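First, enter "gpedit.msc" under Start -> Run to open the Group Policy editor, as shown in Figure 1:
We will use the "Prevent access to drives from My Computer" setting to block USB drives. After double-clicking it and choosing Enabled, you find that the drop-down list does not offer every drive letter as we might have expected, as shown in Figure 2:
After some digging, I found the template file that controls Group Policy: %SystemRoot%\System32\GroupPolicy\Adm\system.adm (the GroupPolicy folder is hidden). Opened in Notepad, it looks like Figure 3:
The file contains a lot of code, but a search quickly finds what we need:
1. Search for: NAME !!
2. Search for: 仅限 ("Only")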
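The statements of the form "NAME !!×Only VALUE NUMERIC ×" look like definitions and match what we saw in Figure 2. There is also the comment "low 26 bits on (1 bit per drive)", meaning the value has 26 bits and each drive takes one of them. Each drive letter takes the next power of two: 1, 2, 4, 8, 16, 32, and so on. Testing confirmed this. So, leaving out the hard disk partitions, we write down all the remaining letters and add up their values.
That is:
NAME !!EFGHIONLY VALUE NUMERIC 496
(Note: I only included 5 drive letters here. Why? That is explained later.)
Add the line above in both places, under "!!NoDrives_Help" and "!!NoViewOnDrive". A line must also be added at the position shown in Figure 4:
EFGHIONLY="限制驱动器E、F、G、H、I" (the display string, which reads "Restrict drives E, F, G, H, I").
Otherwise gpedit reports an error the next time you open it. When all of this is done, save the file, open Group Policy and check the result: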
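As shown in Figure 5:
There it is: the drive letters we defined now appear in the drop-down list.
Select that entry and click OK. Trying a USB flash drive then produces the warning shown in Figure 6:
You may ask what this change did to the registry. Run "regedit": under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer], the "NoViewOnDrive" value has been set to hexadecimal "1f0". What is that in decimal? Heh, don't tell me you can't work it out!
(Note: this also gives us a way to block USB flash drives through the registry.)
The flash drive is now blocked, but if someone uses Disk Management in Computer Management to change the flash drive's letter to one of the later letters of the alphabet, the flash drive comes back to life. That is why I said earlier that the values for more drive letters need to be included.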
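The mask arithmetic and the drive-letter gap described above, as an added example that is not part of the original post. It encodes letters into the 26-bit value, generates the ITEMLIST and [strings] lines for a custom entry, and lists the letters a given mask leaves uncovered. The function names and the fixed disks "CD" in the test values are assumptions.

```python
import string

ALL_DRIVES = (1 << 26) - 1  # 67108863, the ALLDrives value in the template


def drives_to_mask(letters):
    """Encode drive letters as the policy value: bit 0 = A ... bit 25 = Z."""
    mask = 0
    for ch in letters.upper():
        if ch not in string.ascii_uppercase:
            raise ValueError(f"not a drive letter: {ch!r}")
        mask |= 1 << (ord(ch) - ord("A"))
    return mask


def mask_to_drives(mask):
    """Decode a NoDrives / NoViewOnDrive value back into drive letters."""
    if not 0 <= mask <= ALL_DRIVES:
        raise ValueError("mask must fit in the low 26 bits")
    return "".join(c for i, c in enumerate(string.ascii_uppercase)
                   if (mask >> i) & 1)


def adm_entries(letters):
    """Return the ITEMLIST line and the matching [strings] line."""
    letters = mask_to_drives(drives_to_mask(letters))  # de-duplicate and sort
    name = f"{letters}ONLY"                            # naming follows the post
    item = f"NAME !!{name} VALUE NUMERIC {drives_to_mask(letters)}"
    text = f'{name}="Restrict {", ".join(letters)}"'
    return item, text


def uncovered(mask, fixed_disks):
    """Letters that are neither restricted nor used by fixed disks.

    A removable drive re-lettered to one of these is not restricted.
    """
    return mask_to_drives(ALL_DRIVES & ~mask & ~drives_to_mask(fixed_disks))


def block_all_except(fixed_disks):
    """Mask that restricts every letter except the fixed disks."""
    return ALL_DRIVES & ~drives_to_mask(fixed_disks)
```

With fixed disks on C and D, the value 496 leaves A, B and J through Z uncovered, while `block_all_except("CD")` leaves none.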
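At this point the lockdown is more or less done. If you are still not comfortable, what if a user opens Group Policy and changes the setting? In that case, open the registry at [HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}] and change the "Restrict_Run" value to "1". When a user then tries to run Group Policy, the message shown in Figure 7 appears:
Now, without going through the registry, even administrator has no hope of opening it.
------------------------------------------------------------------------------------------------
Below is the actual code for disabling and hiding USB flash drives and optical drives. Paste it into WordPad, save it as an .adm file, add it in Group Policy, and it is ready to use.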
CLASS USER
CATEGORY !!RestrictHiddenDrivers
CATEGORY !!WindowsExplorer
#if version >= 4
EXPLAIN !!WindowsExplorer_Help
#endif
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY !!NoDrives
#if version >= 4
SUPPORTED !!SUPPORTED_Win2k
#endif
EXPLAIN !!NoDrives_Help
PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
VALUENAME "NoDrives"
ITEMLIST
NAME !!ABOnly VALUE NUMERIC 3
NAME !!COnly VALUE NUMERIC 4
NAME !!DOnly VALUE NUMERIC 8
NAME !!ABConly VALUE NUMERIC 7
NAME !!ABCDOnly VALUE NUMERIC 15
NAME !!DEFGHIONLY VALUE NUMERIC 504
NAME !!ALLDrives VALUE NUMERIC 67108863 DEFAULT
; low 26 bits on (1 bit per drive)
NAME !!RestNoDrives VALUE NUMERIC 0
END ITEMLIST
END PART
END POLICY
POLICY !!NoViewOnDrive
#if version >= 4
SUPPORTED !!SUPPORTED_Win2k
#endif
EXPLAIN !!NoViewOnDrive_Help
PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
VALUENAME "NoViewOnDrive"
ITEMLIST
NAME !!ABOnly VALUE NUMERIC 3
NAME !!COnly VALUE NUMERIC 4
NAME !!DOnly VALUE NUMERIC 8
NAME !!ABConly VALUE NUMERIC 7
NAME !!ABCDOnly VALUE NUMERIC 15
NAME !!DEFGHIONLY VALUE NUMERIC 504
NAME !!ALLDrives VALUE NUMERIC 67108863 DEFAULT
; low 26 bits on (1 bit per drive)
NAME !!RestNoDrives VALUE NUMERIC 0
END ITEMLIST
END PART
END POLICY
END CATEGORY ;; Windows Explorer
END CATEGORY ;; Test For Drivers
[strings]
RestrictHiddenDrivers="Restrict or Hidden Drivers"
WindowsExplorer="Windows Explorer"
WindowsExplorer_Help="Manages configuration of Windows Update."
NoDrives="Hide these specified drives in My Computer"
SUPPORTED_Win2k="At least Microsoft Windows 2000"
NoDrives_Help="Removes the icons representing selected hard drives from My Computer and Windows Explorer. Also, the drive letters representing the selected drives do not appear in the standard Open dialog box.\n\nTo use this setting, select a drive or combination of drives in the drop-down list. To display all drives, disable this setting or select the "Do not restrict drives" option in the drop-down list.\n\nNote: This setting removes the drive icons. Users can still gain access to drive contents by using other methods, such as by typing the path to a directory on the drive in the Map Network Drive dialog box, in the Run dialog box, or in a command window.\n\nAlso, this setting does not prevent users from using programs to access these drives or their contents. And, it does not prevent users from using the Disk Management snap-in to view and change drive characteristics.\n\nAlso, see the "Prevent access to drives from My Computer" setting.\n\nNote: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting."
ABOnly="Restrict A and B drives only"
COnly="Restrict C drive only"
DOnly="Restrict D drive only"
ABConly="Restrict A, B and C drives only"
ABCDOnly="Restrict A, B, C and D drives only"
DEFGHIONLY="Restrict D, E, F, G, H, I"
ALLDrives="Restrict all drives"
RestNoDrives="Do not restrict drives"
NoViewOnDrive="Prevent access to drives from My Computer"
NoViewOnDrive_Help="Prevents users from using My Computer to gain access to the content of selected drives.\n\nIf you enable this setting, users can browse the directory structure of the selected drives in My Computer or Windows Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives.\n\nTo use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list.\n\nNote: The icons representing the specified drives still appear in My Computer, but if users double-click the icons, a message appears explaining that a setting prevents the action.\n\n Also, this setting does not prevent users from using programs to access local and network drives. And, it does not prevent them from using the Disk Management snap-in to view and change drive characteristics.\n\nAlso, see the "Hide these specified drives in My Computer" setting."
NoDrivesDropdown="Pick one of the following combinations"