How to Lock Down Windows User Accounts
Use Standard Accounts and UAC
The simplest way to restrict an account’s permissions is to make it a standard account. These limited accounts can run software and change settings that don’t affect other users, but they don’t have total control.
For instance, a standard account can’t install software, modify internet connection settings, or change the system time.
To change an account’s permissions, visit Settings > Accounts.
On the Family & other users tab, click an account name under Other users, then hit the Change account type button. This lets you choose between Administrator and Standard User.
Utilize Group Policy Tweaks
Group Policy is a tool in Pro editions of Windows that lets you control all sorts of account aspects. To access the Group Policy editor, press Win + R to open the Run dialog and type in gpedit.msc. Then you’ll need to navigate to the item you want to change; double-click to change its status from Not Configured to Enabled or Disabled. Check out some of these tweaks to lock down Windows: The required tool isn’t officially available in Home
Computer Configuration > Administrative Templates > Windows Components > Windows Installer and enable Turn off Windows Installer to prevent anyone from installing software.
User Configuration > Administrative Templates > Control Panel, then use Hide specified Control Panel items to remove some entries, Show only specified Control Panel items to create a restricted list, or Prohibit access to Control Panel and PC settings to remove them entirely.
User Configuration > Administrative Templates > System contains Prevent access to the command prompt and Prevent access to registry editing tools so savvy users can’t use them as workarounds. Also, Don’t run / Run only specified Windows applications lets you control what software the user can run.
User Configuration > Administrative Templates > System > Ctrl + Alt + Del Options lets you remove the user’s ability to change their password, open the Task Manager, log off, or lock the PC.
User Configuration > Administrative Templates > Windows Components > File Explorer can Prevent access to drives from My Computer if you don’t want an account poking around in the file system.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy holds several options that let you restrict passwords. Set Maximum password age to force users to change their passwords, and Minimum password length so people can’t use short passwords. Password must meet complexity requirements forces passwords to contain at least six characters and contain a mix of letters, numbers, and symbols.
The Group Policy Editor supports many more tweaks, but the ones listed above let you lock down major Windows features.
Try Lockdown Software Tools
If none of the above did the job for you, you might need to turn to software that locks down your Windows PC further.
FrontFace Lockdown
This app is meant to lock down a PC that’s acting as a kiosk. Since it collects common lockdown options all in one place, you can still use it to secure your own PC.
The Welcome tab on the left lets you pick from two preset profiles: Digital Signage Player PC and Interactive Kiosk Terminal. They contain settings so you can leave a computer out on a table for the public and not worry about people messing with it.
If you’d rather customize these settings on your own, check the Startup & Shutdown, Continuous Operation, and Protection & Security tabs on the left.
You can set a program to automatically start when an account logs on, shut down the PC at a given time, disable access to the Task Manager, and even hide System Tray icons. Some of these changes will affect the entire machine, while others apply to only one user account.
FrontFace provides a great way to beef up a restricted profile, especially if you don’t want to track down all the settings individually.
Install-Block
This tool lets you require a password to run apps that you specify. You can also choose keywords (like “install” and “setup”), then the app will auto-detect any windows that use those words and block them. It also lets you easily block certain Windows features, just like the Group Policy editor.
The app offers a free trial with a generic password, preventing it from offering any actual security. The full version is $19.95 if you decide it’s worth buying.