How to Disable Control Panel Access in Windows

By CtrlOne Team ·

Control Panel and the Settings app are where users can undo the very protections IT puts in place - changing network settings, removing software, disabling security features, or breaking a carefully configured machine. On shared, kiosk, and locked-down devices, restricting that access is essential. Here is how to disable Control Panel access in Windows and do it cleanly.

Disabling Control Panel and Settings access in Windows - CtrlOne blog illustration

Why restrict Control Panel and Settings

On any machine that should stay in a known-good state - a kiosk, a classroom PC, a front-desk terminal - Control Panel is a liability. It lets users change configurations, uninstall required software, disable protections, or simply break things and generate support tickets. Restricting it keeps the machine doing its job.

The Group Policy method

On a domain, the built-in setting is 'Prohibit access to Control Panel and PC settings', found under User Configuration → Administrative Templates → Control Panel. Enabling it blocks both the classic Control Panel and the modern Settings app for users in scope, which is important because hiding only one leaves the other open.

The registry method

The equivalent registry value is NoControlPanel (set to 1) under the Explorer policies key, which works on machines that are not domain-joined. Editing it by hand is fine for one machine but hard to keep consistent across many, and a local admin can reverse it.

Hiding specific applets vs. a full block

Sometimes you do not want to block everything - just the risky bits. Windows supports hiding or showing only named Control Panel applets (via the DisallowCpl / RestrictCpl lists), so you can leave, say, display settings available while removing network or user-account applets. This granular approach keeps machines usable while still closing the dangerous doors.

  • Full block: disable Control Panel and Settings entirely.
  • Granular: hide only specific applets and leave the rest usable.

Enforcing it across every device

CtrlOne includes Control Panel and Settings restrictions among its named controls - as a full block or targeted applet hiding - applied across the whole fleet from one console and kept tamper-resistant so users cannot switch them back on. Because it does not depend on a domain, it covers remote and non-domain machines the same way.

Frequently asked questions

How do I disable Control Panel in Windows?

On a domain, enable 'Prohibit access to Control Panel and PC settings' under User Configuration → Administrative Templates → Control Panel. Without a domain, set the NoControlPanel registry value to 1 under the Explorer policies key. Both should cover the classic Control Panel and the Settings app.

Can I block Control Panel but still allow some settings?

Yes. Instead of a full block you can hide only specific applets using the DisallowCpl or RestrictCpl lists, leaving harmless applets available while removing the risky ones like network or user-account settings.

Does blocking Control Panel also block the Settings app?

The 'Prohibit access to Control Panel and PC settings' policy covers both. If you only block the classic Control Panel, users can still reach many options through the modern Settings app, so it is important to restrict both surfaces.

Keep machines in a known-good state

See how CtrlOne locks down Control Panel and Settings across every device from one console.