You might use an administrator account on your PC, but don’t trust other people with that kind of access.
Whether you want to keep an eye on your children’s computer usage or need to simplify a computer for a loved one, blocking off parts of Windows is useful. Even if you’re locking your PC when you’re not using it, other user accounts could be a problem.
Let’s take a look at different ways to lock down every aspect of Windows.
Use Standard Accounts and UAC
The simplest way to restrict an account’s permissions is setting it as a standard account. These limited accounts can run software and change settings that don’t affect other users, but don’t have total control. For instance, a standard account can’t install software, modify internet connection settings, or change the time.
To change an account’s permissions, visit Settings and click Accounts. On the Family & other people tab, find their name under Other people, then hit the Change account type button. This lets you change administrators to standard users. To create a new account, click Add someone else to this PC and select Standard User when asked for the type.
User Account Control (UAC) lets you control how much standard accounts can do. Type UAC into the Start Menu and choose Change User Account Control settings. You can choose between four levels of notification. The default setting notifies admins when apps try to make changes, but not when they change Windows settings. Always Notify is more secure but as annoying as Windows Vista. You shouldn’t turn off UAC or everything can run as an admin without asking.
Create a Child Account
Standard accounts are great for people who have some basic computer knowledge that you don’t want screwing around with your settings. But they don’t account for the unique challenge of keeping kids safe when using a computer. For that, you should try Microsoft’s Child Account feature in Windows 10.
Head back to Settings > Accounts > Family & other people, but this time click Add a family member under Your family. Choose Add a child and enter their email address. If they don’t have one yet, click The person I want to add doesn’t have an email address. You can create a new email address for them @outlook.com, or use your own address. We recommend making a new Microsoft account to keep everything separate.
Note that if your child already has an email address and you add them to your PC, they’ll receive an invite in their email instead. They must accept this before logging onto your computer, or the child protection measures won’t take effect.
Windows will ask you for your phone number as a backup for the child account. You can use this to get back into the account if they forget the password. Next, Windows will present you with two checkboxes asking if Microsoft Advertising can use their account info and send them promo offers. These settings are annoying for adults, let alone children, so it makes sense to disable them.
Family Setting Options
That’s all it takes to create a child account. Now, you should log into the Microsoft Family Management page online to configure safety options. You’ll find several helpful controls here:
- Recent Activity lets you see what your child does on your PC. Turn on Activity reporting and you’ll get a weekly report in your email about their goings-on. You can also block private browsing so your kids can’t surf the web without leaving a trace. They’ll have to use Edge or Internet Explorer (IE) for this to work, though.
- Web browsing lets you Block inappropriate websites in Edge or IE, though it doesn’t list what these sites are. This also enforces SafeSearch in major search engines. Underneath this, you can add sites to Always allow these or Always block these to create a whitelist and blacklist. Check Only see websites on the allowed list to restrict their internet browsing to a specific list of sites.
- Apps, games & media can Block inappropriate apps and games. You can also choose an age level to limit media content. For example, if you choose 10 year olds, this will limit the child to TV-PG shows, games rated Everyone 10+, and music without a Parental Advisory label. Blocked apps & games lets you turn off programs. You should disable other web browsers here so Edge’s filtering takes effect.
- Screen time lets you limit how much your child uses the computer each day. You can set a Daily allowance of anywhere from 30 minutes to 12 hours, along with limits based on the time of day. So if you want to allow two hours of time on Fridays but only allow use from 7 AM to 10 PM, you can set that up here on a per-day basis.
- Purchase & spending lets you change settings on the Windows Store (even though you probably never use it). Using your credit card, you can add money to the child’s account so they can buy games without taking your card. Below, you can limit them to downloading only free items, or nothing at all from the Windows Store. You’ll also receive a notification by default when they download something.
- Find your child lets you track your child’s device. This only works on Windows 10 Mobile phones, though, so it’s likely useless for most people.
Utilize Group Policy Tweaks
Group Policy is a tool in Pro editions of Windows that lets you control all sorts of account aspects. It’s intended for corporate use, but it can make lots of awesome tweaks for home use, too. The required tool isn’t officially available in Home versions of Windows, but you can use a workaround to install the Group Policy Editor to get it on those editions.
To access the Group Policy editor, press WinKey + R to open the Run dialogue and type in gpedit.msc. Double-click on any item to change its status from Not Configured to Enabled or Disabled. Check out some of these tweaks to lock down Windows:
- Computer Configuration > Administrative Templates > Windows Components > Windows Installer and enable Turn off Windows Installer to prevent anyone from installing software.
- User Configuration > Administrative Templates > Control Panel, then use Hide specified Control Panel items to remove some entries, Show only specified Control Panel items to create a restricted list, or Prohibit access to Control Panel and PC settings to remove them entirely.
- User Configuration > Administrative Templates > System contains Prevent access to the command prompt and Prevent access to registry editing tools so savvy users can’t use them as workarounds. Also, Don’t run / Run only specified Windows applications lets you control what software the user can run.
- User Configuration > Administrative Templates > System > Ctrl + Alt + Del Options lets you remove the user’s ability to change their password, open the Task Manager, log off, or lock the PC.
Looking for a guide to group policy settings to lock down pc to stop kids from deleting files etc, and to let them play chosen games
— Andrew Morrison, ? (@AndyMorrison42) February 10, 2017
- User Configuration > Administrative Templates > Windows Components > File Explorer can Prevent access to drives from My Computer if you don’t want an account poking around in the file system.
- Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy holds several options that let you restrict passwords. Set Maximum password age to force users to change their passwords, and Minimum password length so people can’t use short passwords. Password must meet complexity requirements forces passwords to contain at least six characters and contain a mix of letters, numbers, and symbols.
The Group Policy Editor supports many more tweaks, but the ones listed above let you lock down major Windows features.
Try the FrontFace Lockdown Tool
This app locks down a PC that’s acting as a kiosk. Since it collects common lockdown options all in one place, you can still use it to secure your own PC. Download the tool and you can run it without installing anything.
The Welcome tab on the left lets you pick from two preset profiles: Digital Signage Player PC and Interactive Kiosk Terminal. They contain settings so you can leave a computer out on a table for the public and not worry about people messing with it. If you’d rather customize these settings on your own, check the Startup & Shutdown, Continuous Operation, and Protection & Security tabs on the left.
You can set a program to automatically start when an account logs on, shut down the PC at a given time, disable access to the Task Manager, and even hide System Tray icons. Some of these changes will affect the entire machine, while others apply to only one user account. FrontFace provides a great way to beef up a restricted profile, especially if you don’t want to track down all the settings individually.
How Do You Lock Down Your PC?
These options let you restrict your computer to pretty much any level you’d like. Whether you want to keep inexperienced users from installing software or want to keep your kids safe, you can do it with these tools. Most other locking software costs a fair bit and doesn’t offer anything most users need that you can’t get with the above methods. For a nuclear option try a Deep Freeze, which resets your PC to a standard image every time you reboot.
For more, check out everything you should know about managing user accounts.
What are your favorite tools for blocking off Windows features? Let us know what you restrict on your computer by leaving a comment!
Image Credits: Rawpixel.com/Shutterstock