Applications - Restrict Applications Users Can Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. Value Name: RestrictRun
Open your registry and find the key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion \Policies\Explorer]
Create a new DWORD value and name it "RestrictRun" set the value to "1" to enable application restrictions or "0" to allow all applications to run.
Then create a new sub-key called
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion \Policies\Explorer\RestrictRun]
and define the applications that are allowed. Creating a new string value for each application, named as consecutive numbers, and setting the value to the filename to be allowed (e.g. "regedit.exe" and "calc.exe").
Explained: DK
This example prevents any applications but those that you specify from being run:
Right click in the Right pane and select New, DWord value and name the new value RestrictRun Double click this entry and set it to 1. Right click on the Explorer sub branch, in the left pane and select New, Key Name the new key RestrictRun. Highlight this key, then in the right pane, right click and select New, String value. Give it "1" for the name, without the quotes. Double click this new value and enter the actual file name of the executable you wish to restrict this user from running. Example: calc.exe Right click again, select New, String value, name the new value "2". Double click the new value, enter REGEDIT.EXE
This example would only allow Calculator and REGEDIT to be run. Be VERY careful with this setting. You could wind up locking yourself out of REGEDIT if you were to use the restrictions on your Administrator account.
Restart Windows for the changes to take effect.
Note: If you are the person who applies Group Policy, do not apply this policy to yourself. If applied too broadly, this policy can prevent administrators from running Group Policy or the registry editors. As a result, once applied, you cannot change this policy except by reinstalling Windows XP.
Software Restriction Policies may be set to determine what software may or may not be run by users on the system. (Jim Cavalaris [MS]
Software Restriction Policies can be configured via the group policy editor (gpedit.msc) at:
Local Computer Policy -->Computer Configuration -->Windows Settings -->Security Settings -->Software Restriction Policies. Policy can be set to either: restrict users from running specified programs - OR -restrict users to allow ONLY the specified programs to be run.
For a non-domain machine, policy can be applied to all users on the system, or non-Admin users only (Admins are not affected by the policy, and may run any/all programs). you cannot specify this policy for only certain users, but for a non-domain machine, the Admin/non-Admin breakdown may be sufficient.
Another Option - (KWE) -
You can move shortcuts out of %ALLUSERSPROFILE%\StartMenu\Programs and place the shortcuts in specific user account profiles to keep program shortcuts from being visible to all accounts. This does not stop the limited account from running the program using a variety of techniques.

Comments