The reason that happens is that you are not in a Domain environment. That is, your users do not log in under the system Windows server environments use, called Active Directory--as you are but one machine, the changes apply globally, as you likely noticed (there's only one policy, not like under AD where several OUs, or Organizational Units, exist).
To get such a high degree of control, you would need to be using Windows 2000 Server or Advanced Server, or Windows Server 2003 with the Active Directory service online. From there, you can control settings at a per-user level.
As far as the desktop settings, most of those are profile based, if I recall.
Further, if you want to make it so that your brother can't use regedit... we will assume his account name is Jim:
- Open up Explorer, and navigate to \WINDOWS.
- You will see two files here--regedit.exe and regedt32.exe. The following applies to both.
- Right-click, hit Properties.
- Go to the Security tab, and you should see some users/groups shown. Remove the Users setting and Jim if it is set.
- Now, set Users with Full Deny.
Naming of those things might not be exact, but you should be able to find your way around. If you do not have that much information under the Security tab, or lack that tab at all, you may be out of luck as far as this method goes.
Finally, were you asking how to RECOVER from this, or not? Can't tell.
Jam it back in, in the dark.