none
Windows 7 Restricted User - Remove Right click on taskbar icons; Remove show desktop icon

    Question

  • Hi, I have a kiosk PC that is looking pretty good however I have two outstanding issues. 

     

    The users can still right click on applications on the taskbar and receive a context menu even though I've disabled the context menu in the group policy editor.

    User Configuration/Administrative Templates/Start Menu and Taskbar/Remove access to the context menus for the taskbar - Enabled

     

    And I can't figure out how to remove the "show desktop" icon in the systems notification tray.

     

    Thanks in advance for any help

    Megan Armstrong.

     

    Tuesday, May 03, 2011 2:10 AM

Answers

  • Hello Megan,

    Hope you're doing fine.

    Disabling context menu from application on the taskbar
    Please note the task bar context menu for any application for windows 7 is sub-divided into two sections :
       a. Jumplist(to access recently opened files) 
       b. Creating a new instance of the application, Pin/Unpin, Close window

    We can only disable the Jump List of the Taskbar context menu but not the "new instance creation, Pin/Unpin, close window"

    Please follow the steps below to disable jump list:
    1. Right-click on the Taskbar and then select Properties.
    2. Click on the Start Menu tab and uncheck "Store and display recently opened items in the Start menu and the taskbar".
    3. Click OK.


    Disabling Show Desktop from the system tray
    Regarding the requirement of disabling the "Show Desktop" button alltogether from the System tray, this is by design.
    There are no ways to remove it. All we can do is to disable aero peek at Taskbar properties by right clicking and uncheck the option "Use Aero Peek to preview the desktop".
    There's a third party software which addresses this sopecific purpose but I'm not pretty sure if this works perfectly for Windows 7 SP1 as well. Please refer to the link below.

    Ref : http://kishan-bagaria.deviantart.com/art/7-Show-Desktop-Button-Remover-163376704

     

    Thanks,
    Nabarun


    Regards,
    Nabarun Chakraborty | Support Engineer | Microsoft India GTSC
    • Edited by Nabarun Wednesday, May 04, 2011 12:28 PM
    • Marked as answer by MeganA Tuesday, May 10, 2011 4:18 AM
    Tuesday, May 03, 2011 10:48 PM
  • Hello Megan,

    It is not possible to complete remove the task bar it can only be hidden, but users could still be able to unhide it.
    For Kiosk systems it is always suggested to prevent explorer.exe from loading and we should start only the application and thus as explrer.exe would not load there would be no taskbar.
    Replacing explorer.exe with your custom application so that Windows will boot directly into the application and will not launch explorer at all.

    From GPO
    User Config > Administrative templates > System > Custom user interface > .. Please type the executable name of the Kiosk app here .. (full path)

    I was searching further and came across the below link which outlines the most needed lock down settings for kiosk systems. Almost all the settings could be achieved using GPO s.

    Regards,
    Nabarun Chakraborty | Support Engineer | Microsoft India GTSC
    • Marked as answer by MeganA Tuesday, May 10, 2011 4:18 AM
    Wednesday, May 04, 2011 3:37 AM

  • Hello Megan,

    Hope you're doing fine.

    As you said the application would be started only when the user comes at the Kiosk, could we have another application which would start the main Kiosk application.
    So the startup shell for the OS would be another application say app1, which will display a link/button to start the actual application, say app2.
    In this manner the Kiosk application would not run all the time and it will run/use the license only when the user clicks the button on App1 to start App2.

    We could also achieve the same using IEXPLORE.EXE as the shell for OS and display the link to start actual Kiosk application in the remote desktop profile of the user account.
    It becomes really easier if we are hosting the Kiosk application as a remote app on a remote desktop server (Terminal server that is).
    Users will get IE as their startup shell which would take them to the remote app home page listing all runable applications, say app1, app2, app3, app4 etc.
    The user can select whatever application he has to run and then when he leaves or doesnt use the computer for some time it will again show up the remote app home page.

    To ensure the application runs only one instance it has to be programmatically done inside the code of the application, OS can't control if multiple instances of the applcation would be allowed or not.


    Thanks,
    Nabarun

     


    Regards,
    Nabarun Chakraborty | Support Engineer | Microsoft India GTSC
    • Marked as answer by MeganA Tuesday, May 10, 2011 4:19 AM
    Wednesday, May 04, 2011 12:27 PM

All replies

  • Hello Megan,

    You seem to have 2 requirements :

    1. How to disable context menu on the applications as shown on the task bar
    2. How to disable the "Show Desktop" icon in the system notification tray

    >> To address the first issue, could you please let me know if the user could also get the taskbar context menu when he's not clicking on any application?
    I mean if the user clicks on empty space of the taskbar but not clicking on any open application, could he still see the taskbar properties?


    >> To address the second issue, the below registry modification should help :
    Start > Run > regedit
    Traverse to the location :[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    Right-click DisablePreviewDesktop to select Modify.
    Enter a value of 1 to disable Preview Desktop functionality.

  • Nabarun
  • Edited by Nabarun Wednesday, May 04, 2011 12:28 PM
Tuesday, May 03, 2011 7:41 PM
  • Hi Nabarun,

     

    Thanks for replying to my query

     

    >>1. How to disable context menu on the applications as shown on the task bar

    >>To address the first issue, could you please let me know if the user could also get the taskbar context menu when he's not clicking on any application? I mean if the user clicks on empty space of the taskbar but not clicking on any open application, could he still see the taskbar properties?

    No if they rt click in the empty space of the taskbar they have no menu or properties, similarly they can't right click on anything else either. Its only when they right click on an open application's icon on the taskbar. Then they get a short menu. And one of the menu items is to pin the application to the taskbar which we really can't have.

     

    >>2. How to disable the "Show Desktop" icon in the system notification tray

    >> To address the second issue, the below registry modification should help : Start > Run > regedit Traverse to the location :[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] Right-click DisablePreviewDesktop to select Modify. Enter a value of 1 to disable Preview Desktop functionality.

    No we aren't using Desktop Preview (Aero Peak) so that registry entry does not exist. It is only the standard show desktop icon that appears in the system notification tray next to the time and date.

     

    Thanks again for trying.

    Tuesday, May 03, 2011 9:17 PM
  • Hello Megan,

    Hope you're doing fine.

    Disabling context menu from application on the taskbar
    Please note the task bar context menu for any application for windows 7 is sub-divided into two sections :
       a. Jumplist(to access recently opened files) 
       b. Creating a new instance of the application, Pin/Unpin, Close window

    We can only disable the Jump List of the Taskbar context menu but not the "new instance creation, Pin/Unpin, close window"

    Please follow the steps below to disable jump list:
    1. Right-click on the Taskbar and then select Properties.
    2. Click on the Start Menu tab and uncheck "Store and display recently opened items in the Start menu and the taskbar".
    3. Click OK.


    Disabling Show Desktop from the system tray
    Regarding the requirement of disabling the "Show Desktop" button alltogether from the System tray, this is by design.
    There are no ways to remove it. All we can do is to disable aero peek at Taskbar properties by right clicking and uncheck the option "Use Aero Peek to preview the desktop".
    There's a third party software which addresses this sopecific purpose but I'm not pretty sure if this works perfectly for Windows 7 SP1 as well. Please refer to the link below.

    Ref : http://kishan-bagaria.deviantart.com/art/7-Show-Desktop-Button-Remover-163376704

     

    Thanks,
    Nabarun


    Regards,
    Nabarun Chakraborty | Support Engineer | Microsoft India GTSC
    • Edited by Nabarun Wednesday, May 04, 2011 12:28 PM
    • Marked as answer by MeganA Tuesday, May 10, 2011 4:18 AM
    Tuesday, May 03, 2011 10:48 PM
  • Thanks again Nabarun,

     

    1. ok if we can't disable the right click that causes a couple of new issues ...

    a/I can't allow pin to taskbar.  Its a kiosk PC used by people that are often not computer savvy.  If they pin it to the task bar it will allow them to start a second instance of the application.  This will cause licensing issues as the product has a pool of licences so theoretically they could grab the entire pool.  The PCs are touchscreens that are in remote locations.  So if we can't stop them pinning to the taskbar can I completely hide the taskbar? I haven't investigated this yet.
    b/From this I have a second problem.  I can't figure out how to completely remove the start menu so instead I've removed all items in the start menu.  If a user clicks on Start they get a blank list except for the user photo up the top right of the list.  I don't know how to get rid of this.  If they click on this icon they get an error saying the admin has disabled it.  However if they are clever enough (and some of them will be), while that error is displayed, they can right click on the program icon that appears in the task bar and launch windows explorer.  They can get to network drives from there and while I think I have it all locked down, that doesn't mean someone else might leave something open at a later stage. 

    2. Thanks for explaining the show desktop.  If they click on the button nothing happens anyway so it doesn't matter, I was just trying to be tidy.

     

    Kind regards

     

    Megan

     


    Wednesday, May 04, 2011 12:46 AM
  • Hello Megan,

    It is not possible to complete remove the task bar it can only be hidden, but users could still be able to unhide it.
    For Kiosk systems it is always suggested to prevent explorer.exe from loading and we should start only the application and thus as explrer.exe would not load there would be no taskbar.
    Replacing explorer.exe with your custom application so that Windows will boot directly into the application and will not launch explorer at all.

    From GPO
    User Config > Administrative templates > System > Custom user interface > .. Please type the executable name of the Kiosk app here .. (full path)

    I was searching further and came across the below link which outlines the most needed lock down settings for kiosk systems. Almost all the settings could be achieved using GPO s.

    Regards,
    Nabarun Chakraborty | Support Engineer | Microsoft India GTSC
    • Marked as answer by MeganA Tuesday, May 10, 2011 4:18 AM
    Wednesday, May 04, 2011 3:37 AM
  • Thanks Nabarun,

    We actually don't want the application to run unless the user is there ... i.e. he comes along and starts it, then when he leaves if he leaves it open he gets kicked out of the app after a period of inactivity so that he isn't wasting a licence.  Some of these PCs might only be used once a month - but then used intensely for a day or two.  If we use the app as the user interface, it would immediately use a licence.  The other issues is that there are two applications that need to run.

    Is there a way of ensuring only one instance of a program can be running?  That would overcome the licensing issue.  And then if they pin it, I can de-pin it through a group policy registry hack each time they log off to avoid confusion for the less computer savvy users.....

    Kind regards

     

    Megan

     

    Wednesday, May 04, 2011 3:58 AM

  • Hello Megan,

    Hope you're doing fine.

    As you said the application would be started only when the user comes at the Kiosk, could we have another application which would start the main Kiosk application.
    So the startup shell for the OS would be another application say app1, which will display a link/button to start the actual application, say app2.
    In this manner the Kiosk application would not run all the time and it will run/use the license only when the user clicks the button on App1 to start App2.

    We could also achieve the same using IEXPLORE.EXE as the shell for OS and display the link to start actual Kiosk application in the remote desktop profile of the user account.
    It becomes really easier if we are hosting the Kiosk application as a remote app on a remote desktop server (Terminal server that is).
    Users will get IE as their startup shell which would take them to the remote app home page listing all runable applications, say app1, app2, app3, app4 etc.
    The user can select whatever application he has to run and then when he leaves or doesnt use the computer for some time it will again show up the remote app home page.

    To ensure the application runs only one instance it has to be programmatically done inside the code of the application, OS can't control if multiple instances of the applcation would be allowed or not.


    Thanks,
    Nabarun

     


    Regards,
    Nabarun Chakraborty | Support Engineer | Microsoft India GTSC
    • Marked as answer by MeganA Tuesday, May 10, 2011 4:19 AM
    Wednesday, May 04, 2011 12:27 PM
  • Hello Megan,

    Hope you're doing fine.
    I was wondering if you have any further update on this issue.

    In case the issue is resolved please let us know.

    Thanks,
    Nabarun


    Regards,
    ____________________________________________________________
    Nabarun Chakraborty | Support Engineer | Microsoft India GTSC
    Sunday, May 08, 2011 10:38 PM
  • Hi Nabarun,

    Two really great suggestions thanks!!!  I only work 2 days a week (as I have a young family) so that's why I haven't got back to you sooner.  I'll play with the internet explorer option as that would be very easy for someone else to maintain if I ever left.  At this time terminal services is not an option for us but that is also a good suggestion and something that we have on our wish list already.

     

    I'll play today and let you know how I go.

     

    Thanks again.

    Megan

    Monday, May 09, 2011 11:27 PM
  • Hi again Nabarun,

     

    Turns out they have a few small apps written in vb 6.0 so I just knocked together a small app to launch the appropriate applications and log the user off when he's been idle. Beautiful.  Thanks for all your help.  Issue solved.

     

    Megan

    Tuesday, May 10, 2011 4:18 AM