Applies To:
  • NT Workstation 4.0

How do I prevent an operator from getting to the desktop and making changes to the operating system or running unapproved software? A solution was to change the shell from explorer to Citect by modifying the registry. This locks out the user from the desktop as well as from the short-cut keys, such as CTRL-ESC. The problem with having Citect as the shell is that it requires manipulation of the registry every time you want to get back to the desktop and more importantly the system is out of service if Citect can not come up into run time.  

The policy editor can be used to restrict users or a group of users, i.e., operators, from accessing such items as the control panel, the "Find" or "Run" selections under the "Start" menu, access to the desktop, etc. Essentially, everything can be disabled except for the application that you want to run, i.e., citect32.exe and its peripheral executables if any.


  1. Purchase the Microsoft Windows NT Workstation Resource Kit (~$50.00).
  2. Logged in with administrator privileges, from the CD, copy the poledit.exe, poledit.hlp, poledit.cnt files from the \apps\clients\i386 directory to the \winnt directory (installing the resource kit does not install these files).
  3. From the CD, copy the common.adm, windows.adm, winnt.adm files from the \apps\clients\i386 directory to the \winnt\inf directory. If the \winnt\inf directory is not seen, be sure to enable "View all files" under the View-Options menu in Explorer.
  4. Right mouse click on the c:\winnt\system32\repl\imports\scripts directory, select the sharing tab and select the "Shared As" radio button. Change the share name to "Netlogon" (without the quotes). Select the Permissions button and change the access of "Everyone" from "Full Control" to "Read" and add the Administrators group with an access of "Full Control".
  5. From the User Manager, create a user that will be a member of the user group, i.e., operator.
  6. Run the Policy Editor and create a new policy. From the edit menu add a new user and browse to select the user created in step 5 (operator).
  7. Double click on the "Default Computer" icon and open the Network branch and the branch below it, System policies update. Place a check mark in the Remote Update box and select "Automatic" for an update mode, located at the bottom of the window.
  8. Double click on the "Operator" icon to open up its policy restrictions. Start disabling access for this operator by checking off the following items:
  • Shell - Restrictions - (put a check mark in all the boxes)
  • System - Restrictions - Disable Registry editing tools
  • Windows NT Shell - Custom Folders - Hide Start menu subfolders
  • Windows NT Shell - Restrictions - Remove common program groups from Start menu
  • Save the policy file as NTConfig.pol to the \ winnt\system32\repl\imports\scripts directory
  1. If a new user was added, logout as administrator and login as the new user so that NT can create the profile directory for the new user. Re-login as an administrator to continue.
  2. Since the operator does not need to run any programs except for Citect, delete all the files and folders, except the Startup folder, under the "Programs" directory for that user. That is, delete what is below the c:\winnt\profiles\operator\start menu\programs directory, (assuming the user name was operator).
  3. To prevent the operator from accessing the Task Manager via a Ctrl-Alt-Delete you can either delete the program, Taskmgr, located in \winnt\system32 or restrict its access to a higher group/user.
  4. Place a shortcut for the Citect32.exe file in the user's startup directory (c:\winnt\profiles\operator\start menu\programs\startup) for it to run automatically once the user logs in, or install Citect as a service (see knowledge base Q1865) so that users can log in and out without having to stop Citect.
  5. Re-login as the operator and you will not have any access except for the Citect run time program.

Note: The policy editor can be setup so that a user can run only one program by checking the box under System\Restrictions\'Run only allowed Windows applications'. The problem with using this is trying to find all the programs that are needed for Citect and Windows NT to run for that particular user.