JSI Tip 0050 - Locking down that desktop.

Jerold Schulman

January 28, 1997


Desktop restrictions can be implemented by editing the following Explorer values in the registry: (all values default to 0)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

NoCommonGroups REG_DWORD
Set it to 1 so that common program groups do not appear on the Start menu.

NoDesktop REG_DWORD
Set it to 1 to hide all desktop icons.

NoDrives REG_DWORD
The low-order (rightmost) bit is drive A:, while the 26th bit is drive Z:.
To hide a drive, turn on its bit. These drives will still appear in File Manager. To remove File Manager, delete winfile.exe.
If you're not happy working in hex, add these decimal numbers to hide the drive(s):
A: 1, B: 2, C: 4, D: 8, E: 16, F: 32, G: 64, H: 128, I: 256, J: 512, K: 1024, L: 2048, M: 4096, N: 8192, O: 16384, P: 32768, Q: 65536, R: 131072, S: 262144, T: 524288, U: 1048576, V: 2097152, W: 4194304, X: 8388608, Y: 16777216, Z: 33554432, ALL: 67108863

NoFileMenu REG_DWORD
If set to 1, the File menu in Explorer is removed.

NoFind REG_DWORD
Set it to 1 to remove the Find command from the Start Menu.

NoNetConnectDisconnect REG_DWORD
A value of 1 removes the "Map Network Drive" and "Disconnect Network Drive" menu and right-click options.

NoNetHood REG_DWORD
Set it to 1 to remove the Network Neighborhood icon and prevent network access from Explorer (it will still work from a command prompt).

NoRun REG_DWORD
If set to 1, the Run command is removed from the Start menu.

NoSetFolders REG_DWORD
Set it to 1 to hide Control Panel and Printers and My Computer in Explorer and on the Start Menu.

NoSetTaskbar REG_DWORD
If set to 1, only Drag and Drop can be used to alter the Start Menu and Desktop. The Taskbar does not appear on the Start Menu.

NoTrayContextMenu REG_DWORD
If set to 1, menus do not display upon right-click of the taskbar, Start button, clock, or taskbar application icons. The entry is only available for NT 4.0 with SP 2 or greater.

NoViewContextMenu REG_DWORD
If set to 1, menus do not display upon right-click of the desktop or Explorer's results pane. The entry is only available for NT 4.0 with SP 2 or greater.

RestrictRun REG_DWORD
Set it to 1 and only programs that you define at:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
can be run on the Workstation. See tip 362.

NoClose REG_DWORD
Set it to 1 to remove the ShutDown button from the Start Menu. This does not disable shutdown from CTRL+ALT+DEL. To totally disable a user's ability to shut down, remove the "advanced" right to "Shutdown the System" from Policies/User Rights of User Manager for Domains.

To really lock down the desktop, replace the Explorer or Progman shell with your own launcher. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and edit the Shell Value Name, replacing the current .exe (normally Explorer.exe) with YourOwnLauncher.exe. See "Restricting system features ..." on a subsequent Tips page.

See Tip 070, Tip 215, Tip 797, Tip 958, and Tip 1241 for more.
See Tip 105 for how to set this for other users.
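
An added example (not part of the original tip): Python that builds and decodes the NoDrives bitmask described above and lists which Explorer policy values are switched on in a REGEDIT4-format export of the key. The function names and the sample export are constructed for illustration.

```python
import re

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
ALL_DRIVES = (1 << 26) - 1  # 67108863, the "ALL" value from the tip

def nodrives_mask(letters):
    """Build the NoDrives DWORD that hides the given drive letters."""
    mask = 0
    for raw in letters:
        letter = raw.strip().rstrip(":").upper()
        if len(letter) != 1 or not "A" <= letter <= "Z":
            raise ValueError(f"not a drive letter: {raw!r}")
        mask |= 1 << (ord(letter) - ord("A"))  # A: is bit 0, Z: is bit 25
    return mask

def hidden_drives(mask):
    """Decode a NoDrives DWORD back into the drive letters it hides."""
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("NoDrives must fit in a REG_DWORD")
    return [chr(ord("A") + bit) + ":" for bit in range(26) if mask >> bit & 1]

def read_policy(reg_text, key=POLICY_KEY):
    """Return {value name: int} for the DWORD values under one key of a .reg export."""
    values, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]  # a [key] header starts a new section
        elif current is not None and current.lower() == key.lower():
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
            if m:
                values[m.group(1)] = int(m.group(2), 16)
    return values

# Constructed sample export (not from the tip): hides C: and D:, removes Run.
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=dword:0000000c
"NoRun"=dword:00000001
"NoFind"=dword:00000000
'''

def audit(reg_text):
    """List the restrictions that are switched on, with NoDrives decoded."""
    report = {name: value for name, value in read_policy(reg_text).items() if value}
    if "NoDrives" in report:
        report["NoDrives"] = hidden_drives(report["NoDrives"])
    return report
```

Calling `audit(SAMPLE)` reports only the values that differ from the default of 0, which makes it easy to compare a user's exported key against the intended lockdown.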

