On Windows 10 LTSC. Here is some background.
I have a system that consists of several applications, which are launched with a batch file when the system starts up. The Windows installation the system runs on should be hardened: the user can only access the software system and no other Windows tools, such as the desktop, Explorer, Task Manager, gpedit, regedit, etc.
To achieve this, I was thinking of creating a user "test" and launching a script for it instead of explorer.exe, and user test should not be able to launch the desktop. The only script it can launch is the one designated to it.
And for Administrator, everything should be normal, that is, Explorer is still the shell that is launched and the desktop works fine.
I tried this by adding the key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell for user test. The application or script can be launched after user test logs on, but user test can still launch the desktop after running the explorer.exe command.
Then I modified the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell. Now the desktop is disabled; however, every user, including Administrator, is affected by this setting.
Is there any way to set a different shell for different users and disable the desktop for a specific user?