Mayayana
| There's nothing "clandestine" or "semi-secret" about it.

It's clandestine insofar as people generally don't see admin effects in their own settings. It's secret insofar as many common settings are not well documented. In some cases, with recent versions of Internet Explorer, there may be a message shown saying something like "This setting has been adjusted by your administrator". But in general, the group policy settings, and others like them, have been designed to override user choice throughout the Windows OS without letting the user of the computer know about it. For example, user-level IE security settings show in the security tab of Internet Options. But there's a particular Registry setting, not commonly known, that will override those with machine-level settings controlled by admin. (Or malware.) The person adjusting their own settings is deliberately misled.

| Anybody with a | copy of the Administrator's Pocket Companion has a lot of information | about it,

Obviously, anyone who learns all about the ins and outs of the Windows Registry will be able to find out what their administrator is doing.... assuming admin hasn't disabled Registry tools in the Group Policy Editor, in which case one will be unable to run Regedit; and no explanation will be provided. But the settings work *because* they're secret for all practical purposes. Many admins don't even understand much of it. They're trained to run various scripts that adjust settings on company workstations. Often the people running the scripts have little understanding of what the scripts do.

IE security settings alone can be controlled from 8 different locations, only 4 of which are available at user-level; only one of which is commonly known.... On Windows 7 a special command-line operation is required to enable oneself to log on as a real administrator, with actual admin rights.... It's all designed to prevent people from understanding it, because Windows is designed to be a corporate workstation OS used by employees who have no business doing anything but their assigned work on their PC.

| Administrators generally don't give employees a list of group policies | that have been set mostly because it wouldn't make much sense to them if | they weren't IT people. |

The whole point of admins is to control use of company computers to prevent damage, security problems, etc. The whole point of group policy settings is to control the computer at a level *not accessible to employees*. Secrecy, obscurity and manufactured abstruseness are the main means of making it all work as intended, while minimizing confrontation between admin and employees.

That's what group policy is all about. That's what circuitous, obscure Registry settings are all about. That's why the Internet has thousands of Windows tweak sites... Because Microsoft systematically designs the system so that most people will never understand it. (Of course, it also doesn't hurt Microsoft's bottom line that they've created a trumped up system of paid-for courses and certifications through their Rube Goldberg system of manufacturing abstruseness. And it helps the IT "ecosystem": Just like other professional certifications and licenses, the system inflates the income levels of people who do Windows IT work.)