings… in effect,
locking themselves out
of their own system. While Regedit is powerful and potentially
I’d be very careful before turning on this
restriction… in fact,
the dangers of not restricting it, I can’t recommend that you
- Only run
allowed Windows applications—if
you really want to control what users have access to, this is for you!
You add (one at a time) the applications that are allowable, and all others
won’t run… it’s not clear, however, how
you add an application—none are
listed, by default, and there’s no browse button. Besides, if
doesn’t show up in the Start Menu, and you’ve
turned off access to the
Run command, and perhaps to some of the drives (using TweakUI), is
anyone really going to access
MS-DOS prompt—do you
have kids that get around your restrictions by going to a DOS prompt to
explore the system or delete files? If so, you can restrict access to
DOS prompt. If not, don’t bother!
single-mode MS-DOS applications—some
older DOS programs, particularly some older games, will only run if
restart the system in so-called MS-DOS mode. This item keeps that from
Setting up a
bunch of machines
the process is to set all the items you want to restrict, click OK, and
save changes. Obviously, repeating the process for a bunch of computers
can be incredibly tedious.
set up a single computer the way you want, save the
them to the Registry. Then use the File Menu, and choose Open
looking for a *.POL Policy file. (In Win95, you’ll find a
on the CD in a different
Once again, make the changes you want, then choose Save As (you
to the CD drive!), saving to the floppy disk where you have your copy
Poledit, for example.
you can go to each computer, open Poledit, and using the File/Open File
menu item, open your saved policy file. This will apply it to the new
Saving your butt!
preparing this handout, I managed to do what I’d warned
the file Maximum.pol instead of Standard.pol
to save settings where Disable Registry Editing Tools
along with a number of other settings I didn’t
want… but I couldn’t
Poledit to turn those settings off! Here’s what I did (thanks
useful, though geeky, book: ‘The Windows 98
Registry: A Survival
for Users” by John Woram).
and save a text file as: C:\Recover.reg, that consists of the following
to a DOS prompt (press F8 as soon as you see the ‘Starting
message, and choose Command Prompt from the boot menu), and at the C:
will load the contents of this file into the System Registry, turning
the two lines that restrict access to the Registry editing tools. From
there, restart Windows, run Poledit, and remove any other unwanted
a real life-saver—thank you John Woram!
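An added example, not part of the original article or of John Woram's book: a Python script that reads a Regedit text export and reports which of the restrictions discussed above are switched on, flagging the registry-tools restriction behind the lock-out described here. The value names are assumed to be the ones the Win95 Admin.adm template writes, and the sample export is constructed.

```python
import re

# Policy value names under ...\CurrentVersion\Policies\<subkey>. ASSUMPTION:
# these are the names the Win95 Admin.adm template writes; verify locally.
POLICY_BASE = r"software\microsoft\windows\currentversion\policies"
KNOWN = {
    ("explorer", "norun"): "Remove 'Run' command",
    ("explorer", "nodrives"): "Hide Drives in 'My Computer'",
    ("explorer", "noentirenetwork"): "No 'Entire Network' in Network Neighborhood",
    ("explorer", "nodesktop"): "Hide all items on Desktop",
    ("explorer", "nosavesettings"): "Don't Save Settings at Exit",
    ("explorer", "restrictrun"): "Only run allowed Windows applications",
    ("system", "disableregistrytools"): "Disable Registry editing tools",
    ("winoldapp", "disabled"): "Disable MS-DOS prompt",
    ("network", "disablepwdcaching"): "Disable Password Caching",
}
SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(
    r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{1,8})|hex:((?:[0-9a-fA-F]{2},?)*))$')


def active_restrictions(reg_text):
    """Return sorted (registry root, option) pairs for known values that are non-zero."""
    found, root, subkey = [], None, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            path = m.group(1).lower()
            idx = path.find(POLICY_BASE + "\\")
            # Keys outside the Policies branch are ignored.
            subkey = path[idx + len(POLICY_BASE) + 1:] if idx >= 0 else None
            root = path[:idx].rstrip("\\").upper() if idx >= 0 else None
            continue
        m = VALUE.match(line)
        if not (m and subkey):
            continue
        name, dword, hexbytes = m.groups()
        if dword is not None:
            number = int(dword, 16)
        else:  # REG_BINARY export: comma-separated bytes, little-endian
            number = int.from_bytes(bytes.fromhex(hexbytes.replace(",", "")), "little")
        label = KNOWN.get((subkey, name.lower()))
        if label and number:
            found.append((root, label))
    return sorted(found)


def lockout_risk(reg_text):
    """True if registry editing tools are disabled, the state the article warns about."""
    return any(opt == "Disable Registry editing tools"
               for _, opt in active_restrictions(reg_text))


# Constructed sample export (REGEDIT4 text format), not taken from a real machine.
SAMPLE = r'''REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000000
"NoSaveSettings"=dword:00000001
"NoEntireNetwork"=hex:01,00,00,00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"DisablePwdCaching"=dword:00000001
'''

if __name__ == "__main__":
    for root, option in active_restrictions(SAMPLE):
        print(f"{root}: {option}")
    print("Lock-out risk:", lockout_risk(SAMPLE))
```

Running it against an export taken before saving a policy shows whether the registry-tools restriction is about to be applied along with the settings you actually wanted.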
Something from the
the beginning of this article, I suggested that the contents of the
icon was mostly aimed at network users... and that most of us didn't
to ever go there. Well, I finally found something I needed there! It
however, network-oriented-- so if you have a stand-alone computer, you
don't need to read any further in this section.
you have a network, even a peer-to-peer home, school, or small office
when you try to access a shared, but password-protected network
(typically a drive, folder, file, or printer), you're faced with a
screen... all that's fine except that the default is to save the
If you don't manually turn off that option, you won't be asked for the
password again when you access that resource. While this may seem
it completely defeats the purpose of password-protecting the resource,
as anyone sitting down at your computer now has free rein of the shared
resource, whether they know the password or not!
change this, run Poledit 95 (opening Admin.adm), click on the
menu (as described above)-- but instead of opening the User
double-click on the Local Computer icon. Open the Network
section, then Passwords, and check the option to Disable
Caching. After saving your changes, when you access
network resources, the log-in dialogue box will no longer have an
to remember the password. (Thanks to Vancouver teacher Luigi
for this tip!)
version of Poledit is somewhat more awkward to access—when
it displays a long list of *.ADM template files. Each includes a
set of options. I’d recommend opening the Windows.adm
That gives a lot of similarities to the Win95 version—with
to copy the Windows.adm
and Common.adm files into your C:\Windows\INF folder (note that this
may be hidden-- you'll need to turn on the option in Explorer/My
to Show All
it). After you do this, they will be loaded into Poledit98
Registry, and double-click on the Local User,
in the Win95 version above… you’ll see:
that the Network sharing items have been moved—opening up the
98 System items results in pretty much the same items as we
the Win95 version, though in a somewhat different order. At this point,
all can be done as described for the Win95 version.
also a bunch
of additional options in the other *.ADM files—and you can
one of these templates in operation at the same time. To open
templates, first close the current template, using the File/Close menu
item. Then, go to the Options/Policy Templates menu
see the last template you used:
on the Add… button, to see the list of
templates, and choose
You can go back to the Add… dialogue box
as many times as
When you have the list of templates you want to use, click OK,
return to the File/Open Registry menu item. After
adding the Shellm.adm
template to the Windows.adm template, for example,
how the Desktop, Start Menu, Shell, and
new—a result of the Shellm.adm template.
Some of these will be
use to Windows 98 users. I’m just going to highlight some of
items allow setting some restrictions to Active Desktop—the
make the Windows Desktop act like a web page, with HTML text and
appearing on the desktop and within Explorer and My Computer
Desktop gives the option of single-clicking rather than double-clicking
to run icons. (Personally, I don’t like Active Desktop, as
it’s a big
on system performance, and a distraction, but I’m a Windows
With these items, you can turn it off, or leave it on, but restrict
A nice feature of the Active Desktop Items setting
of desktop icons—too bad there’s no similar setting
in the Win95
or classic desktop options.
this item enables choices from a long list of controls—some
also available from TweakUI, or from Poledit95. For example, you can
off the Favorites, Find, Document, or Run items in
Menu. Or disable drag and drop editing of the Start Menu (which you
don’t want users to do!) Disabling changes to the Taskbar and
Settings may be useful for end users, but will also make it harder for
you to keep your Start Menus tidy.
items include ‘enable classic shell’, for the
(can you turn this on and Active Desktop at the same time? I
and the ability to restrict the File menu and right-click Context menus
in ‘Shell folders’ –in other words,
Explorer, and My Computer windows,
and the Desktop. You can use it to hide floppy drives in My
you might prefer using TweakUI for this.
only option here is to disable running in MSDOS mode.
opened all the included templates, one at a time, to see what each
The functions of most of the templates will seem pretty obscure for
users. (If you try this, remember that you need to close a session (File/Close)
prior to adding/removing templates). Here’s what
Apps.ini for Network installs
bunch of options for Microsoft Chat
apparent options (!)
Protocols; user: NetMeeting Settings
IE Security Zone settings; user: lots of IE-related
Language, modem, default Net program settings; user: IE
font, and general browser settings
Active Desktop/Shell/Start Menu/System settings
and system settings; user: network
control of IE5 and related files is important, I’d recommend
users load the Windows.adm and Shellm.adm
is a free program that
can be used for many of the settings accessed in Poledit: Windows
Control Panel, Network, Password, Display settings, etc. Settings can
saved to a file, for rapid network-wide deployment.
(Feel free to send me
other Poledit-related links that you think others might find useful)
party heard from...
Terry King of Vermont's Waits River Valley School wrote that he had
out how to set up a WIN95/98 network without any NT machines, but still
have a single shared version of system policies on a WIN95/98 server."
With his permission, I've posted his tips here.
about Windows 2000 or XP?
doesn't work with these versions of Windows. However, there's something
equivalent-- at least for Win2000 and XP Pro-- but not
for XP Home. From the Start Menu's RUN command, type: gpedit.msc
and the Group Policy program will start up. It
and works differently from Win9x's Poledit, but offers much the same
Give it a try!
must be logged on as a user with administrative privileges).
NT 4.0 Workstation users can look in the 'Administrative Tools Common',
click on 'System Policy Editor', choose 'Open Registry' and then 'Local
User Policy'. Thanks
Scaglione for this tip.
published a good overview on WinXP's GPEDIT in their September 7 2004
Home does not include
GPEDIT; XP Home users can apparently run this
program if they
access to files from an XP Pro (or possibly Win 2000?) installation, by
doing the following:
can now edit
the Group Policy
on the local machine. But XP Home doesn't support the same feature set
as XP Pro, so the policies you are looking for might be missing.
files gpedit.dll and
fde.dll from \WINDOWS\System32 on the XP Pro machine to
on the XP Home machine.
command prompt issue the
following commands on the XP Home machine: regsvr32
- Open the
Console (mmc.exe) and select File->Add/Remove Snap-in...
Then click Add. Select the Group Policy snap-in
from the list of installed
this, and can't vouch for its usability.
A new tweak/Policy Editing tool:
Freebie Tweak and Tune
combines the best of Microsoft's TweakUI (for controlling user
interface settings) and Poledit (for security settings); works with Win
XP (and may work with earlier Windows versions as well). Recommended.
Windows XP users wanting to create a 'locked-down' shared
computer for public use (schools, libraries, Internet cafes, etc) may
want to take a look at Microsoft's Shared
Computer Toolkit for Windows XP: http://www.microsoft.com/windowsxp/sharedaccess/default.mspx
Article on Group Policies and Windows Vista:
Managing Windows Vista networking through Group Policy (March 13 2007,
Vista expert Jonathan Hassell explains how you can now use familiar
to manage everything from LAN settings to network security modes,
wireless capabilities and quality of service.
updated 13 March 2007