Desktop restrictions can be implemented by editing the following Explorer values in the registry: (all values default to 0)
Set it to 1 so that common program groups do not appear on the Start menu.
Set it to 1 to hide all desktop icons.
The low-order (rightmost) bit is drive A:, while the 26th bit is drive Z:.
To hide a drive, turn on its bit. These drives will still appear in File Manager. To remove File Manager, delete winfile.exe.
If you're not happy working in hex, add these decimal numbers to hide the drive(s):
A: 1, B: 2, C: 4, D: 8, E: 16, F: 32, G: 64, H: 128, I: 256, J: 512, K: 1024, L: 2048, M: 4096, N: 8192, O: 16384, P: 32768, Q: 65536, R: 131072, S: 262144, T: 524288, U: 1048576, V: 2097152, W: 4194304, X: 8388608, Y: 16777216, Z: 33554432, ALL: 67108863
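The drive-hiding bitmask described above can be computed and decoded rather than added up by hand. The following is an added example, not part of the original tip; the function names are hypothetical, and it only does the arithmetic (it does not touch the registry), which makes it handy for auditing what an existing value actually hides.

```python
import string

LETTERS = string.ascii_uppercase      # A..Z map to bits 0..25
ALL_DRIVES = (1 << len(LETTERS)) - 1  # 67108863, the "ALL" value in the list above


def drives_to_mask(drives):
    """Return the bitmask that hides the given drive letters ("C", "c:", ...)."""
    mask = 0
    for drive in drives:
        letter = drive.strip().rstrip(":").upper()
        if len(letter) != 1 or letter not in LETTERS:
            raise ValueError(f"not a drive letter: {drive!r}")
        mask |= 1 << LETTERS.index(letter)  # A: is the low-order bit
    return mask


def mask_to_drives(mask):
    """Decode a bitmask back into the list of drives it hides."""
    if not 0 <= mask <= ALL_DRIVES:
        raise ValueError(f"mask outside the 26 drive bits: {mask}")
    return [f"{LETTERS[i]}:" for i in range(len(LETTERS)) if (mask >> i) & 1]


def describe(mask):
    """Render a mask in decimal and hex, plus the drives it hides."""
    hidden = " ".join(mask_to_drives(mask)) or "(none)"
    return f"decimal {mask}, hex 0x{mask:08X}, hides {hidden}"


if __name__ == "__main__":
    # Constructed sample: hide the floppy drives and drive D:
    print(describe(drives_to_mask(["A", "B", "D:"])))
    # Constructed sample: audit a value read from a workstation
    print(describe(33554436))
```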
If set to 1, the File menu in Explorer is removed.
Set it to 1 to remove the Find command from the Start Menu.
A value of 1 removes the "Map Network Drive" and "Disconnect Network Drive" menu and right-click options.
Set it to 1 to remove the Network Neighborhood icon and prevent network access from Explorer (it will still work from a command prompt).
If set to 1, the Run command is removed from the Start menu.
Set it to 1 to hide Control Panel and Printers and My Computer in Explorer and on the Start Menu.
If set to 1, only Drag and Drop can be used to alter the Start Menu and Desktop. The Taskbar does not appear on the Start Menu.
If set to 1, menus do not display upon right-click of the taskbar, Start button, clock, or taskbar application icons. The entry is only available for NT 4.0 with SP 2 or greater.
If set to 1, menus do not display upon right-click of the desktop or Explorer's results pane. The entry is only available for NT 4.0 with SP 2 or greater.
Set it to 1 and only programs that you define at:
can be run on the Workstation. See tip 362.
Set it to 1 to remove the ShutDown button from the Start Menu. This does not disable shutdown from CTRL+ALT+DEL. To totally disable a user's ability to shut down, remove the "advanced" right to "Shutdown the System" from Policies/User Rights of User Manager for Domains.
To really lock down the desktop, replace the Explorer or Progman shell with your own launcher. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and edit the Shell Value Name, replacing the current .exe (normally Explorer.exe) with YourOwnLauncher.exe. See "Restricting system features ..." on a subsequent Tips page.