xrfang wrote:1) As madSecurity in fact operate certain registry keys, this can also be acomplished by using the regedit. Is it possible that I disallow the usage of registry editor for some user? Further more, what will happen if a user use a 3rd party program (e.g., RegEditX by dcsoft) to edit the registry?
The whole registry security access right scheme makes sense only if you fully take away the access rights to the keys for the current user. As a result even if the user can start regedit.exe, he can't himself get the access rights back. Only a user that still has rights to change the security attributes can change the settings again.
However, if you take away *all* access rights, auto run will not work, anymore, because then even the explorer can't read the run key, anymore. So ideally you should leave read rights intact, while only removing write/change rights. A bit tricky, but it should be possible.
xrfang wrote:2) Is it convenient that you point me a way (an example) of madSecurity (like I said in the previous post)?
Please first test with regedit.exe whether it works. If you find out that it does what you need, we can talk afterwards about how to realize this with madSecurity.