How to Restrict File Explorer Access in Windows

By CtrlOne Team ·

File Explorer is how users reach almost everything on a Windows machine - drives, system folders, network locations, and settings. On locked-down and shared devices, leaving it wide open invites tampering and data movement. Windows file restrictions let you narrow what Explorer exposes. Here is what you can restrict and how to keep it enforced.

Restricting File Explorer access with Windows file restrictions - CtrlOne blog illustration

Why restrict File Explorer

Explorer is not just for opening documents - it is a launch point for drives, system directories, network shares, and context-menu actions that can move or delete data. On kiosks, classroom PCs, and other controlled machines, restricting it keeps users in their lane and prevents them from wandering into places they should not.

What you can restrict

Windows file restrictions cover a surprising range of behavior, from hiding whole drives to disabling individual actions:

  • Hide specific drive letters from This PC (the NoDrives policy).
  • Prevent access to drives even if they are visible (NoViewOnDrive).
  • Remove or limit right-click context-menu actions.
  • Restrict access to system and network locations.

The Group Policy and registry options

Many of these controls live under User Configuration → Administrative Templates → Windows Components → File Explorer in Group Policy, and as registry values under the Explorer policies key for non-domain machines. Hiding a drive uses a bitmask value, which is powerful but fiddly to calculate and easy to get wrong by hand.

The limits of the built-in approach

As with other Windows restrictions, the native tools depend on a domain, can be reversed by a local admin, and offer no central proof of enforcement. Bitmask drive-hiding in particular is error-prone at scale, and settings drift on machines that are offline or off-network.

Enforcing file restrictions with CtrlOne

CtrlOne includes File Explorer restrictions among its managed controls - hiding drives, blocking access, and limiting risky actions - applied across the fleet from one console and kept tamper-resistant. You choose the behavior you want without hand-calculating bitmasks, and it holds on domain and non-domain machines alike.

Frequently asked questions

How do I hide drives in Windows File Explorer?

Use the NoDrives policy under File Explorer in Group Policy, or the equivalent registry value, which uses a bitmask to specify which drive letters to hide. To block access even when a drive is visible, combine it with NoViewOnDrive.

Can I stop users from accessing certain folders through File Explorer?

Yes. Beyond NTFS permissions, Windows file restrictions can hide drives, prevent access to visible drives, and limit context-menu actions. Enforcing these consistently across many machines is where a managed policy layer helps.

Why do File Explorer restrictions stop working on some machines?

Native restrictions depend on the domain, can be reversed by local admins, and are not applied to offline or non-domain devices. Tamper-resistant, centrally managed enforcement keeps the restrictions in place everywhere.

Narrow what File Explorer exposes

See how CtrlOne hides drives and locks down File Explorer across every device from one console.