
Preparing to Use System Policies

System policies offer you a powerful mechanism for increasing control and manageability of computers across the network. With system policies, you can do the following:

For example, you can preset a user’s environment so that the MS-DOS prompt or unapproved applications are not available. You can choose from the set of system policies offered by Windows 98 or create custom system policies.

Important

You need to make some decisions about the default set of system policies before installing Windows 98. For more information, see Part 1, "Deployment and Installation," of the Microsoft Windows 98 Resource Kit.

The system policy entries you set through System Policy Editor are reflected in the policy file (Config.pol), which overwrites default User.dat and System.dat settings in the registry when the user logs on. Policy entries change registry settings in the following ways:

Figure 8.1 shows how these settings are interrelated.

Figure 8.1 How policy settings are interrelated

To use System Policy Editor, first install it from the Windows 98 compact disc. System Policy Editor consists of the following files: Poledit.exe, Poledit.inf, Windows.adm, and Common.adm. Other sample templates are provided but not required. Poledit.inf, Windows.adm, and Common.adm are placed in the Inf subdirectory of the Windows directory. Place Config.pol in a secure network location. Any custom templates you create use the ADM file name extension.

To install System Policy Editor

  1. In Control Panel, double-click Add/Remove Programs, click the Windows Setup tab, and then click Have Disk.
  2. In the Install From Disk dialog box, click Browse and specify the Netadmin\Poledit directory on the Microsoft Windows 98 Resource Kit compact disc.
  3. Click OK, and then click OK again in response to the dialog boxes.
  4. In the Have Disk dialog box, select the System Policy Editor check box, and then click Install.

If you want to enable group policies support, place Grouppol.dll in the System subdirectory of the Windows directory on each client computer. In addition, you must make some changes to the registry on each computer to use Grouppol.dll.

You can install group policies during Setup using a batch install script or at any time using the Add/Remove Programs option of Control Panel. Once group policies have been enabled, they are no longer displayed as an option in Add/Remove Programs.

To install group policies

  1. In Control Panel, double-click Add/Remove Programs, click the Windows Setup tab, and then click System Tools.
  2. Select the check box for Group Policies, click OK, and then click OK again.

Important

System policies are based on the content of the registry and cannot be edited with a text editor. To define and manage system policies, use System Policy Editor and other supporting tools.

You can, however, use a text editor to edit the template files used by System Policy Editor, as described in "Using System Policy Templates" later in this chapter. If you want to use system policies, perform the following preliminary steps:

How System Policies Work

When the user logs on, Windows 98 checks the user’s configuration information for the location of the policy file. Windows 98 then downloads the policies and copies the information into the registry by using the following process:

  1. If user profiles are enabled, Windows 98 checks for the Config.pol file and parses it for the user and group names it contains. If it finds user information for this user, Windows 98 applies the user-specific policy. If it does not find the user in the Config.pol file, Windows 98 applies the Default User policy.

    If support for group policies has been installed on the computer, Windows 98 checks whether the user is registered as a member of any groups. If so, group policies are downloaded starting with the lowest-priority group and ending with the highest-priority group. Group policies are processed for all groups the user belongs to. The group with the highest priority is processed last so that the settings in that group’s policy file supersede those in lower-priority groups. Group policies are not applied if policies have been defined for a specific user. Then, all settings are copied into the User.dat portion of the registry.

  2. Windows 98 checks for the Config.pol file that contains information for this computer. If one exists, Windows 98 applies the computer-specific policies to the user’s desktop environment. If a policy for that computer does not exist, Windows 98 applies the default computer policy. This data is then copied into the System.dat portion of the registry.

By default, Windows 98 automatically attempts to download computer and user policies from the Netlogon directory on a Windows NT server or the Public directory on a NetWare server. This default location can be overridden in a policy file setting. If no server is present, Windows 98 uses the settings currently on the computer unless a manual update path for a policy is specified in the system registry.
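The user-policy precedence in step 1 above, worked through as an added example (not code from the Resource Kit). Because Config.pol cannot be read as text, a plain dictionary stands in for it; the setting names, user names, and group names are constructed for illustration. The second function reports what a named-user entry silently drops, since group policies are skipped for that user.

```python
# Model of the user-policy precedence described in step 1. A dict stands in
# for the contents of Config.pol (assumption; the real file is not text).
DEFAULT_USER = "Default User"

def effective_user_policy(pol, user, group_priority, member_of, group_support=True):
    """Return (settings, sources) as they would be copied into User.dat.

    group_priority lists group names lowest priority first; member_of is the
    set of groups the user belongs to.
    """
    users = pol.get("users", {})
    if user in users:
        # A named-user entry is applied alone: group policies are not applied.
        return dict(users[user]), [f"user:{user}"]
    settings = dict(users.get(DEFAULT_USER, {}))
    sources = [f"user:{DEFAULT_USER}"]
    if group_support:
        # Lowest priority first, so the highest-priority group is processed
        # last and its values supersede those of lower-priority groups.
        for group in group_priority:
            if group in member_of and group in pol.get("groups", {}):
                settings.update(pol["groups"][group])
                sources.append(f"group:{group}")
    return settings, sources

def settings_lost_to_named_entry(pol, user, group_priority, member_of):
    """Settings Default User plus group policies would yield for this user,
    but which the user's named entry omits or sets differently."""
    if user not in pol.get("users", {}):
        return {}
    others = {k: v for k, v in pol["users"].items() if k != user}
    without_entry = {"users": others, "groups": pol.get("groups", {})}
    expected, _ = effective_user_policy(without_entry, user, group_priority, member_of)
    actual, _ = effective_user_policy(pol, user, group_priority, member_of)
    return {k: v for k, v in expected.items() if actual.get(k) != v}

# Constructed sample policy; setting names are illustrative, not real policy keys.
SAMPLE_POL = {
    "users": {DEFAULT_USER: {"wallpaper": "corp.bmp"},
              "alice": {"wallpaper": "alice.bmp"}},
    "groups": {"Staff": {"disable_registry_tools": False, "disable_msdos_prompt": True},
               "Students": {"disable_registry_tools": True}},
}
PRIORITY = ["Staff", "Students"]  # lowest priority first; "Students" is highest
```

Running settings_lost_to_named_entry for every named user in a policy file is a quick way to confirm that a per-user entry created for convenience has not removed restrictions the user's groups were meant to enforce.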

System Policies for Users

You can manage user settings in system policies only if user profiles are enabled on the target computer. System Policy Editor uses the properties for Default User to define the default policies in the following areas:

Control Panel. Set policies to prevent the user from accessing such Control Panel features as network, password, or system settings.

Desktop. Set policies to use standard wallpaper and color schemes.

Network. Set policies to restrict peer resource sharing or to specify networking components and settings.

Shell. Set policies to customize folders on the desktop and to restrict changes to the user interface.

System. Set policies to restrict the use of registry editing tools, applications, and MS-DOS-based applications.

You can apply these policies to the default user, to specific named users, or to groups of users. For more information about the settings for each of these categories, see "System Policy Settings Summary" later in this chapter.

System Policies for Computers

You can use System Policy Editor to define settings for a default computer or for specific named computers. The default computer settings are used when no explicit computer-specific policy has been configured.

Computer settings in system policies prevent users from modifying the hardware and environment settings for the operating system, ensuring that Windows 98 starts in a predictable way. You can set options to restrict access to computer-specific system and network features, as described in "System Policy Settings Summary" later in this chapter.

Internet Explorer Browsing Software System Policies

Windows 98 includes seven policy files, listed in Table 8.1, that contain settings for various components of the Internet Explorer browsing software. You can use these settings to control such things as the look of the Active Desktop and the Internet Explorer browsing software, and to specify the default security zone for Outlook Express HTML messages. For information about the Internet Explorer browsing software, see Chapter 20, "Internet Access and Tools" and Chapter 6, "Configuring the Active Desktop and Active Channels."

Table 8.1 Internet Explorer browsing software policy files

File Name | User Policy | Computer Policy
Chat.adm | Settings for Chat
Conf.adm | Settings and restrictions for NetMeeting | Settings for NetMeeting protocols
Inetres.adm | Restrictions for Internet Explorer browsing software | Settings for Internet Explorer browsing software security and code download
Inetset.adm | Settings for Internet Explorer browsing software | Settings for Internet Explorer browsing software
Oe.adm | Settings for Outlook Express
Shell.adm | Settings and restrictions for the Active Desktop

Note

You can also control Internet Explorer browsing software settings using the IEAK Profile Manager, which can be installed from the Microsoft Windows 98 Resource Kit compact disc. For information about the IEAK Profile Manager, see Chapter 6, "Configuring the Active Desktop and Active Channels" and Chapter 20, "Internet Access and Tools."