In Windows CE you can restrict the functionality of your device, by enabling something called the 'admin policy restrictions'.

to enable, delete the key 'Redirect' from 'HKEY_LOCAL_MACHINE\ControlPanel\AdminPassword'

this key controls what is restricted:

or under [HKEY_LOCAL_MACHINE\Security\Policies\Shell] for pocketpc 2003.
note: somehow the 'NoExternalExes' key was forgotten in this registry key for ppc2003, causing the admin policy to have no effect. by adding this key value your self, you can make the admin policy work on ppc2003.

a few examples:
passwordmd5 hashed password
ossvcs.dll function 90 is what does the encoding.

so does this:

	perl -MDigest::MD5(md5_hex) -e "print md5_hex(pack('v*', unpack('C*','a.000000'), 0))"
it is the md5 hash of the unicode string including its terminating zero .

how is it implemented

looking at where the string 'NoExternalExes' is referenced:
ossvcs.dll ordinal 29
called from cefobj.dll ceshell.dll cplmain.cpl rapisrv.exe shell32.exe
ossvcs.dll ordinal 91
called from cplmain.cpl
ossvcs.dll ordinal 117
called from syscsps.dll
referenced from the registry.