In this question I figured out how to disable the Lock feature in Windows XP throught the registry. Just by creating a DWORD key named DisableLockWorkstation with value 1 in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
But in this solution, the current user can also re-enable this feature in the same way (by setting the value of DisableLockWorkstation to 0 or even deleting it).
I know there is ACLs for registry and it is possible to restrict the user access and deny write access to this path. But I am searching for a simpler solution.
Is there any other solution to disable lock feature (for example by setting a value in HKLM instead of HKCU hive)?
If the user has "Administrator" rights then there's nothing you can do to prevent them from making any changes they want to the computer.
Assuming you're doing the Right Thing(tm) and your user accounts are all limited users, setting this value (hopefully using the Group Policy setting "Remove Lock Computer" from User Configuration / Administrative Templates / System / Ctrl-Alt-Del Options) will do fine.
By default, inheritance is blocked and an ACL placed in the user's registry at "HKCR\Software\Microsoft\Windows\CurrentVersion\Policies" to grant the user "Read" access only to that subtree. Microsoft already though of what you're thinking about and prepared for me... >smile<