Re: XPPro : Restrict the programs a user can run

From: Jim Cavalaris [MS] (jamesca@online.microsoft.com)
Date: 06/12/02


From: "Jim Cavalaris [MS]" <jamesca@online.microsoft.com>
Date: Tue, 11 Jun 2002 15:23:39 -0700


this option only controls whether those applications can be started by the
windows explorer shell. it does not disallow these processes from being
started. users can still start these programs by other means, such as from
a cmd prompt or taskmgr.

the option can be found in the group policy editor (gpedit.msc), under:

Local Computer Policy
    User Configuration
        Administrative Templates
            System:
            Don't run specified Windows applications

and the description text associated with the policy explains:

This setting only prevents users from running programs that are started by the Windows Explorer process. It does not prevent users
from running programs, such as Task Manager, that are started by the system process or by other processes. Also, if you permit users
to gain access to the command prompt, Cmd.exe, this setting does not prevent them from starting programs in the command window that
they are not permitted to start by using Windows Explorer.

--
This posting is provided “AS IS” with no warranties, and confers no rights.

"Kent W. England [MVP]" <kwe@mvps.org> wrote in message news:OSaE$BXECHA.2164@tkmsftngp02...
> In addition to this technique there are the DisallowRun and RestrictRun
> keys. Use DisallowRun if you want to disable certain specific apps and
> use RestrictRun to only allow certain apps.
>
> Windows Registry Editor Version 5.00
>
> ; set applications policy to explicit denied
> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
> "DisallowRun"=dword:00000001
>
> ; do not allow following applications to be run
> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
> "1"="calc.exe"
>
> Windows Registry Editor Version 5.00
>
> ; set applications policy to explicitly allowed
> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
> "RestrictRun"=dword:00000001
>
> ; permit applications only if explicitly listed below
> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
> "1"="regedit.exe"
> "2"="calc.exe"
>
> If the user account is a limited account, it will be difficult for them
> to get around these restrictions and they are simpler than the policy
> settings.
>
> --
> Kent W. England, MS MVP for Windows XP
> (Please respond only in the newsgroup)
>
> Jim Cavalaris [MS] <jamesca@online.microsoft.com> wrote:
>
> > on windows xp and later, Software Restriction Policies may be set
> > to determine what software may or may not be run by users on the
> > system.
> >
> > Software Restriction Policies can be configured via the group policy
> > editor (gpedit.msc) at:
> >
> >     Local Computer Policy -->
> >         Computer Configuration -->
> >             Windows Settings -->
> >                 Security Settings -->
> >                 Software Restriction Policies
> >
> > policy can be set to either:
> > restrict users from running specified programs
> > - OR -
> > restrict users to allow ONLY the specified programs to be run
> > (the scenario you've described).
> >
> > for a non-domain machine, policy can be applied to all users on the
> > system, or non-Admin users only (Admins are not affected by the
> > policy, and may run any/all programs).  you cannot specify this
> > policy for only certain users, but for a non-domain machine, the
> > Admin/non-Admin breakdown may be sufficient.
> >
> > for more information, take a look at the white paper doc at:
> >
> > http://www.microsoft.com/windowsxp/pro/techinfo/administration/restrictionpolicies/default.asp
> >
> > hope this helps,
> > jim.
> >
> > "Roy Huntley" <roy_huntley@hotmail.com> wrote in message
> > news:cab501c21053$b4f28d80$b1e62ecf@tkmsftngxa04...
> >> I have an XPPro machine at home (not in a domain) with
> >> several user accounts.  I would like to restrict some
> >> accounts so that they can only run specified programs (for
> >> example Outlook and IE).  How is this possible ?
> >>
> >> Thanks
>
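
An added example, not part of the original posts: a Python audit that parses a .reg export of the Explorer policy key discussed in this thread and reports, for an enabled DisallowRun or RestrictRun list, which of the launchers the thread names (cmd.exe, taskmgr.exe) Explorer will still start. The sample export is constructed, and parse_reg and audit are hypothetical names.

```python
import re

EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# Programs the thread names as able to start other programs outside Explorer's check.
LAUNCHERS = {"cmd.exe", "taskmgr.exe"}

# Constructed sample: the thread's RestrictRun export with cmd.exe added to the allow list.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="regedit.exe"
"2"="calc.exe"
"3"="cmd.exe"
'''

def parse_reg(text):
    """Parse .reg export text into {key path (lowercased): {value name (lowercased): data}}."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue  # header line, comment, blank line, or unsupported value type
        name, data = m.group(1).lower(), m.group(2)
        if data.startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            current[name] = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
    return keys

def audit(text):
    """For each enabled Explorer run list, give its apps and the launchers Explorer still starts."""
    keys = parse_reg(text)
    base = keys.get(EXPLORER.lower(), {})
    report = {}
    for mode in ("DisallowRun", "RestrictRun"):
        if base.get(mode.lower()) != 1:
            continue  # this policy is not switched on
        apps = sorted(str(v).lower() for v in keys.get(f"{EXPLORER}\\{mode}".lower(), {}).values())
        # Deny list: launchers missing from it. Allow list: launchers present on it.
        open_ = LAUNCHERS - set(apps) if mode == "DisallowRun" else LAUNCHERS & set(apps)
        report[mode] = {"apps": apps, "launchers_explorer_will_start": sorted(open_)}
    return report
```

Calling audit(SAMPLE) flags cmd.exe on the allow list; a non-empty launchers_explorer_will_start list means the run list alone does not confine the account, which is the case Software Restriction Policies are meant to cover.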

