On our workstations this key is not accessible for our restricted users. This is to prevent they would create keys, so UsrClass.dat won't grow. However, the Registry ACL makes no notice of an USERS being denied for Read or being denied for All Access. Also, the file permissions on its UsrClass.dat are unmodified, all just like in a normal XP installation it seems. I'm thinking about a GPO, or is there another technique? Which one would prevent reading from the HKCU\Software\Classes directory? Does anyone know how I can reproduce this error to harden my other PCs?