By default, Windows 95/98/ME is not a secure environment. Users can log on without passwords, can mess with all sorts of system settings, and can have access to all the programs and data within reach.
Microsoft includes a powerful tool to help limit user access—the System Policy Editor, Poledit for short. Poledit is not installed as part of any Win95/98 setup, but is included on the Windows 95 and 98 CDs. On the Win95 CD, look in the D:\Admin\Apptools\Poledit folder (where D: is the drive letter for your CD drive). On the Win98 CD, look in the D:\Tools\Reskit\Netadmin\Poledit folder. I have also posted both versions on my website-- click to download: Poledit95 and Poledit98. (You can use Poledit95 on Win98 systems.) Double-click the exe files to uncompress them to the location of your choice- a folder or a floppy disk-- either will fit handily on a floppy diskette. Windows NT, 2000, and XP are a whole other story.
Before getting started with Poledit or any other security tool, think carefully about what you want to accomplish. Security always involves tradeoffs—keeping users from being able to do things also makes it more difficult for you to do things. And it’s easy to lock up systems so tight that users can’t accomplish tasks that they perhaps should be able to do. It may be useful to consider how likely it is that users will actually cause damage if settings aren’t locked down, and compare that to the inconvenience caused to you and other legitimate users if these settings are locked down—a sort of cost-benefit analysis. There’s no single or simple answer to how much security provides the optimum tradeoff between convenience and protection—there will be different answers for different settings.
Changes made with Poledit are global—they affect everyone using the machine with that log-in—if you’ve set policy options while logged into a Student profile, the machine restricts your actions just as much as it does a ‘real’ student. Personally, I don’t set up multiple user profiles—I do restrict a number of settings, which I’ll indicate down below—and since I just have a single profile, everyone—students, teachers, and I—is equally restricted. So I don’t turn off options that I need to access regularly—and I understand that if I need to access one of the restricted settings (for example, to reset wallpaper), then I need to re-run Poledit first to allow me access—and afterwards, I need to remember to turn the restriction back on.
Note that the Win95 and 98 versions of Poledit are not identical—the 98 version potentially includes many more templates which load functions, most of which, however, are specific to Internet Explorer or other Microsoft Internet tools. As a result, the Win95 version is easier to use—we’ll look at it first. As well, as far as I can determine, the Win95 version works just fine with Win98 systems as well—so you may just choose to use that version.
You can’t install Poledit into Windows using either the Windows setup or the Control Panel’s Add-Remove Programs/Windows Setup option. That’s because Microsoft, wisely in my opinion, doesn’t want typical users to be able to mess with it. You could copy the contents of the Poledit folder to the hard drives of your various computers—but don’t. If you copy it to a shared network drive, don’t make its location obvious. Better still—keep a copy on a floppy diskette, and run it from there—leaving no copy for your users to access.
Note that use of Poledit can cause problems—read this document carefully, and pay attention to what you’re doing. Experimentation can end up with unwanted settings that can be very difficult to fix! Some people manage to effectively lock themselves out of their own computers-- and are forced to format the hard drive and reinstall from scratch. Consider yourself warned!
Run Poledit by double-clicking the file Poledit.exe. The first time you run the Win95 version on each computer, it will start off by prompting you to open a *.ADM file—and will show the ones included in its folder. Pick the only choice: Admin.adm. Then, from the File menu, choose Open Registry. You’ll see two icons: Local User and Local Computer.
Double-click on the Local User icon (There are a bunch of options for Local Computer—but they mostly affect network logon to Netware or NT servers—and few of them are items that I think you will need to reset, so I’m going to (mostly) ignore them in this discussion).
When you open the Local User icon, you’ll get a window with a list of areas that can be controlled, with a [+] beside each area. Clicking on the [+] opens that area, showing further options.
Within each set, you will find a number of options that you can check off… when you’re done, click OK. As soon as you save your changes, using the File/Save menu option, the changes go into effect.
Important Note: If you are using multiple user logons, such as Teacher/Student/etc., changes made to Local User only affect that single user/logon… if you make these changes while logged into the Teacher account, for example, you will need to do so again in order to affect the Student account.
Let’s look at the various user settings that can be controlled in this way:
Control Panel-- Display
When you click on the [+] beside Control Panel, a list of five items opens up, with a [+] beside each… If you click on the first [+], beside Display, you still get no visible options—until you click to add a checkmark to [ ] Restrict Display Control Panel. Then the following options appear; clicking to add a checkmark beside one or more of them in the bottom section does the following:
- Disable Display Control Panel—turns off the entire item, both in the main Control Panel window, and if users try to access it by right-clicking on the Desktop and choosing Properties from the popup menu. If users try to access this item, they will see an error message instead.
- Hide Background Page—enables users to access this Control Panel, but hides this page, making users unable to set desktop Wallpaper and Pattern. Note that web browsers include a Save as Wallpaper item accessible by right-clicking on a Web graphic—with this option, users can still set, for example, a Pokemon picture as wallpaper—and it will be impossible to change back without re-running Poledit. Despite this, I recommend that you set this option, after setting your choice of wallpaper.
- Hide Screen Saver Page—similarly, the Desktop Control Panel can be accessed, but the Screen Saver page will be hidden. I recommend setting screen saver options as desired, then hiding the screen saver page.
- Hide Appearance Page—this option disables users’ ability to change the colours used on title bars, and other Windows elements. Again, I recommend setting them to your choice, then hiding the Appearance page.
- Hide Settings Page—this option disables users’ ability to change screen resolution and number of colours on-screen. I tend to leave this unchecked—some programs only run in 256 colours, while if you’re working with photographs, you probably want to be able to view more colours than this. Similarly, I have one nice freeware astronomy program that works best in 800x600 resolution, while most of the time, I prefer to leave systems in 640x480 resolution, so I need to leave these options available—but if these are not issues for you, disable this as well. In fact, if you’re turning all of these pages off, do all at once by Disabling the Display Control Panel.
Control Panel-- Network
Again, these options only become visible when you open up the item, and click to add a checkmark to [x] Restrict Network Control Panel. If you do so, you get three options—the first, to remove access to the entire Control Panel item, and the other two, to limit access to its Identification and Access Control pages. I recommend setting these items as desired, then clicking on the top item, to remove access to that entire item—there are no reasons for users to have access to it.
Control Panel—Passwords
Similarly, this item allows you to completely restrict access to the Passwords control panel, or to allow access to it, while removing access to its Change Passwords, Remote Administration, and User Profiles pages. Once again, I recommend setting these items as you require, then clicking on the first option, to eliminate access to the entire item.
Control Panel—Printers
This item does not let you remove access to the entire Printers control panel item… the first option turns off access to the General and Details pages—which would keep you from printing test pages, or setting a printer to a different port (for example, over your network). I find this access useful enough to me that I do not restrict access—it’s important to me to help troubleshoot printing problems.
The following two items restrict the ability to add and remove printers. I restrict users’ ability to delete printers, but leave the addition item alone—making it easy for me to add a new printer if needed.
Control Panel—System
I click to restrict all items on this list, although some might argue that access to the Device Manager page is vital in trouble-shooting hardware problems. Otherwise, there are no reasons for users to have access to any of these techie-oriented items.
Note: There is no Poledit setting to completely remove access to the Control Panel. Even with the maximum protection here, users still have access to a variety of other settings. None of the remaining settings should be able to completely disable a computer!
Desktop
This item shows you the set wallpaper and color scheme (if any). It can be used to reset the wallpaper after a student has used a web browser to change the wallpaper—by using the Browse button to locate your preferred wallpaper… but the change is only applied after restarting.
Network—Sharing
These items are different from the Control Panel—Network items, and allow you to remove access to the File and Printer sharing controls. (These are contained in the Network control panel, so I don’t know why they are listed separately!) Again, set these items as needed (remember, only turn on file or print sharing on computers that are actually giving access to resources to other computers across the network—do not turn them on for computers that are merely using shared resources from other machines) and then click these two items so users cannot fuss with these controls.
Shell—Custom Folders
I don’t use any of these restrictions—which allow you to change the default locations for installed programs (from C:\Program Files), and other standard settings. You may want to set these to other locations, perhaps on a shared network drive, for example—but I don’t!
Shell—Restrictions
These items give you the power to turn off a number of standard interface features, and are worth examining in more detail:
- Remove Run Command—removes this item from the Start Menu—I leave it, as I find it useful for me to use for quick, command-line-like access to programs and commands… you may prefer to remove it.
- Remove folders from ‘Settings’ on Start Menu—removes the ability to set how My Computer and Explorer display folders. Check it!
- Remove Taskbar from ‘Settings’…—removes the ability to edit Taskbar and Start Menu items. I strongly recommend not checking it—most computers have very messy Start Menus, and it’s important to learn how to tidy this up, and keep it clean on an ongoing basis.
- Hide Drives in ‘My Computer’—hides all the local and shared network drives. This makes it impossible for users to double-click on saved documents, although they can still find them using the File/Open command in applications. I recommend leaving it unchecked, though you may want to use the free TweakUI Control Panel add-in to limit access to the hard drive.
- Hide Network Neighborhood—if you don’t have a network, you may want to choose this, to remove one piece of clutter on the Desktop.
- No ‘Entire Network’ in Network Neighborhood—if you have a classroom or lab network, and also have other workgroups in the school such as Office, you really should apply this item… with it checked, there is no way that users can easily move from their defined workgroup to access shared resources in a different workgroup—keep the kids out of the office files. If you have a classroom network, apply this restriction right away—before some kid erases all the student records in the office!
- No workgroup contents in Network Neighborhood—this would limit users to mapped network drives and pre-set network printers. I like having access to shared resources that aren’t already mapped, but if you have such resources and have problems with curious kids, you may want to restrict access in this way.
- Hide all items on Desktop—I suppose some people would like to hide My Computer, Network Neighborhood, the Recycle Bin, and any other icons on the desktop, leaving just the Start Menu and Taskbar…
- Disable Shut Down command—I can’t imagine using this… Windows systems need to be shut down and restarted from time to time (I’d recommend at least weekly) to restore resources.
- Don’t Save Settings at Exit—I like this one… get the Desktop the way you want it, then apply this restriction. That way, if users move icons around, when the system restarts, they’re back the way you wanted them. I don’t think this will help if users rename or delete icons on the desktop, however.
System—Restrictions
A collection of low-level restrictions.
- Disable Registry editing tools—disallows use of tools such as Regedit to make basic changes to the system… some people have had trouble after using this—being then unable to run Poledit again to make changes to settings… in effect, locking themselves out of their own system. While Regedit is powerful and potentially dangerous, I’d be very careful before turning on this restriction… in fact, despite the dangers of not restricting it, I can’t recommend that you check this item.
- Only run allowed Windows applications—if you really want to control what users have access to, this is for you! You add (one at a time) the applications that are allowable, and all others won’t run… it’s not clear, however, how you add an application—none are listed, by default, and there’s no browse button. Besides, if an application doesn’t show up in the Start Menu, and you’ve turned off access to the Run command, and perhaps to some of the drives (using TweakUI), is anyone really going to access other applications?
- Disable MS-DOS prompt—do you have kids that get around your restrictions by going to a DOS prompt to explore the system or delete files? If so, you can restrict access to the DOS prompt. If not, don’t bother!
- Disable single-mode MS-DOS applications—some older DOS programs, particularly some older games, will only run if they restart the system in so-called MS-DOS mode. This item keeps that from happening.
Setting up a bunch of machines
So, the process is to set all the items you want to restrict, click OK, and save changes. Obviously, repeating the process for a bunch of computers can be incredibly tedious.
Instead, set up a single computer the way you want, save the changes—which applies them to the Registry. Then use the File Menu, and choose Open File—you’re looking for a *.POL Policy file. (In Win95, you’ll find a couple of these on the CD in a different folder—D:\Admin\Reskit\Sample\Policies—open Standard.pol). Once again, make the changes you want, then choose Save As (you can’t save to the CD drive!), saving to the floppy disk where you have your copy of Poledit, for example.
Now you can go to each computer, open Poledit, and using the File/Open File menu item, open your saved policy file. This will apply it to the new computer.
Saving your butt!
In preparing this handout, I managed to do what I’d warned about—by opening the file Maximum.pol instead of Standard.pol, I’d managed to save settings where Disable Registry Editing Tools had been applied, along with a number of other settings I didn’t want… but I couldn’t load Poledit to turn those settings off! Here’s what I did (thanks to the very useful, though geeky, book ‘The Windows 98 Registry: A Survival Guide for Users’ by John Woram).
Create and save a text file as C:\Recover.reg, that consists of the following text:
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
Boot to a DOS prompt (press F8 as soon as you see the ‘Starting Windows 95’ message, and choose Command Prompt from the boot menu), and at the C: prompt, type:
Regedit Recover.reg
This will load the contents of this file into the System Registry, turning off the two lines that restrict access to the Registry editing tools. From there, restart Windows, run Poledit, and remove any other unwanted settings… a real life-saver—thank you John Woram!
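As an added example (my own code, not from the article or from Poledit): a small Python script that reads a REGEDIT4-format export of the Policies keys, reports which restrictions are switched on, flags the lock-out condition described above, and writes a Recover.reg in the same shape as the one above. The value names other than RestrictRun and DisableRegistryTools, and the sample export, are assumptions constructed for the example.

```python
import re
# Poledit stores each restriction as a DWORD under HKEY_CURRENT_USER\...\
# Policies\<subkey>. RestrictRun and DisableRegistryTools are the two in the
# article's Recover.reg; the other value names are standard Windows 9x ones
# for restrictions discussed above (an assumption here, not from the page).
POLICY_ROOT = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\"
KNOWN_POLICIES = {
    ("Explorer", "RestrictRun"): "Only run allowed Windows applications",
    ("Explorer", "NoRun"): "Remove Run command",
    ("Explorer", "NoDrives"): "Hide Drives in 'My Computer'",
    ("Explorer", "NoClose"): "Disable Shut Down command",
    ("System", "DisableRegistryTools"): "Disable Registry editing tools",
    ("System", "NoDispCPL"): "Disable Display Control Panel",
}
# The two that Recover.reg resets: with them on, Poledit and Regedit may no
# longer run from inside Windows, which is the lock-out the article describes.
LOCKOUT_RISK = {("Explorer", "RestrictRun"), ("System", "DisableRegistryTools")}
DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')

def parse_reg(text):
    """Parse REGEDIT4 text into {(key path, value name): int}; only dword values
    are kept. ValueError on a bad header or a value before any [key] section."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    values, key = {}, None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]               # new [HKEY_...] section
            continue
        m = DWORD_LINE.match(line)
        if m is None:
            continue                       # string or other value type: skip
        if key is None:
            raise ValueError("value before any [key] section: " + line)
        values[(key, m.group(1))] = int(m.group(2), 16)
    return values

def audit_policies(values):
    """Return (enabled, lockout): enabled maps each known restriction set to
    non-zero to its Poledit caption; lockout is True if a LOCKOUT_RISK value is on."""
    enabled, root = {}, POLICY_ROOT.lower()   # root compares case-insensitively
    for (key, name), dword in values.items():
        if not key.lower().startswith(root) or dword == 0:
            continue
        caption = KNOWN_POLICIES.get((key[len(root):], name))
        if caption:
            enabled[name] = caption
    return enabled, any(name in enabled for _, name in LOCKOUT_RISK)

def make_recovery_reg(values):
    """Build a REGEDIT4 file in the shape of the article's Recover.reg: one
    dword:00000000 line for each LOCKOUT_RISK restriction that is currently on."""
    enabled, _ = audit_policies(values)
    out = ["REGEDIT4", ""]
    for subkey, name in sorted(LOCKOUT_RISK):
        if name in enabled:
            out += ["[" + POLICY_ROOT + subkey + "]", '"' + name + '"=dword:00000000', ""]
    return "\n".join(out)

# Constructed sample export (not from the page): a profile that was saved with
# Maximum.pol-style restrictions by mistake.
SAMPLE_EXPORT = """REGEDIT4

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoRun"=dword:00000001
"RestrictRun"=dword:00000001

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"DisableRegistryTools"=dword:00000001
"""

if __name__ == "__main__":
    found, locked_out = audit_policies(parse_reg(SAMPLE_EXPORT))
    print(sorted(found), "lock-out risk:", locked_out)
    print(make_recovery_reg(parse_reg(SAMPLE_EXPORT)))
```

Feed it a Regedit export of the Policies key (File/Export in Regedit) instead of SAMPLE_EXPORT to audit a real machine; the generated text is applied exactly like the Recover.reg above.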
Something from the Computer icon
Near the beginning of this article, I suggested that the contents of the Computer icon were mostly aimed at network users... and that most of us didn't need to ever go there. Well, I finally found something I needed there! It was, however, network-oriented-- so if you have a stand-alone computer, you don't need to read any further in this section.
If you have a network, even a peer-to-peer home, school, or small office network, when you try to access a shared, but password-protected network resource (typically a drive, folder, file, or printer), you're faced with a log-on screen... all that's fine except that the default is to save the password. If you don't manually turn off that option, you won't be asked for the password again when you access that resource. While this may seem convenient, it completely defeats the purpose of password-protecting the resource, as anyone sitting down at your computer now has free rein of the shared resource, whether they know the password or not!
To change this, run Poledit 95 (opening Admin.adm), click on the File/Open Registry menu (as described above)-- but instead of opening the Local User icon, double-click on the Local Computer icon. Open the Network section, then Passwords, and check the option to Disable Password Caching. After saving your changes, when you access password-protected network resources, the log-in dialogue box will no longer have an option to remember the password. (Thanks to Vancouver teacher Luigi Tallarico for this tip!)
Poledit for Windows 98
This version of Poledit is somewhat more awkward to access—when first started, it displays a long list of *.ADM template files. Each includes a different set of options. I’d recommend opening the Windows.adm template file. That gives a lot of similarities to the Win95 version—with some additional options.
You may want to copy the Windows.adm and Common.adm files into your C:\Windows\INF folder (note that this folder may be hidden-- you'll need to turn on the option in Explorer/My Computer to Show All Files to access it). After you do this, they will be loaded into Poledit98 automatically.
Again, choose File/Open Registry, and double-click on the Local User icon, as described in the Win95 version above.
Notice that the Network sharing items have been moved—opening up the lower Windows 98 System items results in pretty much the same items as we saw in the Win95 version, though in a somewhat different order. At this point, all can be done as described for the Win95 version.
There are also a bunch of additional options in the other *.ADM files—and you can have more than one of these templates in operation at the same time. To open additional templates, first close the current template, using the File/Close menu item. Then, go to the Options/Policy Templates menu item. You should see the last template you used listed there.
Click on the Add… button to see the list of templates, and choose another. You can go back to the Add… dialogue box as many times as desired. When you have the list of templates you want to use, click OK, and return to the File/Open Registry menu item. After adding the Shellm.adm template to the Windows.adm template, for example, I saw that the Desktop, Start Menu, Shell, and System items were new—a result of the Shellm.adm template. Some of these will be of use to Windows 98 users. I’m just going to highlight some of the uses:
Desktop
These items allow setting some restrictions to Active Desktop—the ability to make the Windows Desktop act like a web page, with HTML text and graphics appearing on the desktop and within Explorer and My Computer views.
Active Desktop gives the option of single-clicking rather than double-clicking to run icons. (Personally, I don’t like Active Desktop, as it’s a big drain on system performance, and a distraction, but I’m a Windows conservative). With these items, you can turn it off, or leave it on, but restrict changes. A nice feature of the Active Desktop Items setting disables deletion of desktop icons—too bad there’s no similar setting in the Win95 Poledit or classic desktop options.
Start Menu
Clicking this item enables choices from a long list of controls—some of which are also available from TweakUI, or from Poledit95. For example, you can turn off the Favorites, Find, Document, or Run items in the Start Menu. Or disable drag and drop editing of the Start Menu (which you probably don’t want users to do!) Disabling changes to the Taskbar and Start Menu Settings may be useful for end users, but will also make it harder for you to keep your Start Menus tidy.
Shell
These items include ‘enable classic shell’, for the pre-Active Desktop interface (can you turn this on and Active Desktop at the same time? I don’t know!), and the ability to restrict the File menu and right-click Context menus in ‘Shell folders’ – in other words, Explorer and My Computer windows, and the Desktop. You can use it to hide floppy drives in My Computer—though you might prefer using TweakUI for this.
System
The only option here is to disable running in MSDOS mode.
Other *.Adm Templates
I’ve opened all the included templates, one at a time, to see what each includes. The functions of most of the templates will seem pretty obscure for most users. (If you try this, remember that you need to close a session (File/Close) prior to adding/removing templates). Here’s what I’ve found:
Appsini.adm—computer: Use Apps.ini for Network installs
Chat.adm—user: A bunch of options for Microsoft Chat
Common.adm—no apparent options (!)
Conf.adm—computer: NetMeeting Protocols; user: NetMeeting Settings
Inetresm.adm—computer: IE Security Zone settings; user: lots of IE-related settings
Inetsetm.adm—computer: Language, modem, default Net program settings; user: IE colour, font, and general browser settings
OEM.adm—user: Mail/News settings
Shellm.adm—user: Active Desktop/Shell/Start Menu/System settings
Subsm.adm—user: IE subscription settings
Windows.adm—computer: Network and system settings; user: network sharing/Shell/Control Panel/Desktop/Restrictions settings.
Unless control of IE5 and related files is important, I’d recommend that most users load the Windows.adm and Shellm.adm templates.
A freebie: Deskset (http://www.winsite.com/bin/Info?16500000036770) is a free program that can be used for many of the settings accessed in Poledit: Windows Update, Control Panel, Network, Password, Display settings, etc. Settings can be saved to a file, for rapid network-wide deployment.
More reading...
(Feel free to send me other Poledit-related links that you think others might find useful)
Another party heard from...
Teacher Terry King of Vermont's Waits River Valley School wrote that he had "figured out how to set up a WIN95/98 network without any NT machines, but still have a single shared version of system policies on a WIN95/98 server." With his permission, I've posted his tips here.
What about Windows 2000 or XP?
Poledit doesn't work with these versions of Windows. However, there's something equivalent-- at least for Win2000 and XP Pro-- but not for XP Home. From the Start Menu's RUN command, type: gpedit.msc and the Group Policy program will start up. It looks different, and works differently from Win9x's Poledit, but offers much the same abilities. Give it a try! (You must be logged on as a user with administrative privileges).
Windows NT 4.0 Workstation users can look in the 'Administrative Tools Common', click on 'System Policy Editor', choose 'Open Registry' and then 'Local User Policy'. Thanks to Charles Scaglione for this tip.
PC Magazine published a good overview on WinXP's GPEDIT in their September 7 2004 issue: http://www.pcmag.com/article2/0,1759,1633790,00.asp
Windows XP Home does not include GPEDIT; XP Home users can apparently run this program if they have access to files from an XP Pro (or possibly Win 2000?) installation, by doing the following:
- Copy the files gpedit.dll and fde.dll from \WINDOWS\System32 on the XP Pro machine to \WINDOWS\System32 on the XP Home machine.
- From a command prompt, issue the following commands on the XP Home machine:
regsvr32 C:\WINDOWS\System32\gpedit.dll
regsvr32 C:\WINDOWS\System32\fde.dll
- Open the Microsoft Management Console (mmc.exe) and select File->Add/Remove Snap-in... Then click Add. Select the Group Policy snap-in from the list of installed snap-ins.
You can now edit the Group Policy on the local machine. But XP Home doesn't support the same feature set as XP Pro, so the policies you are looking for might be missing. Note: I haven't tested this, and can't vouch for its usability.
-- AZ
A new tweak/Policy Editing tool: Freebie Tweak and Tune (http://www.acelogix.com/freeware.html) combines the best of Microsoft's TweakUI (for controlling user interface settings) and Poledit (for security settings); works with Win XP (and may work with earlier Windows versions as well). Recommended.
Windows XP users wanting to create a 'locked-down' shared computer for public use (schools, libraries, Internet cafes, etc) may want to take a look at Microsoft's Shared Computer Toolkit for Windows XP: http://www.microsoft.com/windowsxp/sharedaccess/default.mspx
Article on Group Policies and Windows Vista: Managing Windows Vista networking through Group Policy (March 13 2007, 12:00AM). Vista expert Jonathan Hassell explains how you can now use familiar tools to manage everything from LAN settings to network security modes, wireless capabilities and quality of service. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9012980
-- last updated 13 March 2007