Linden, I am using customised Policy templates - I started with std templates and modified them to suit our requirements. The one containing the setting for disabling command prompt is a modification of the std winnt.adm - the actual key that the .pol file sets appears to be the same one you are setting (HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD) though my template says the value for disabling access is 1 not 2 as shown in the section from the adm file shown below POLICY "Disable the command prompt" KEYNAME "Software\Policies\Microsoft\Windows\System" PART "Disable the command prompt script processing also?" DROPDOWNLIST NOSORT VALUENAME "DisableCMD" ITEMLIST NAME "Yes" VALUE NUMERIC 1 NAME "No" VALUE NUMERIC 2 DEFAULT END ITEMLIST END PART END POLICY Looking at the above it appears that it referring disabling the command prompt script for processing - to confuse things everyone seems to be set to 2 yet it does work (except for the issues that were raised yesterday with NT4 CMD.EXE and both NT4 and w2k versions of command.com). Users who are not permitted to run CMD.EXE can't and users who are permitted can. Been quite a while (about two years) since I set these adm files up - I will do some "playing" with my test server when I get a chance to see If I can recall how I got this to work properly. -Ec -----Original Message----- From: Seitz, Linden [mailto:L.Seitz@xxxxxxx] Sent: Thursday, 26 February 2004 3:35 a.m. To: 'thin@xxxxxxxxxxxxx' Subject: [THIN] Re: Darn Command Prompt - was Re: Restrict Drive Acces s Yes interesting. I also disabled general users ability to run a command prompt on our system (my servers are W2K+SP3 MFXPe+FR3 on NT4 Domain) using the allInOne_v099.adm system policy template file from thethin.net. I also copied cmd.exe from the same 2000 server and put it in the user home, double clicked on it from Explorer and it opened. What Poledit template are you using? -----Original Message----- From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf Of Euan Cooper Sent: Tuesday, February 24, 2004 2:26 PM To: 'thin@xxxxxxxxxxxxx' Subject: [THIN] Re: Darn Command Prompt - was Re: Restrict Drive Access Interesting .... I disabled general users ability to run a command prompt on our system (W2K+SP3 MFXPa+FR2 on NT4 Domain) via a system policy. Just tested putting cmd.exe in test user's home dir and tried to run it from explorer - still get "Command Prompt has been disabled by your administrator". Will have a look through the adm file when I get a change to see what key it is setting. -Ec -----Original Message----- From: Seitz, Linden [mailto:L.Seitz@xxxxxxx] Sent: Wednesday, 25 February 2004 8:33 a.m. To: 'thin@xxxxxxxxxxxxx' Subject: [THIN] Darn Command Prompt - was Re: Restrict Drive Access I have the following registry key (HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD = 2) set to "try" to disable a user's ability to open and run the command prompt. The scenario I can't get past is if a user places a copy of cmd.exe in their personal directory and run it from a Citrix session. The command prompt runs and the user is able to circumvent my Hide Drives and Prevent Drive Access settings. Is there any way to avoid this from happening other than using Appsec or other add-ons? -----Original Message----- From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf Of Jeff Durbin Sent: Tuesday, February 24, 2004 12:27 PM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: Restrict Drive Access Have used it at virtually every client that had Citrix or Terminal Services. It does prevent access to drives, which can be a problem for your app. I've never seen a major problem as a result of using it. JD > -----Original Message----- > From: thin-bounce@xxxxxxxxxxxxx > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Seitz, Linden > Sent: Wednesday, 25 February 2004 3:53 a.m. > To: Thin@Freelists. Org (E-mail) > Subject: [THIN] Restrict Drive Access > > Anyone using the "Prevent access to drives in My Computer" in > security policy or .adm files in addition to hiding the > drives? I would like to know if this setting "could" cause > any file access problems if I enable it on my OS and > Application partitions. Thanks! > ******************************************************** > This weeks sponsor triCerat Inc. > triCerat makes your job easier by offering essential > applications to eliminate your printing, policy and profile, > and your application management problems. > http://www.triCerat.com > ********************************************************** > Useful Thin Client Computing Links are available at: > http://thin.net/links.cfm > *********************************************************** > For Archives, to Unsubscribe, Subscribe or set Digest or > Vacation mode use the below link: > http://thin.net/citrixlist.cfm > ******************************************************** This weeks sponsor triCerat Inc. triCerat makes your job easier by offering essential applications to eliminate your printing, policy and profile, and your application management problems. http://www.triCerat.com ********************************************************** Useful Thin Client Computing Links are available at: http://thin.net/links.cfm *********************************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thin.net/citrixlist.cfm ******************************************************** This weeks sponsor triCerat Inc. triCerat makes your job easier by offering essential applications to eliminate your printing, policy and profile, and your application management problems. http://www.triCerat.com ********************************************************** Useful Thin Client Computing Links are available at: http://thin.net/links.cfm *********************************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thin.net/citrixlist.cfm ******************************************************** This weeks sponsor triCerat Inc. triCerat makes your job easier by offering essential applications to eliminate your printing, policy and profile, and your application management problems. http://www.triCerat.com ********************************************************** Useful Thin Client Computing Links are available at: http://thin.net/links.cfm *********************************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thin.net/citrixlist.cfm ******************************************************** This weeks sponsor triCerat Inc. triCerat makes your job easier by offering essential applications to eliminate your printing, policy and profile, and your application management problems. http://www.triCerat.com ********************************************************** Useful Thin Client Computing Links are available at: http://thin.net/links.cfm *********************************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thin.net/citrixlist.cfm ******************************************************** This weeks sponsor triCerat Inc. triCerat makes your job easier by offering essential applications to eliminate your printing, policy and profile, and your application management problems. http://www.triCerat.com ********************************************************** Useful Thin Client Computing Links are available at: http://thin.net/links.cfm *********************************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thin.net/citrixlist.cfm