When you double-click the Default Computer icon in System Policy Editor, a list of system policy options for settings that apply to the computer appears. This section describes these options.
Within this category of options, you can restrict the user’s ability to share files and printers. Typically, you might want to set these policies to apply when file and printer sharing services are installed but when you do not want users to change which resources are shared on their computers. Table 8.6 describes the system policies you can apply to file and printer sharing.
Table 8.6 User policies restricting access to file and printer sharing
| Option | Description | |
|---|---|---|
| Sharing | ||
| Disable file sharing controls | Removes the Sharing properties from directories in Windows Explorer. | |
| Disable print sharing controls | Removes the Sharing properties from the Printer directory. | |
Table 8.7 describes the system policies you can apply to folders and user interface options.
Table 8.7 User policies restricting access to shell settings
| Option | Description |
|---|---|
| Custom Folders | |
| Custom Programs Folder | Customizes the contents of the Programs directory. You must also type a path for the directory containing complete files or LNK files that define the Programs directory items. |
| Custom Desktop Icons | Customizes desktop icons. You must also type a path for the directory containing complete files or LNK files that define the desktop shortcuts. |
| Hide Start Menu subfolders | Check this when you use a custom Programs folder. Otherwise, two Programs entries will appear on the user’s Start menu. |
| Custom Startup Folder | Customizes the contents of the Startup directory. You must also type a path for the directory containing complete files or LNK files that define the Startup directory items. |
| Custom Network Neighborhood | Customizes the contents of Network Neighborhood. You must also type a path for the directory containing complete files or LNK files that define the Network Neighborhood items. |
| Custom Start Menu | Customizes what is listed on the Start menu. You must also type a path for the directory containing complete files or LNK files that define the Start menu items. |
| Restrictions | |
| Remove ‘Run’ command | Prevents access to the Run command on the Start menu. |
| Remove Folders from ‘Settings’ on Start Menu | Prevents access to any item listed under Settings on the Start menu. |
| Remove Taskbar from ‘Settings’ on Start Menu | Prevents access to the Taskbar item listed under Settings on the Start menu. |
| Remove ‘Find’ command | Prevents access to any item listed under Find on the Start menu. |
| Hide Drives in ‘My Computer’ | Prevents display of drives in My Computer. |
| Hide Network Neighborhood | Prevents access to Network Neighborhood. |
| No ‘Entire Network’ in Network Neighborhood | Prevents access to the Entire Network icon in Network Neighborhood. |
| No workgroup contents in Network Neighborhood | Prevents workgroup contents from being displayed in Network Neighborhood. |
| Hide all items on Desktop | Prevents access to all items on the desktop. |
| Disable Shut Down command | Prevents access to the Shut Down command on the Start menu; displays explanation in a dialog box. |
| Don’t save settings at exit | Prevents settings from being written to the file system. |
The system policies in this category restrict the use of registry editing tools, applications, and MS-DOS- based applications. Table 8.8 describes the policies you can set within this category.
Table 8.8 User policies restricting access to system settings
| Option | Description | |
|---|---|---|
| Restrictions | ||
| Disable registry editing tools | Prevents users from running registry editing tools. | |
| Only run allowed Windows applications | Prevents users from running any Windows-based applications except those that are listed. Click Show to define the allowed applications. | |
| Disable MS-DOS prompt | Prevents access to the MS-DOS prompt. | |
| Disable single-mode MS-DOS applications | Prevents users from running MS-DOS- based applications in MS-DOS mode. | |
This category of options includes system policy settings for the following:
These system policies are applied to the computer and are stored in System.dat. Table 8.9 describes the system policies you can set in this category.
Table 8.9 Computer policies restricting access to network settings
| Option | Description | |
|---|---|---|
| Access Control | ||
| User-level access control | Enables user-level security on the local computer using pass-through logon validation by a Windows NT or a NetWare server. You must specify the server or domain, and the type of authenticator for validation. | |
| Logon | ||
| Logon Banner | Allows you to specify text for a caption and other text to be displayed in a logon banner. | |
| Require validation from network for Windows access | Each logging on must be validated by a server before access to Windows is allowed. This policy has no effect on a portable computer after it is undocked. | |
| Don’t show last user at logon | The user name field will be blank in the network logon screen. | |
| Don’t show logon progress | Disables the display of the logon progress dialog. | |
| Password | ||
| Hide share passwords with asterisks | Replaces characters with asterisks when users type passwords to access a shared resource. Applies to share-level security only; this setting is on by default. | |
| Disable password caching | Prevents saving passwords. (Notice that the user cannot successfully use the Quick Logon feature for Microsoft networks if password caching is disabled.) | |
| Require alphanumeric Windows password | Requires that the Windows password contain a combination of letters and numbers. | |
| Minimum Windows password length | Requires that the Windows logon password has at least the specified number of characters. | |
| Proxy Server | ||
| Disable automatic location of proxy server | Prevents Windows 98 from checking with the Dynamic Host Configuration Protocol (DHCP) server for the presence of a proxy server. | |
| Microsoft Client for NetWare Networks | ||
| Preferred server | Allows you to specify the name of the NetWare network server this computer should log on to first. | |
| Support long file names | Allows support for long file names. The values are 0 (no support for long file names on NetWare servers), 1 (support on NetWare servers version 3.12 and later), and 2 (support if the NetWare server supports long file names). | |
| Disable automatic NetWare login | Specifies that Windows 98 should not first silently use the user’s name and password to attempt to connect to a NetWare server, which is the default behavior. | |
| Microsoft Client for Windows Networks | ||
| Log on to Windows NT | Specifies that this computer can participate in a Windows NT domain. Type the name of the domain. If this option is checked, the next two options are also available. | |
| Display domain logon confirmation | Displays a message when the domain controller has validated user logon. | |
| Disable caching of domain password | Specifies that no caching is used for the network password. | |
| Workgroup | Specifies that this computer can participate in a workgroup. Type the name of the workgroup. | |
| Alternate Workgroup | Specifies that an alternate workgroup must be defined to see Microsoft peer servers in other workgroups if your workgroup does not have any computers running File and Printer Sharing for Microsoft Networks (that is, they all run File and Printer Sharing for NetWare), but the computer runs a Microsoft network client. The workgroup specified should include at least one computer running File and Printer Sharing for Microsoft Networks. | |
| File and Printer Sharing for NetWare Networks | ||
| Disable SAP Advertising | Disables the Service Advertising Protocol (SAP). This computer will not advertise its presence, and NETX or VLM clients cannot see it or connect to it | |
| File and Printer Sharing for Microsoft Networks | ||
| Disable file sharing | Prevents file sharing over a network. | |
| Disable print sharing | Prevents printer sharing over a network. | |
| Dial-Up Networking | ||
| Disable dial-in | Prevents dial-in connections to the computer. | |
| Update | ||
| Remote Update | Defines how system policies will be updated. If this option is selected, the next four options are also available. | |
| Update Mode | Determines whether system policies are downloaded automatically (the default) or manually. | |
| Path for manual update | Specifies the UNC path and file name for manual downloading of system policies. | |
| Display error messages | When a user logs on, if the system policy file is not available, displays an error message. | |
| Load-balance | For Windows NT networks, allows Windows 98 to look for policy files on the logon domain. | |
This category of options includes system policy settings for the network path for setup and user profiles. Table 8.10 describes the system policies you can set within this category.
Table 8.10 Computer policies restricting access to system settings
| Option | Description |
|---|---|
| Enable User Profiles | Enables basic user profiles functionality. |
| Network path for Windows Setup | Defines the network or local location of the Windows 98 Setup program and files. You must also type a UNC or local path for the setup directory. |
| Network path for Windows Tour | Defines the network location of the Windows 98 Tour program. You must also type a UNC path ending with Discover.exe. |
| Communities | Specifies one or more groups of hosts to which this computer belongs for purposes of SNMP administration. These are the communities that are allowed to query the SNMP agent. |
| Permitted managers | Specifies Internet protocol (IP) or Internetwork Packet Exchange (IPX) addresses allowed to obtain information from an SNMP agent. If this policy is not checked, any SNMP console can query the agent. |
| Traps For ‘Public’ community | Specifies trap destinations, or IP or IPX addresses of hosts in the public community to which you want the SNMP service to send traps. For more information about sending traps to other communities, see Chapter 23, "System and Remote Administration Tools." |
| Internet MIB (RFC 1156) | Allows you to specify the contact name and location if you are using Internet MIB. |
| Run | Defines applications and utilities to run when the user logs on. Click Show to specify items to run. |
| Run Once | Defines applications and utilities to run once when the user logs on. Click Show to specify items to run. (See comment below.) |
| Run Services | Defines services to run at system startup. Click Show to specify items to run. |
| Digital Signature Check | Allows you to specify how to handle installation of non-Microsoft signed drivers. |
| Disable Windows Update | Removes the Windows Update shortcut from the Start menu and prevents access to the Windows Update Web site |
| Override Local Web Page | Allows you to specify a path to a local Web page that is displayed when a user clicks on a Windows Update shortcut before connecting to the Internet with the Internet Connection Wizard. |
| Override Windows Update Site URL | Allows you to specify the URL of a site your users will access in place of the Windows Update Web site. |
You can set the Run Once system policy to set values in the Run Once registry key, allowing any executable file to be run just once after a user logs on to the computer. After the related program is started, its name is removed automatically from the registry so it does not run again. However, if you leave this option selected in the policy file, every time the user logs on, that executable name will be placed in the Run Once registry key to be run again. To ensure that the executable runs only once, select the policy only long enough to be downloaded once into the user’s registry. Then the policy must be cleared or changed so the same Run Once entry does not run the next time the user logs on.