Your explanation of how to disable Windows Messenger ("Disabling Windows Messenger on XP Workstations," November 2002, http://www.secadministrator.com, InstantDoc ID 26772) was useful, but our situation is different. Some of our users occasionally need Windows Messenger. Can we disable Windows Messenger for everyone but let trusted users start it on demand?

For users who should never use Windows Messenger, you can select Do not allow Windows Messenger to be run, as I explained in "Disabling Windows Messenger on XP Workstations." For users who occasionally need Windows Messenger, you can instead enable Do not automatically start Windows Messenger initially. This setting protects occasional users from exposure to Windows Messenger risks except when they actually need to use the program. To find both policies, run gpedit.msc and go to Computer Configuration, Administrative Templates, Windows Components, Windows Messenger.

You'll also find these Windows Messenger policies under User Configuration, Administrative Templates, Windows Components, Windows Messenger. Thus, you can set a Windows Messenger policy according to who is logged on (User Configuration) or which computer the user is logged on to (Computer Configuration). If you configure a policy in both places, the setting in Computer Configuration takes precedence. If you want to use Group Policy Objects (GPOs) in Active Directory (AD) to centrally control either of these policies for Windows XP workstations, first make sure you've upgraded the administrative templates in your GPOs with XP's new settings, as I explained in "Disabling Windows Messenger on XP Workstations."