Firstly, security on Windows is not for the faint-hearted.

You might be able to use the module Win32::FileSecurity on a registry key. It allows you to create ALLOW Access Control Entries (ACEs) on the Discretionary Access Control List (DACL), using bit flags. Fortunately a function is provided (MakeMask) to construct the flag. The Get function puts the existing DACL into a hash, where the usernames are the keys and the values are the permission bit flags. This can then be altered or set using the Set function.
There are also functions for interrogating and translating the existing DACL.

If you require to create DENY ACEs then we have to use the Win32 API, either from the Win32::API modules, Win32::Security::ACL or using XS. Either way, we have to know a lot about Win32. Win32::Security::ACL comes with two scripts: PermDump.pl and PermChg.pl.

However, the simpest way is to call an external program to do this for you, using, for example system. You can use the Microsoft command-line program cacls, which is fairly easy to use. It is documented in the online help (Windows XP) and at http://support.microsoft.com/kb/162786/en-us. For example:

system("echo y|cacls gash.pl /E /G BUILTIN\\Users:R");
[download]

It may output a prompt (depending on the action) "Are you sure (Y/N)?", which is why we have the echo y| in the example (see http://support.microsoft.com/kb/135268). Alternatively use xcacls.exe from the Windows Resource Kit - this version does not prompt.

At Windows Vista and Windows 7 the cacls program still works but is deprecated in favour of the more powerful icacls program.