Novell Home

Security in the Schools, Part 2

Novell Cool Solutions: Trench

Digg This - Slashdot This

Posted: 10 May 2000
 

Hiding the My Documents Directory (Win 98)

One of our most popular hot topics is how to secure computer labs in schools. The original Security in the Schools article, which is a work in progress we add to as we get new solutions from people, has spawned this one, focused on keeping the Win 98 My Documents folder from providing a back door to all the directories you'd rather keep hidden.

Oddly enough, in addition to the school and university system administrators (who we expected to have an interest in this subject), this topic attracts a high number of hospital and prison administrators as well. So if you are seeking ways to curb computer abuse in school, in surgery, or in the slammer, this one's for you.

Original Question

Nadr wrote: I'm running NetWare 5 and ZENworks 2.0 in a school enviroment! Students being what they are, I have set user policies so they see nothing on their desktops except for the applications I allow through ZEN.

All this works great except one directory, 'My Documents,' is still visible on the Start menu in Win98. Any ideas how I can hide this folder using ZEN? I set user policies to hide drive c: but they can still see all directories by going through the Documents folder.

Scott Hart's Idea

How to disable the Start menu's Documents list feature entirely.

Important: Make sure you backup your Registry files--User.dat and System.dat--before making any changes to the Registry!

  1. First, open the Registry Editor:
  2. Select Start, Run.
  3. Type regedit and click OK.
  4. Next, navigate your way to HKEY_CURRENT_USER\Software\Microsoft\ Windows\ CurrentVersion\Policies\Explorer.
  5. In the right pane, right-mouse-click a blank area, select New, then select Binary Value.
  6. Type NoRecentDocsHistory (to name the new value), then press Enter.
  7. Right-click the new value and select Modify.
  8. In the Value data box, type exactly

    01 00 00 00
    (You'll see four zeros there already. Just type the above eight numbers, and the spaces will be inserted automatically.)
  9. Click OK.
  10. Now repeat these steps to add a NoRecentDocsMenu value:
    1. Right-click a blank area in the right pane.
    2. Select New, Binary Value.
    3. Name the value NoRecentDocsMenu
    4. Right-click the new value and select Modify.
    5. In the Value data box, type the above numbers;
    6. Click OK.
  11. Close the Registry Editor.
  12. Restart Windows 98.
  13. Click Start.

That Documents list is nowhere in sight (and neither is the Windows\Recent folder that used to hold the contents of the Documents menu)!

If you have any questions you may contact Scott at golfersc_1999@yahoo.com

Shane Allen's Idea

Shane sent the same solution as Scott, and added a handy collection of regkeys he uses to make Win98 look like Win95.

I've been playing with Win98 for some time now and just last week I was working on this very same problem. Basically ZEN does a good job at locking most of the Desktop down, but with Win98 there are a few things that are left open. "My Documents," "Windows Update," "Active Desktop," "Folder Options," and the like.

After a long search of the Net I have discovered a few really good sites that have cool Registry tips that can be deployed via ZEN to take care of those pesky Win98 enhancements that students don't really need to be using.

Now all that being said, here is the Regedit for the "Documents Menu".

  1. Regedit > HKCU > Software > Microsoft > Windows > CurrentVersion > Policies > Explorer
  2. In the right hand pane, create a new BINARY value with the name: NoRecentDocsHistory.
  3. Edit 00,00,00,00 to read 01,00,00,00.
  4. Also locate or create the "NoRecentDocsMenu" and edit 00,00,00,00 to read 01,00,00,00.
  5. Save your changes, close regedit and restart.

Here in this zip file is a PDF of all the Win98 regkeys I have used to make Win98 desktop look like Win95.

I run the LAN for a large state prison in Arizona and my desktop and user polices are quite famous for being a bit "extreme" but my telephone is really quiet most days, so they are doing their job. Enjoy, keep up the good work, Cool Solutions is one of the best sites Novell offers. It's only second to http://www.dilbert.com/ !!!

If you have any questions you may contact Shane at shaneallen@usa.com.

Aaron Le Saux's Idea

In regards to the question about getting rid of My Documents, this is a possible workaround.

If you right click my documents on the desktop, and choose properties you are able to redirect the 'My Documents' location. Perhaps you could redirect My Documents to the student's home directory, and push out that registry key via ZEN to all applicable workstations.

If you have any questions you may contact Aaron at lesaux@myrealbox.com

Patrick Duggan's Idea

Hiding the "My Documents" folder in Windows 98 - Easy Solution!!!

Create a ZEN object for TWEAK UI (included on the Windows 98 CDROM under Admin Utilities, PowerToys). TweakUI is an excellent GUI for registry modifications.

Start snAppShot, install TWEAKUI, select the "Don't show My Documents" on the IE4 tab, click Apply and finish the snAppShot.

Voila - no more "My Documents."

Tom Tucker's Idea

In regards to disabling My Documents on the Start menu, you can add new policy sections using the user extensible policies. You will need a Windows 98 CD to do this.

  1. Look in the tools\reskit\netadmin\poledit directory for the file called shellm.adm
  2. Copy this file to your server (I put this file in the system directory).
  3. Start up NWADMIN32 and go to your policy.
  4. Check User Extensible Policies.
  5. Click on Details.

This is where you can add the shellm.adm file and use its policies. You can do more than with just the standard set of policies. Also, there are other .adm files on the Win98 CD that you can use as well, for different circumstances.

If you have any questions you may contact Tom at TTucker@ccsok.com

Tim Hughes' Idea

I had the same problem but if you install Tweak UI of of the original Windows 98 CD in the Reskit dir then you can choose to remove the my documents folder from the start menu. I would also say that if you install TweakUI and then do a snAppShot and then remove the My Document folder you would then find out the change that needs to happen without having to install Tweak UI on all systems.

Steve Rose's Idea

You can probably use "Custom Start Menus" (I haven't tried them yet), or you can use this registry hack I discovered.

Find the registry key:
HKLM\Software\Microsoft\ CurrentVersion\Explorer\Desktop\ Namespace\ {450d8fba-ad25-11d0-98a8-0800361b1103}

Its default value is "My Documents." If you delete this key it will remove "My Documents" from the Start Menu as well as the desktop. Note: In the Office suite (O2K at least probably earlier also) if you select "My documents," nothing will show up there, but you are still able to use the "Up folder" button to navigate up your directory tree.

You can probably create a "force run" application object that will delete this key.

If you have any questions you may contact Steve at rose@gw.kckps.k12.ks.us

Eric Lancup

By using Tweak UI, which is found on the Win98 CD, you can remove the My documents folder from the Start Menu. Removing My Documents causes a registry change under HKey_Current_User. If you go into regedit and export the following value:

HKCU,Software,Microsoft, Windows,Current Version, Policies,Explorer

you can import them into an application object to be pushed onto the clients.

I have removed the Logoff option, Favorites, and My Documents from the Start Menu. To create the application object select create a simple application. Import the registry value in the registry settings tab. The value should read...
No_RecentDocsMenu = 01 00 00 00.

Under the Identification tab select Install only, associate it to the appropriate group and check off force run. When the students log in the registry hack will be distributed.

I havn't encountered any problems using this hack. When the hack is distributed the change is not effective until the workstation is rebooted.

If you have any questions you may contact Eric at lancupe@nouvelon.edu.on.ca

David Stagg's Idea

In response to the request about how to disable the "My Documents", I redirect it rather than disable it. There is a registry setting that points the My Documents link to the folder of the same name on the C: drive. Rather than let students write information to the C: drive I want them to write their data to their Home directory, which we map as drive H:.

Rather than muck about with regedit, in this case I use the TweakUI tool from Microsoft. Select the "My Documents" entry then browse to "H:\" which replaces the "C:\My Documents". After that any application that makes reference to the "My Documents" link is redirected to the student's (and the staff user's) own home drive.

If you do not wish to use TweakUI, you can do a search in Regedit for "C:\My Documents" and replace it with "H:\" or whatever network drive letter and path you wish.

I also use TweakUI to enforce the Paranoia options and remove all history of applications and documents accessed by the previous user.

If you have any questions you may contact David at staggd@fsd38.ab.ca

-t's Idea

In response to the question about preventing students from accessing the C: drive via My Documents on the Start Menu I may have found an answer albeit not a perfect solution.

First, the My Documents icon must be on the desktop. If it has been deleted (took me a while to figure this out), right-click an empty area of the desktop and select Place icon for My Documents icon on the Desktop (or something like that). Then what you do is change the properties of that icon. We have set it up to go to H:\My Documents. That sets the system setting to use the My Documents folder on the H: drive as the system's default doc folder.

Go to the C: drive in Explorer and you can now safely delete the My Documents folder. If the H: drive is missing the My Documents folder, I have seen Windows recreate C:\My Documents and change that back to the default doc folder. To try to prevent this, I created an empty text file and called it My Documents. Well, then Windows decided to make C:\Windows the default document folder so I didn't really save myself anything. But at least now you know what happens.

Regardless of that flaw, if the H: drive is properly mapped to a directory which has a R/W folder called "My Documents", the problem is resolved (circumvented?). It's not a fix, but I hope it helps...

Rich Stevenson's Idea

Create an .ADM file as follows in notepad:

CLASS USER
CATEGORY !!StartMenu
KEYNAME
Software\Microsoft\Windows\ CurrentVersion\Policies\Explorer
POLICY !!StartMenu
PART !!NoRecentDocsMenu CHECKBOX
VALUENAME NoRecentDocsMenu
END PART
END POLICY
END CATEGORY
;;End StartMenu
[strings]
StartMenu="Start Menu"
NoRecentDocsMenu="Remove Documents menu from Start Menu"

and use it as an extensible policy. This will turn off the Documents folder in the Start Menu.

If you have any questions you may contact Rich at Stevenrp@middough.com


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell