>Yes, it makes sense to secure certain parts of the registry, but not all of it by any means! NT will allow selective access to the registry, letting the user read from some values and create in others. In most cases, I'd certainly allow applications to access registry keys in HKEY_LOCAL_MACHINE\Software and HKEY_CURRENT_USER\Software, and obviously the operating system needs to be able to access other parts even when non-privileged users are present.
>
>If the restriction is on user access to registry editors, I'm generally in favor of it. There are sections of the registry, certainly specific hives (registry hierarchy segments) that associate with the user, especially for roaming profiles, need to be maintainable, as do software-specific regisry sections, otherwise many apps (like Word) won't work at all.
>
>BTW, it's not the LAN security that's at issue, unless roaming profiles are in use, in which case the LAN Administrator has several powerful tools available such as POLEDIT to maintain system policies regarding access to applications, as well as security features of NT which can lock down sections of the registry from unpriveleged (underprivileged?) users.

Thanks for explanation, and yes, we do use roaming profiles. They're extremely handy when I have to configure 20 training PCs quickly :) But anyway, I guess my concern is that I have so little "control" over registries here that I shy away from trying to use them...and I kind of suspect that the central LAN people would probably prefer that I didn't...