how to remove taskbar ?

[Guest]

Hi all,

I have an Exploer based shell that I am limiting with group policies - at
least for those who are non-Administrators (limiting by deny read for
Administrators on GroupPolicy dir). I need to remove the Taskbar for
non-Administrators. I start up my applications at startup and can limit the
capabilities of normal user with group policies and global keyboard hooks,
but I still see the taskbar. I can manully set it to hide and not be front
window, but I was wondering if there is any other way to not see it on a per
user group basis (or at least on a non-Administrator basis).

Thanks, Eric

Thanks, Eric

Thanks, Eric

 

[Sean Liming \(eMVP\)]

Do you want the non-Admin users to have a different shell? i.e. different
shells for different users.

You could replace the non-Admins to have a different shell instead of
Explorer, and then set your custom Group Policy to exclude non-Admin from
accessing Explorer.exe

Just a thought.

Regards,

Sean Liming
www.sjjmicro.com / www.seanliming.com
XP Embedded Book Author - XP Embedded Advanced, XP Embedded Supplemental
Toolkit.

 

[Guest]

Hi Sean,

Are you referring to your article on changing 3 keys in the registry. I
browsed that article and I am not sure if I understand it. I didn't have
some of the keys it mentioned such as "shell". Am I supposed to create them
if they are not there ? Or are you suggesting creating the custom shell as
part of the XPE image, but them I don't under stand how to implement it per
user - or per non-admin user ?

How does the local GroupPolicy and software restrictions relate to a non
explorer based shell ? Do I need them ? I think the tricky part is I need
one behavior for admins and one for users. This complicates things.

Let's say requirements are:

Administrators:
Full Explorer Shell

all other users:
start 2 .Net executables at startup
Allow all programs in c:\programs files\companya to run
Allow all programs in c:\windows\system32 to run
allow programmer to click desktop icon for webex like tool

I am envisioning that I create a xpe image with installer components,
then install and configure base application installation,
then clone this standard image,
then put it on system and configure in the factory for specific site,
then at specific site do a bit more configuration.

Is this a reasonable senario ? I am thinking Winows XPE is a good candidate
for the operating system because I can put only the compoents I need, and XPE
will be supported for a longer period of time than normal operating systems.
I am interfacing with embedded VxWorks system via TCP/IP and the applicaiton
is .Net.
I have an admin user that can do anything and a user that can run one or two
applicatons.

So any help would be appreciated.

Thanks, Eric

 

[steves]

ecoulson,

I haven't done the multiple user shells in a while, but your scenarios
seem reasonable.

Basically the point of making users have a different shell is that ONLY
your shell application runs, replacing internet explorer. This
completely gets rid of the taskbar, and basically disables desktop
interactions. This provides the most secure environment possible.
(Also look into disabling the Task Manager).

We ended up not using this idea because some IDE components used in our
system apparently require explorer to be running. (File browser windows
maybe?). I didn't have time to fully explore or understand this. Be
sure to test your application fully when logged in as a limited user.
You can easily get surprised if you never login as the limited user.

Hi Sean,

Are you referring to your article on changing 3 keys in the registry. I
browsed that article and I am not sure if I understand it. I didn't have
some of the keys it mentioned such as "shell". Am I supposed to create them
if they are not there ?

As far as creating the 'shell' key if it doesn't exist, yes that is
what you have to do.

Or are you suggesting creating the custom shell as

part of the XPE image, but them I don't under stand how to implement it per
user - or per non-admin user ?

It is important to understand the differences between HKCU
(HKEY_CURRENT_USER) and HKLM (HKEY_LOCAL_MACHINE) branches of the
registry. The former settings applies only to the current user, and
the latter applies to all users. Implementing the per-user shells
requires a change to HKLM to enable it, and then a change for Every
user to configure that.
If users are going to be created dynamically by the customers, then you
also need a mechanism that will invoke those changes automatically on
newly created users, perhaps a login script, or changes to the
HKEY_USERS\.DEFAULT branch of the registry.

How does the local GroupPolicy and software restrictions relate to a non
explorer based shell ? Do I need them ? I think the tricky part is I need
one behavior for admins and one for users. This complicates things.

That's a good question! I would guess that any policies that are
implemented under keys such as
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer will
not apply, since explorer is not running.

However, I do remember that we had successfully implemented a separate
shell, including the disabled task manager (below) it is not under an
Explorer branch of the registry.

The following .reg file will disable task manager:

**** BEGIN REG FILE *****
;Disable_Task_Mgr.Reg
;
;Requirements: Needs ADMIN logon.
;
; Prevents 'Ctrl-Alt-Delete' from bringing up task manager,
; thereby completely locking down the sytem. The combination of
; setting the I3system user shell to a custom app and disabling
TaskMan
; prevents a user from starting explorer, or any other tasks.
;
; After this key is set the only way to get out of the I3SYstem user
; is to logoff, and then logon as administrator. Use the 'Enable_
; TaskMgr.reg' file to remove this restriction.
;
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
**** END REG FILE *****

Let's say requirements are:

Administrators:
Full Explorer Shell

all other users:
start 2 .Net executables at startup
Allow all programs in c:\programs files\companya to run
Allow all programs in c:\windows\system32 to run

By default, all users are allowed to run programs. Some important ways
that users are restricted are
1) they can't write into system folders, or program files folders
2) they can't install programs
3) They can't access other user's data under that exists under a
different
Docs and Settings\username branch

allow programmer to click desktop icon for webex like tool

since explorer is not running, you can't click on a desktop icon. You
can put a button into your application that will launch any app...

I am envisioning that I create a xpe image with installer components,
then install and configure base application installation,
then clone this standard image,
then put it on system and configure in the factory for specific site,
then at specific site do a bit more configuration.
Is this a reasonable senario ?

Yes

I am thinking Winows XPE is a good candidate

 

[Guest]

steves,

Thanks for sharing your experience. I re-read Sean Liming's "Different
Shells for Different Users" and this actually is easy to implement and it
appears that I don't have to mess around with Group Policy which will be
nice. I just started up c:\windows\system32\cmd.exe as an example and the
system seems to behave as I would want. I don't think I need the Global
Keyboard lockdown hooks. The problems at first glance it that there is no
easy way to return the kiosk user to an Explorer shell, although I guess I
could start a batch file that asks this quesion. I am wondering if there is
a way to start more than one application if you want. I tried to put an
extra application in group policy for startup but it did not start. Does
group policy apply to this limited shell ?

Thanks, Eric

ecoulson,

I haven't done the multiple user shells in a while, but your scenarios
seem reasonable.

Basically the point of making users have a different shell is that ONLY
your shell application runs, replacing internet explorer. This
completely gets rid of the taskbar, and basically disables desktop
interactions. This provides the most secure environment possible.
(Also look into disabling the Task Manager).

We ended up not using this idea because some IDE components used in our
system apparently require explorer to be running. (File browser windows
maybe?). I didn't have time to fully explore or understand this. Be
sure to test your application fully when logged in as a limited user.
You can easily get surprised if you never login as the limited user.

Hi Sean,

Are you referring to your article on changing 3 keys in the registry. I
browsed that article and I am not sure if I understand it. I didn't have
some of the keys it mentioned such as "shell". Am I supposed to create them
if they are not there ?

As far as creating the 'shell' key if it doesn't exist, yes that is
what you have to do.

Or are you suggesting creating the custom shell as

part of the XPE image, but them I don't under stand how to implement it per
user - or per non-admin user ?

It is important to understand the differences between HKCU
(HKEY_CURRENT_USER) and HKLM (HKEY_LOCAL_MACHINE) branches of the
registry. The former settings applies only to the current user, and
the latter applies to all users. Implementing the per-user shells
requires a change to HKLM to enable it, and then a change for Every
user to configure that.
If users are going to be created dynamically by the customers, then you
also need a mechanism that will invoke those changes automatically on
newly created users, perhaps a login script, or changes to the
HKEY_USERS\.DEFAULT branch of the registry.

How does the local GroupPolicy and software restrictions relate to a non
explorer based shell ? Do I need them ? I think the tricky part is I need
one behavior for admins and one for users. This complicates things.

That's a good question! I would guess that any policies that are
implemented under keys such as
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer will
not apply, since explorer is not running.

However, I do remember that we had successfully implemented a separate
shell, including the disabled task manager (below) it is not under an
Explorer branch of the registry.

The following .reg file will disable task manager:

**** BEGIN REG FILE *****
;Disable_Task_Mgr.Reg
;
;Requirements: Needs ADMIN logon.
;
; Prevents 'Ctrl-Alt-Delete' from bringing up task manager,
; thereby completely locking down the sytem. The combination of
; setting the I3system user shell to a custom app and disabling
TaskMan
; prevents a user from starting explorer, or any other tasks.
;
; After this key is set the only way to get out of the I3SYstem user
; is to logoff, and then logon as administrator. Use the 'Enable_
; TaskMgr.reg' file to remove this restriction.
;
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
**** END REG FILE *****

Let's say requirements are:

Administrators:
Full Explorer Shell

all other users:
start 2 .Net executables at startup
Allow all programs in c:\programs files\companya to run
Allow all programs in c:\windows\system32 to run

By default, all users are allowed to run programs. Some important ways
that users are restricted are
1) they can't write into system folders, or program files folders
2) they can't install programs
3) They can't access other user's data under that exists under a
different
Docs and Settings\username branch

allow programmer to click desktop icon for webex like tool

since explorer is not running, you can't click on a desktop icon. You
can put a button into your application that will launch any app...

I am envisioning that I create a xpe image with installer components,
then install and configure base application installation,
then clone this standard image,
then put it on system and configure in the factory for specific site,
then at specific site do a bit more configuration.
Is this a reasonable senario ?

Yes

I am thinking Winows XPE is a good candidate

for the operating system because I can put only the compoents I need, and XPE
will be supported for a longer period of time than normal operating systems.
I am interfacing with embedded VxWorks system via TCP/IP and the applicaiton
is .Net.
I have an admin user that can do anything and a user that can run one or two
applicatons.

So any help would be appreciated.

Thanks, Eric

 

[steves]

The problems at first glance it that there is no
easy way to return the kiosk user to an Explorer shell, although I guess I
could start a batch file that asks this quesion.

The normal procedure to return to the explorer shell would be to log
off the limited user and then log back on as the administrator.

I am wondering if there is a way to start more than one application if you want.

You can use a button or a 'secret' keystroke combination in combination
with a Windows API call to launch any process you want...

I tried to put an extra application in group policy for startup but it did not start. Does
group policy apply to this limited shell ?

As I said before, it will depend on where in the Registry the policy is
stored, if it is stored under a key named 'explorer' it probably won't
apply. To determine which key is related to a specific policy you can
examine the .adm files in the windows folder, or use SysInternals
Regmon tool to monitor registry changes while applying policies. Or,
search the web (Kelly's Korner is a good website for this kind of
stuff).

SteveS
stevesATeyeDASHimagingDOTcom

ecoulson wrote:

 

[Guest]

The normal procedure to return to the explorer shell would be to log
off the limited user and then log back on as the administrator.

I am thinking in development phase I want to be able to switch the normal
user from applicaiton shell to explorer. Say the application is not behaving
properly as the kiosk user. I want to switch to Explorer shell so I can copy
applications files with debug information - I may do this more than once. I
don't want to have to go to admin, copy files then restart the kiosk shell.
I want to be able to debug the users group user in explorer shell. Then when
I fix the problem I want to put it back to the applicatoins shell. It's not
that much of a problem, I can alway create another explorer shell user in the
users group.

You can use a button or a 'secret' keystroke combination in combination
with a Windows API call to launch any process you want...

I can put a batch file as the shell and start the applicatons I want.

As I said before, it will depend on where in the Registry the policy is
stored, if it is stored under a key named 'explorer' it probably won't
apply. To determine which key is related to a specific policy you can
examine the .adm files in the windows folder, or use SysInternals
Regmon tool to monitor registry changes while applying policies. Or,
search the web (Kelly's Korner is a good website for this kind of
stuff).

Yeah, I see your point. I'll have to investigate this. Actually the only
local group policy it looks like I need is to disable Task Manager from
CTL-ALT-DEL. You can normally do this with group policy and the application
shell still allows you to get into the task manager - which I want to
disallow.

Thanks, Eric