*Edit 9-3-08*

Ok, the guide is up...

It's wiki style, so if you see anything that is a mistake, or a typo - just fix it, or let me know and I can update it.  I tried to make it so anyone (experienced or not) could follow along and do this.

Just a few quick things... this assumes:

• you have Vista Ultimate, it can't be done on Premium (if there is a way to do it please let me know & update the guide, but as far as I know you can't do it using this method). 
• Vista is already installed

It might seem kind of long, I was just trying to be thorough - and there are lots of screen shots.  Please follow the directions carefully (unless you know what you're doing). 

This is a new wiki style site - please feel free to add your own guides for anything Media Center related to this site.

http://www.mediacenterguides.com/shell_replacement

Link was updated to reflect new Media Center Guides site.

*end edit*

I have put together a group policy with the goal of making a Media Center machine as appliance like as possible.  I'm pretty sure group policies can only be used with Vista Ultimate.  I did this for a computer that is used by a lot of different people so I was trying to lock it down as much as possible while keeping Media Center fully functional.

How it works on my setup: I have a normal admin account on the computer, and made another account (as a standard user) called "Media Center".  I then used "control userpasswords2" to set the computer to automattically log in to the "Media Center" account. 

Summary of settings used:

• Replaces the standard shell ("explorer.exe") with "ehshell.exe"
• Disables all windows shortcuts (Windows Key + Btn)
• Disables access to control panel
• Disables taskbar notifications
• Disables autorun installations
• Disables screensaver during playback
• Disables active desktop
• Disables desktop icons
• Disables task manager
• Doesn't save settings on reboot
• Sets screen saver to 2 hours (you can change this if needed)
• Disables changing wallpaper
• Limits Recycle Bin to 2% of HD
• Other various security/stability enhancements (I don't remember them all)

I have been using this setup on one of my computers for about a week now and have been pretty happy with it so far.  It was my first time really diving into group policies, so it's probably not perfect yet.  I welcome any suggestions.

*back up anything important first - just in case*

*Edit 5-2-07* Well, like I said, this was my first time diving into the group policy - apparently you can't transfer a .msc file from one computer to another properly (at least for group policies).  Sorry.  I am not sure how to properly do templates for this, so I have been working on a step by step guide of how to implement this.  It will be posted soon.

Sweet solution!!!  I wish I was running Ultimate and not Premier.  This is exactly what would complete my rig.

 

That's a good idea.  I would do that if it wasn't just me and my girlfriend in the house.  For now, I like being able to close the VMC window and immediately access anything I may need.

Very good idea.  Mix this with concurrent sessions hack for regular PC admin tasks and this can be very useful for many.

Did you replace explorer.exe for the specific admin account, or system wide?

Chris - Moderator:

Did you replace explorer.exe for the specific admin account, or system wide?

Just for the specific user account (it's a standard account, not an admin).  So you are able to log off and then log on as the "Config" account (that's what I named the admin account) and do normal updates/installs - but I have this password protected.

Anyone know of a way to port this to Premier, even though there are no local security policies on this version of the OS?

 

ghostlobster:

Anyone know of a way to port this to Premier, even though there are no local security policies on this version of the OS?

 

Wondering too if this can go over to Vista home premium, as I didn't go for ultimate for my HTPC box, as I only wanted Media Center...

ghostlobster:

Anyone know of a way to port this to Premier, even though there are no local security policies on this version of the OS?

 

Most GPO policies just make updates to the registry.  You could probably do this by editing the HKCU hive for the user you want to have the limited access.  Though the easiest way would be to anytime upgrade to Ultimate.

Is there any way you could write up a quick tutorial on how to set this up?  I'm new to Group Policy creation and have no idea where to insert the .msc file, etc.  I've managed to convert the .xml file but now I'm wondering what to do with it.:)

You know, this sounds awesome, though I'd prefer a few things before I actually did used this.

The necessary thing in my opinion would be an add-in for MC that would let you browse the Vista Games Explorer without leaving the interface, so that you could launch any game, play it, and then return back to the MC menu.

The other not as important thing would be an internet browser plugin for Vista/ MCML for when people want to look things up quickly:  I'd prefer not to have to log out  or turn on my Wii for 480p browsing when the PC can do it at 1080p.

Colonel Taylor:

Is there any way you could write up a quick tutorial on how to set this up?  I'm new to Group Policy creation and have no idea where to insert the .msc file, etc.  I've managed to convert the .xml file but now I'm wondering what to do with it.:)

I'll write up some instructions in the next couple of days... I am redoing one of my computers, so I'll try and do it step-by-step, but it will be a few days to a week before I finish it.

*Edit*

jhoff81, well I'm not sure about the games, but for the browser you could try MCEBrowser.  Check it out here: http://www.anpark.com/Software.aspx

Thanks Ryan, I look forward to the write up.  I tried to right click the .mcl file and run it it author mode but the console told me I didn't have permission to run or sufficient rights, etc. 

When I couldn't get it to run I tried to modify the registry to replace the standard shell with ehshell.exe.  I was successful, but too successful...it modified both accounts with the "Current User" registry edit and I wasn't able to boot into my config account.  So I was up all night performing a clean install to get back to where I am now.  I think I'll wait for your instructions before I make anymore changes like this.:)

On the bright side though the machine booted to ehshell.exe without issue.  Also, when you boot to ehshell.exe and run the PowerDVD.mcl program or the HD-DVD workaround .xml file, the media center shell drops you to a black screen and runs PowerDVD without issue.  So those workarounds, your modifications, changing the PowerDVD skin to one with a black background, and choosing the black background option in Media Center make it appear that PowerDVD is really running within VMC rather than dumping you to the explorer.exe desktop.   

I can't wait to get this implemented.:)

I was researching how to change the shell for a particular user since I messed up the last time I tried and came across this article on how to do it with XP embedded.  It works for Vista as well...so at least I now have two users with different shells.  Using the control password2 command gets it booting directly into 'ehshell.exe" for the media center account and 'explorer.exe' for the config account. 

http://msdn2.microsoft.com/en-us/library/ms838576.aspx

im sure its probubly just because im dumb, but that page made absolutely no sence to me! And im too scared of it to do any of the changes.

If there is an easier (less chance of major messup) way to doing it please let us know :-)!

Could this method be used in conjunction with the concurrent remote desktop session hack?  e.g. to enable multiple remote users to log in and experience the Media Center shell directly?  If they did do this, and a second user tried to use the Live TV functionality, what would happen?

cheers,
Ben