When creating your settings, you can choose from three options: a selected check box, an empty check box, and a shaded check box. A selected check box means that the noted action will take place. For example, a selected Disable Registry editing tools check box disables the Registry editing tools. Thus, users can't use those tools. An empty check box means that the noted action will not take place. For example, an empty Disable Registry editing tools check box will not disable Registry editing tools. Therefore, users can use those tools. A shaded check box means the action that was previously decided will take place. For example, if you select the Disable Registry editing tools check box in the Default User settings and then shade the Disable Registry editing tools check box in the settings for an individual user, the individual user will not be able to use the Registry editing tools.
After you have created your system policies file for the Default User, you need to add an administrative account for each person who will support the system and its users. When you add an administrative account, the OS uses the Default User settings that you just created as the template. Thus, you need to change the settings to give the administrative account the authority to access those items inaccessible to default users. Simply put, you need to turn the selected check boxes into empty check boxes by clicking each box. (Do not double-click because double-clicking will shade the box.)
After you create the administrative account policy, you can create account policies for individual users or groups. If you want to simplify administrative matters as much as possible, let the Default User settings apply to these policies.
Default Computer Policies
Rather than creating policies based on the user, you can create policies based on the computer. However, I don't recommend creating Default Computer policies for a remote user because this policy resides on only one computer--the computer the remote user is using.
You create the Default Computer policy file the same way you create a Default User policy file. The Default Computer setting applies to all computers unless you create a policy for a specific computer. The name of the policy must match the computer name on the Identification tab of the Network dialog box.
Many Options Open
You are not limited to the policy templates that come with their respective OSs. Many other templates (all have .adm extensions) are available. For example, if your company uses Microsoft Office, you can incorporate the template on the Office Resource Kit CD (95 or 97) to restrict operations in that product. Templates are also available for Microsoft's Internet Explorer (IE) and Novell's NetWare Client 32. Microsoft's Zero Administration Kit (ZAK) is a big set of templates that lets you turn a user's computer into an expensive dumb terminal.
No matter the source of the policy templates, system policies are an important tool for users who work not only within the confines of a company's buildings but also outside those confines. Administrators can use locally placed system policies to make sure that unauthorized remote users don't tamper with the Registry and other vital OS areas.