Registry Keys That Are Important for Policy

[This is preliminary documentation and subject to change.]

Developers should make sure that their applications check various registry keys if the applications expose any functionality controlled by settings of certain registry keys.

If a registry key is applicable to functionality that an application exposes, the application should take the following steps:

Check the registry at startup for the settings of the relevant key.
At startup, remove from the user interface access to functionality that the registry key indicates should be disabled.
Immediately before exposing the functionality, check the registry again, and fail gracefully if the functionality has been disabled since startup.

When spawning another process, an application does not have to check that the new process is permitted as long as it uses ShellExecute to spawn the application in question rather than CreateProcess. If ShellExecute is used, the shell checks that the executable being spawned is allowed.

The following keys are particularly important for implementation of system policies in enterprise environments:

HKEY_CURRENT_USER\
  Software\
    Microsoft\
      Windows\
        CurrentVersion\
          Policies\
            System\

`DisableRegistryTools`	Disable registry editing tools.
`DisableTaskMgr`	Disable Task Manager.
`NoDispAppearancePage`	Hide Control Panel Appearance tab.
`NoDispBackgroundPage`	Hide Control Panel Background tab.
`NoDispCPL`	Do not display Control Panel.
`NoDispScrSavPage`	Hide Control Panel Screen Saver tab.
`NoDispSettingsPage`	Hide Control Panel Settings tab.

HKEY_CURRENT_USER\
  Software\
    Microsoft\
      Windows\
        CurrentVersion\
          Policies\
            Explorer\

`EnforceShellExtensionSecurity`	Run only certain shell extensions.
`LinkResolveIgnoreLinkInfo`	Disable link file tracking.
`NoClose`	Disable the Shut Down option on the Start menu.
`NoCommonGroups`	Do not display common groups in Start menu, Programs.
`NoDesktop`	Hide all items on the desktop.
`NoDrives`	Remove the drive icons in My Computer.
`NoEntireNetwork`	Do not display the entire network in Network Neighborhood.
`NoFileMenu`	Remove the File menu from the Windows® Explorer toolbar.
`NoFind`	Remove the Find command from the Start menu.
`NoNetConnectDisconnect`	Remove the Map Network Drive and Disconnect Network Drive buttons and menu options.
`NoNetHood`	Remove the Network Neighborhood icon from the desktop.
`NoRun`	Remove the Run command from the Start menu.
`NoSaveSettings`	Do not save settings on exit.
`NoSetFolders`	Remove Control Panel and Printer folders from the Start, Settings menu.
`NoSetTaskbar`	Remove the Taskbar from the Start, Settings menu.
`NoStartMenuSubFolders`	Hide all Start menu subfolders.
`NoTrayContextMenu`	Disable context menus on the taskbar.
`NoViewContextMenu`	Disable the Explorer default context menu.
`NoWorkgroupContents`	Do not display workgroup contents in Network Neighborhood.
`RestrictRun \[Index Numbers]`	Run only those Windows applications listed in the numbered keys under RestrictRun.

HKEY_LOCAL_MACHINE\
  Software\
    Microsoft\
      Windows\
        CurrentVersion\
          Run\

[Application Name]

List of applications user may run when logging on interactively.