As you well know, almost anything about a Windows computer can be manipulated through a combination of the Control Panel and, in the newer operating systems, the Settings menu. Allowing users to have access to these utilities is a security risk, because they typically have no valid reason for accessing and changing these kinds of settings. Let's find out whether there is a quick way to completely disable access to both the Control Panel and Settings for your domain-joined PCs:
User Configuration | Policies | Administrative Templates | Control Panel | Prohibit access to Control Panel and PC settings
Look at that! There is a single user configuration setting that looks like it is going to take care of disabling access to both of those management interfaces on the client computers. After setting Prohibit access to Control Panel and PC settings to Enabled, I log into my laptop and am able to verify those denials. When I try to open the Settings window, it simply refuses to open. Nothing at all happens. When I try to force my way inside Control Panel, I receive the following error:
But I'm an IT guy, right? Don't you think I could find some way of circumnavigating this setting, even though my account only has regular user permissions? Nope, not that I could figure out how to do! Even if I try to open some individual setting that typically launches just a part or piece of the Control Panel or Settings, I am still denied. For example, trying to open directly into Network & Internet Settings no longer does anything, just like when I try to open Settings. And if I try to do something such as right-click on the desktop and go into my Personalization settings, I get a big error message:
This may not be the friendliest of error messages. If I were a regular user, I would have no idea why I couldn't get into these settings. I would probably think that something was broken on my computer. But it does block me nonetheless, so I'm going to call it a GPO win!
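
To confirm the block without clicking through each dialog, the check can be scripted. The following is an added example, not code from the original text: it assumes the registry value that this Administrative Template setting writes (`NoControlPanel` under the user's `Policies\Explorer` key, which the page does not state), and the GPO name passed in is a hypothetical one you choose.

```powershell
# Added example. The key and value below are what the "Prohibit access to
# Control Panel and PC settings" template writes; the page itself does not list them.
$PolicyKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoControlPanel'

# Run on a management workstation that has the GroupPolicy (RSAT) module.
# Creates the GPO if it is missing and enables the setting in User Configuration.
function Set-ControlPanelBlock {
    param([Parameter(Mandatory)][string]$GpoName)   # hypothetical GPO name
    Import-Module GroupPolicy -ErrorAction Stop
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName | Out-Null
    }
    Set-GPRegistryValue -Name $GpoName -Key "HKCU\$PolicyKey" `
        -ValueName $ValueName -Type DWord -Value 1 | Out-Null
}

# Run on the client, inside the session of the user the GPO targets.
# Reports whether the policy value is present and, optionally, whether the
# named GPO appears in that user's Resultant Set of Policy.
function Test-ControlPanelBlock {
    param([string]$GpoName)
    $item = Get-ItemProperty -Path "HKCU:\$PolicyKey" -Name $ValueName `
                -ErrorAction SilentlyContinue
    $applied = $null
    if ($GpoName) {
        # gpresult lists the GPOs applied to the current user
        $applied = [bool](gpresult /scope user /r |
                          Select-String -SimpleMatch $GpoName)
    }
    [pscustomobject]@{
        User        = "$env:USERDOMAIN\$env:USERNAME"
        PolicyValue = if ($item) { $item.$ValueName } else { $null }
        Blocked     = [bool]($item -and $item.$ValueName -eq 1)
        GpoInResult = $applied
    }
}
```

The GPO still has to be linked to the OU that holds the user accounts, and the client needs a policy refresh (`gpupdate /target:user`) before `Test-ControlPanelBlock` will report `Blocked` as true.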