I work for a public library and we have several computers set up for patrons to use. The computers already have a user account logged-in before the patrons come into the library. The account user names are "opac", "tukon", etc. These computers have Service Pack 3 on them and have a program that acts as an interface for the patrons, providing the computers with a controlled desktop so that patrons can only use certain programs. It is CybraryN, which is made by the company Computers by Design. Another program we were using to safeguard the computers was SecurePC, which is made by Citadel. This program protects the computer in a manner very similar to Windows 2000's group policy. I wanted to use group policy instead of securepc, so I configured the default group policy on our windows 2000 server to do a number of things, such as disable task manager and hide most of the options on the start menu. I made this policy apply just to opac and tukon, giving these accounts the "Read" and "Apply Group Policy" security settings for the default group policy. This is the only group policy that we have. When I logged-on as opac on one of the patron computers with SecurePC on it, however, I was still able to access task manager (I had disabled SecurePC so that I would know that any restrictions I encountered would be the result of the group policy and not SecurePC). I made sure that I had configured group policy correctly, restarted the computer, and task manager was still available. I suspected that SecurePC might still, somehow, be interfering with group policy, so I completely removed it from the computer. I even used a freewaretool called "regcleaner" to remove any remnant of it from the registry. Still able to access task manager. I then configured the local group policy to disable task manager and restarted the computer. It worked, and I was unable to access task manager. I then re-configured the local group policy to its original state ("Not Configured" for "Disable Task Manager"). I was still unable to access task manager. Also, the other group policy settings that I had configured on the server were in effect. This made me think that SecurePC was somehow interfering with any changes made to the computer's registry. Another reason I thought this is because the group policy settings were in effect on two other computers that I logged-on to as opac. These two computers did not have SecurePC or CybraryN on them. I then went to another patron computer, logged-in as tukon, and noticed that some of the group policy settings were already in effect, but not all of them. I was still able to access task manager, for instance, and I could still access the "Search" option in the Start menu. These computers had CybraryN installed on them, but not SecurePC (I am not going to remove CybraryN, since it performs many important functions). I went into the local group policy, enabled "Disable Task Manager", enabled "Remove Search menu from Start Menu", and restarted the computer. I was unable to access task manager but I could still access the Search menu on the Start menu. I reconfigured the local group policy to its original state and was still unable to access task manager but could still access the Search option on the Start menu. I looked in the registry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and saw that the "NoFind" value was set at "1", meaning that the Search option on the Start Menu was supposed to be missing (from what I have read on the web at www.winguides.com/registry/display.php/149/)! What is going on here? Any help you can give me would be greatly appreciated!

Okay, too long of a post for me to read everything, but first thing... If you want something like that you need to use Loopback policies (it's an option in the policy). And don't forget to set an administrator account with the Deny privelege on that policy so they can log in and not be affected. Otherwise, the user account and the computer account BOTH have to be set to get those settings (it's WAY easier to use loopback). So poke around Microsoft's site for Loopback policies and I'm sure things will ease up for you. Oh, and also if you have any XP machines (can't remember if it works on W2K) look at the MMC Snap-In called Resultant Set of Policies...

Thanks for your help, Lucid! As I understand it, the loopback policy is used when you want to restrict a certain user on a certain computer. This is not my problem. These accounts are only used to restrict the abilities of library patrons and are not used by anyone else here. In fact, some of the group policies are working for these accounts, but some are not. The "Search" option on the Start menu, for instance, still appears for the Tukon account, even though group policy has successfully entered a registry entry that should hide it. However, the desktop icons are hidden while logged-in as "Tukon", so this aspect of group policy worked. This is why I am suspecting these other programs (CybraryN, etc.) of interfering with the changed (by group policy) registry settings.

As a follow-up to my last message, I think I have found out why some of the aspects of my group policy (I only have one) were not working, while others were. As I wrote before, I was able to access the "Search" option (which I should not have been able to due to group policy), while logged-in as "Tukon", while all of my desktop icons were hidden (as they should have been due to group policy). Group policy settings that apply to users apply themselves to the "HKEY Current User" portion of the computer's registry. It was configured there to hide the "Search" option. It then went to the similar location in the "HKEY Local Machine" portion and the setting there for the "Search" option was set to show it. It seems that the "HKEY Local Machine" setting was overriding the "HKEY Current User". Does this sound right?