Re: how to remove taskbar ?

steves,

Thanks for sharing your experience. I re-read Sean Liming's "Different
Shells for Different Users" and this actually is easy to implement and it
appears that I don't have to mess around with Group Policy which will be
nice. I just started up c:\windows\system32\cmd.exe as an example and the
system seems to behave as I would want. I don't think I need the Global
Keyboard lockdown hooks. The problems at first glance it that there is no
easy way to return the kiosk user to an Explorer shell, although I guess I
could start a batch file that asks this quesion. I am wondering if there is
a way to start more than one application if you want. I tried to put an
extra application in group policy for startup but it did not start. Does
group policy apply to this limited shell ?

Thanks, Eric

"steves" wrote:

ecoulson,

I haven't done the multiple user shells in a while, but your scenarios
seem reasonable.

Basically the point of making users have a different shell is that ONLY
your shell application runs, replacing internet explorer. This
completely gets rid of the taskbar, and basically disables desktop
interactions. This provides the most secure environment possible.
(Also look into disabling the Task Manager).

We ended up not using this idea because some IDE components used in our
system apparently require explorer to be running. (File browser windows
maybe?). I didn't have time to fully explore or understand this. Be
sure to test your application fully when logged in as a limited user.
You can easily get surprised if you never login as the limited user.

ecoulson wrote:
Hi Sean,

Are you referring to your article on changing 3 keys in the registry. I
browsed that article and I am not sure if I understand it. I didn't have
some of the keys it mentioned such as "shell". Am I supposed to create them
if they are not there ?

As far as creating the 'shell' key if it doesn't exist, yes that is
what you have to do.

Or are you suggesting creating the custom shell as
part of the XPE image, but them I don't under stand how to implement it per
user - or per non-admin user ?

It is important to understand the differences between HKCU
(HKEY_CURRENT_USER) and HKLM (HKEY_LOCAL_MACHINE) branches of the
registry. The former settings applies only to the current user, and
the latter applies to all users. Implementing the per-user shells
requires a change to HKLM to enable it, and then a change for Every
user to configure that.
If users are going to be created dynamically by the customers, then you
also need a mechanism that will invoke those changes automatically on
newly created users, perhaps a login script, or changes to the
HKEY_USERS\.DEFAULT branch of the registry.

How does the local GroupPolicy and software restrictions relate to a non
explorer based shell ? Do I need them ? I think the tricky part is I need
one behavior for admins and one for users. This complicates things.

That's a good question! I would guess that any policies that are
implemented under keys such as
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer will
not apply, since explorer is not running.

However, I do remember that we had successfully implemented a separate
shell, including the disabled task manager (below) it is not under an
Explorer branch of the registry.

The following .reg file will disable task manager:

**** BEGIN REG FILE *****
;Disable_Task_Mgr.Reg
;
;Requirements: Needs ADMIN logon.
;
; Prevents 'Ctrl-Alt-Delete' from bringing up task manager,
; thereby completely locking down the sytem. The combination of
; setting the I3system user shell to a custom app and disabling
TaskMan
; prevents a user from starting explorer, or any other tasks.
;
; After this key is set the only way to get out of the I3SYstem user
; is to logoff, and then logon as administrator. Use the 'Enable_
; TaskMgr.reg' file to remove this restriction.
;
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
**** END REG FILE *****


Let's say requirements are:

Administrators:
Full Explorer Shell

all other users:
start 2 .Net executables at startup
Allow all programs in c:\programs files\companya to run
Allow all programs in c:\windows\system32 to run

By default, all users are allowed to run programs. Some important ways
that users are restricted are
1) they can't write into system folders, or program files folders
2) they can't install programs
3) They can't access other user's data under that exists under a
different
Docs and Settings\username branch


allow programmer to click desktop icon for webex like tool

since explorer is not running, you can't click on a desktop icon. You
can put a button into your application that will launch any app...

I am envisioning that I create a xpe image with installer components,
then install and configure base application installation,
then clone this standard image,
then put it on system and configure in the factory for specific site,
then at specific site do a bit more configuration.
Is this a reasonable senario ?

Yes

I am thinking Winows XPE is a good candidate
for the operating system because I can put only the compoents I need, and XPE
will be supported for a longer period of time than normal operating systems.
I am interfacing with embedded VxWorks system via TCP/IP and the applicaiton
is .Net.
I have an admin user that can do anything and a user that can run one or two
applicatons.

So any help would be appreciated.

Thanks, Eric




"Sean Liming (eMVP)" wrote:

Do you want the non-Admin users to have a different shell? i.e. different
shells for different users.

You could replace the non-Admins to have a different shell instead of
Explorer, and then set your custom Group Policy to exclude non-Admin from
accessing Explorer.exe

Just a thought.

Regards,

Sean Liming
www.sjjmicro.com / www.seanliming.com
XP Embedded Book Author - XP Embedded Advanced, XP Embedded Supplemental
Toolkit.


"ecoulson" <ecoulson@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:73269637-D204-40E6-98B0-611E283B23B2@xxxxxxxxxxxxxxxx
Hi all,

I have an Exploer based shell that I am limiting with group policies - at
least for those who are non-Administrators (limiting by deny read for
Administrators on GroupPolicy dir). I need to remove the Taskbar for
non-Administrators. I start up my applications at startup and can limit
the
capabilities of normal user with group policies and global keyboard hooks,
but I still see the taskbar. I can manully set it to hide and not be
front
window, but I was wondering if there is any other way to not see it on a
per
user group basis (or at least on a non-Administrator basis).

Thanks, Eric




.