Novell Home

Replacing Windows Explorer shell with NAL (for XP and Win 9.x)

Novell Cool Solutions: Trench
By Matt Colwell

Digg This - Slashdot This

Posted: 13 Feb 2004
 

Updated on 13 Feb 2004

Update: After this article was originally published, I received a number of emails asking if it can be done in Windows 9X. See the Win 9.x section for the instructions.

In a school lab environment we don't want the students "playing" with the "features" of Windows. We want a way to lock them out of everything except the handful of applications that apply to their work/assignments.

Windows XP

SOLUTION: Register lab workstations and create workstation group(s). Add registered workstations to group(s).

Create application objects for the apps you want users to run, and associate the app objects by workstation group. Make sure you've got your application launcher config set to "Read groups for applications (Workstation)" to "YES". You can accomplish the same thing with user groups, but in our environment, applications are lab-specific so workstation groups make sense for us.

Create 2 .REG files. The key that will be changed is
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
One will replace the explorer.exe key in the registry with NAL. The other will replace NAL with Windows Explorer. This will ensure that an administrator can re-enable Explorer as the shell with minimal headaches. You may also want to create an app object for explorer.exe and associate it with your administative logins so you can launch it via NAL.

The result is a workstation with NAL as its shell. Students will find it harder to hack into the registry, mess with screen savers, play solitare, etc.

We use this along with Dynamic Local Users and ZFD4 imaging to manage our computer labs, and it all works great.

Examples of .REG Files

NALLOCK.REG <- Sets Workstation to use NAL for Shell
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell"="NALWIN32.exe"

DEFSHELL.REG <-Sets Workstation back to explorer shell
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell"="explorer.exe"

Windows 9.x

After this article was originally published, I received a number of emails asking if it can be done in Windows 9X. Here's how you do it.

SOLUTION: This tip assumes that you're using ZfD 4X. This tip can be modified to work with ZfD 3X components, but the information applies directly to ZfD 4X.

Register lab workstations and create workstation group(s). Add registered workstations to group(s).

Create application objects for the apps you want users to run, and associate the app objects by workstation group. Make sure you've got your application launcher config set to "Read groups for applications (Workstation)" to "YES". You can accomplish the same thing with user groups, but in our environment, applications are lab-specific so workstation groups make sense for us.

Modify the c:\windows\system.ini file. Replace the Shell=explorer.exe line with SHELL=c:\progra~1\novell\zenworks\nalwin32.exe

The result is a workstation with NAL as its shell. Students will find it harder to hack into the registry, mess with screen savers, play solitaire, etc.

EXAMPLE: Make this change to the c:\windows\system.ini file

Replace the line:
SHELL=EXPLORER.EXE

With:
SHELL=c:\progra~1\novell\zenworks\nalwin32.exe

If you have any questions you may contact Matt at matt.colwell@sduhsd.net

Other Ideas

JD wrote: Thanks Matt. In addition to the steps you are suggesting, we edit the registry to disable Task Manager when a student hits CTRL\ALT\DELETE. That way, they can't run a new task and run explorer.exe.

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
Name: DisableTaskMgr
Type: REG_DWORD (DWORD Value)
Value: (0 = default, 1 = disable Task Manager)


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell