Access Denied: Limiting User Access from the Desktop

We maintain a locked-down desktop environment with restricted access to the file system. We don't want users to be able to browse shares on their local drives. However, users can still open Microsoft Internet Explorer (IE) and type

\to browse shares on network machines andC:to view local files. Can we close these holes?

Yes. You must edit the NoRun value (of type DWORD) in the HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorer or HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer registry subkey. (Changes you make to values in the HKEY_CURRENT_USER key apply to a specific user account; changes you make to values in the HKEY_CURRENT_MACHINE key apply to anyone who logs on to the machine.) If you set NoRun to 1, the Start menu's Run command no longer appears and IE no longer lets users access local files, browse server shares, or use Universal Naming Convention (UNC) paths. If a user tries to violate these restrictions, IE responds with a message such as Access to the resource c:boot.ini has been disallowed. For information about these settings, see the Microsoft article "How to Limit User Access to Local Computer or Hard Disks with Internet Explorer 4.01."

If your workstations are running Windows XP Professional Edition or Windows 2000 Professional and are members of an Active Directory (AD) domain, you can use Group Policy to achieve your goals. Open a Group Policy Object (GPO), go to User ConfigurationAdministrative TemplatesStart Menu & Taskbar, and enable Remove Run menu from Start menu.

See also, my post "Access Denied: Limiting Access to Users at the Forest and Domain Levels," August 2002.