PRGSEC12, Program Manager Security, Version 1.2
Copyright (c) 1995, Marvin E. Wilborne III

Summary

This program is designed to be used by a Systems or Network manager to control the amount of changes users of "public" PC's can make to Windows. This program allows you to remove programs and features from Program Manager and password protect them. If you've ever gone to a PC to fix the colors so that users can see what they're doing (they set the foreground and background colors to the same thing), or you've gone to PUT BACK an ICON they've deleted, then this program may be of interest to you.

This program is also designed for the home user that has children who occasionally delete, by accident of course, programs and program groups.

Installation

Unzip PRGSEC12.ZIP into your \WINDOWS\SYSTEM directory. Don't replace any files in your \WINDOWS\SYSTEM directory that are NEWER than the files included in this .ZIP.

Files included: VSVBX.VBX, VSVBX.LIC, CTL3D.DLL, MHRUN400.DLL, THREED.VBX, PROGSEC.EXE, FILE_ID.DIZ and README.TXT. You'll also need VBRUN300.DLL (not included with this distribution) to run the program.

Optionally, you can unzip this zip file into any directory that you create. You may want to copy the VSVBX.*, CTL3D.DLL, MHRUN400.DLL and THREED.VBX files to your \WINDOWS\SYSTEM directory.

Use

After installing the files, you should create an entry in one of your program manager groups by dragging the .EXE file from File Manager to the program group of your choice. You should see a "padlock" icon once the program is successfully placed. Run the program by clicking the icon and press or double click on the icon.

The main screen allows you to set the windows options that are allowed or disallowed in the program manager:

The "Run" group allows you to disable the option under the File menu of program manager that allows you to run programs.
In a secure environment you would set this option to "NO" so that programs such as Control Panel or File Manager couldn't be run manually.

The "File Menu" group allows you to turn on or off the entire "File" menu choice of program manager. This option prevents the user from using File Exit to exit Windows and disallows someone from rearranging the program manager and saving it by selecting File Exit while the left shift key is pressed.

The "Close" group allows you to enable or disable the System Menu Close option so that doesn't work and Close don't work.

The "Save Settings" group allows you to disable the Options menu item Save Settings on Exit.

The "Edit Level" group allows you to set the levels of editing allowed in program manager.

    Normal      = All normal functions such as deleting and creating icons, changing properties and rearranging groups are allowed.
    No Group    = No group changes are allowed. Disables creating new entries in a group.
    No Icon     = No icon changes are allowed.
    No Cmdline  = Disables command line changes to a program's properties.
    No Property = Disables changes to any property of a program. (The most secure.)

After setting the options by clicking the Yes, No, or Option Level, you need to press the Save button and then choose Restart Windows under the Tools Menu to make the changes effective. Anytime changes are made to these 5 groups they DO NOT become effective until you restart Windows.

These program manager restrictions are stored in the \WINDOWS\PROGMAN.INI file in the [restrictions] section. This file can be edited at the DOS prompt, so the security isn't foolproof. If someone can get to DOS, either at the time of boot up or from Windows, they can bypass the security restrictions placed on Program Manager by directly editing the PROGMAN.INI file.

To password protect the program so that when it is run you have to enter a password to get into it, choose New Password under the Edit menu.
If you forget the password, you will need to remove the Password entry from the [Security] section of the \WINDOWS\PROGSEC.INI file.

For the most secure Windows, you should remove the following programs from program manager groups:

    Control Panel - Why? Because people can get in here and add different printers or affect the settings for network based printers. They can change the Window colors, the desktop, the screen saver, and much more!
    File Manager - Why? Because you can launch just about any program you want.
    MS-DOS - Why? Because a DOS user could use Edit to change the PROGMAN.INI file settings or to delete the password from the PROGSEC.INI file.
    PIF Editor - Why? Because an experienced user may be able to find a DOS batch file that is started from a PIF and edit it to start up DOS programs of their choice.
    Sys Edit - Why? This simply allows the user to go in and make changes that could directly affect the operation of Windows.
    Reg Edit - Why? We don't need the user to put the "Package" object type in the Registration Database.
    Object Packager - Why? Object Packager gives you another way to start programs.
    Windows Setup - Why? Again, we don't need the user to change the configuration of Windows.
    Network Setup - Why? Here again, users are notorious for changing the network configuration, breaking their programs that use the network.
    Windows Setup - Why? Same as all of the above.

You can also Exit Windows from Program Manager Security as long as you know the password to get into the program.

Advanced

Program Manager Security creates the file \WINDOWS\PROGSEC.INI and places the password in it (encrypted).

You can also set up the User1 and User2 menu options to run programs that you use for configuring Windows, such as a screen resolution changing program or even the Windows Setup utility. To use these options, create a [User] section in the \WINDOWS\PROGSEC.INI file and set User1=WINSETUP.EXE and User2=SETRES.EXE or to whatever your program names are.
You can use a complete drive/path specification.

All programs launched from the Tools menu can be user defined. To change a menu option (you can change the program but not the menu name), put a [Tools] section in the \WINDOWS\PROGSEC.INI file. You can then define the following programs:

    [Tools]
    FileManager=winfile.exe    ; default windows file manager
    ControlPanel=control.exe   ; default windows control panel
    DosPrompt=dosprmpt.pif     ; default windows dos pif
    PIFEdit=pifedit.exe        ; default windows pif editor
    SysEdit=sysedit.exe        ; default windows system editor
    RegEdit=regedit.exe /v     ; default windows registration database editor
    WinSetup=winsetup.exe      ; default windows setup program
    NetSetup=winsetup.exe /z   ; default windows network setup program

More About Object Packager

You should remove the "Package" type from the Registration Database using RegEdit. Why? Because a user could start up Write, choose Insert Object, then choose Package, and this would start up the Object Packager. From Object Packager you can execute any program on the system. This is why the object packager should be removed from any program groups in program manager. Object packager is harder to use than file manager but is just as effective in starting programs as file manager.

Limitations of Program Manager Security

This version DOES NOT WRITE PROTECT any of the important Windows .INI files, so anyone could use Notepad or other editors to change settings in the files that affect what you can do. For example, they could edit SYSTEM.INI and replace the shell=progman.exe line with shell=winfile.exe and start up File Manager and execute any program from there. Even simpler, they could lift all of the Program Manager restrictions by removing the [Restrictions] section of \WINDOWS\PROGMAN.INI.

DOS allows several methods of stopping start up execution, including and , LEFT SHIFT while STARTING MS-DOS... is displayed and less elegantly the good old .
Since this is possible, it is impossible for Program Manager Security to prevent a user from using Edit or any other DOS word processor to edit any of the important Windows .INI files.

This program relies on a user's ignorance of how Windows operates to make it more secure than it is normally. This program IS NOT designed to prevent the experienced PC/Windows user or programmer from getting around the security limitations of Program Manager Security.

Additionally, if there are programs that you would like to leave access to, you simply don't delete their icon from program manager. For example, you could remove the Windows Setup icon, restricting its access to PROGSEC, but you could leave the Network Setup icon.

REGISTRATION

Individual users who find this program useful can license it for their personal use for $15.00.

Companies that would like to license and install this program on corporate PC's to lockout setup programs can register this program for an entire corporate site for $100.00.

Any additional contributions, comments or suggestions are welcome.

Please send registration fee, along with your name and address to:

    Marvin E. Wilborne III
    900 Jamerson Circle, Apt 16
    Danville, VA 24540

Registered users will receive telephone, written and e-mail support.
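
An added example, not part of PRGSEC12 or its original README: a small Python audit that reads PROGMAN.INI and SYSTEM.INI text and reports the two changes described under Limitations, a removed or weakened [Restrictions] section and a replaced shell= line. The key names NoRun, NoFileMenu, NoClose, NoSaveSettings and EditLevel are the standard Windows 3.1 Program Manager entries, their mapping to the five groups above is an assumption, and the sample file contents are constructed.

```python
# Added example (not PRGSEC12 code). Key names are the standard Windows 3.1
# Program Manager [Restrictions] entries; the README names only the section,
# so the mapping to its five groups is an assumption.
EXPECTED = {"norun": "1", "nofilemenu": "1", "noclose": "1",
            "nosavesettings": "1", "editlevel": "4"}

def read_ini(text):
    """Parse INI text into {section: {key: value}}, ignoring case."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ; comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            data.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            data[section][key.strip().lower()] = value.strip()
    return data

def audit(progman_ini, system_ini, expected=EXPECTED):
    """Return findings; an empty list means the lockdown is intact."""
    findings = []
    restrictions = read_ini(progman_ini).get("restrictions")
    if restrictions is None:
        findings.append("PROGMAN.INI: [Restrictions] section is missing")
    else:
        for key, want in expected.items():
            got = restrictions.get(key, "0")         # absent entry = unrestricted
            if got != want:
                findings.append(f"PROGMAN.INI: {key}={got}, expected {want}")
    shell = read_ini(system_ini).get("boot", {}).get("shell", "")
    name = shell.replace("\\", "/").rsplit("/", 1)[-1].lower()  # allow a full path
    if name != "progman.exe":
        findings.append(f"SYSTEM.INI: shell={shell or '(unset)'}, expected progman.exe")
    return findings

# Constructed sample file contents, not taken from a real machine.
_BASE = "[Settings]\nAutoArrange=1\n"
LOCKED = _BASE + "[Restrictions]\nNoRun=1\nNoFileMenu=1\nNoClose=1\nNoSaveSettings=1\nEditLevel=4\n"
WEAKENED = _BASE + "[restrictions]\nNoRun=0\nNoFileMenu=1\nNoClose=1\nNoSaveSettings=1\nEditLevel=2\n"
STRIPPED = _BASE
SYSTEM_OK = "[boot]\nshell=progman.exe\n"
SYSTEM_SWAPPED = "[boot]\nshell=winfile.exe\n"

if __name__ == "__main__":
    print("locked:  ", audit(LOCKED, SYSTEM_OK))
    print("weakened:", audit(WEAKENED, SYSTEM_OK))
    print("stripped:", audit(STRIPPED, SYSTEM_SWAPPED))
```

Run against a saved known-good copy of the two files, the same comparison shows when a public PC has drifted from the settings saved by the program.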