Can you restrict users from installing apps in W2K??


giacomo_33
07-03-2000, 01:42 PM
How do you stop any .exe from being run by a user? We have a Win 2000 network in a school with 17-18 year olds, with a strict Group Policy setting. We are using User Configuration/ Don't run specified windows apps...this works, until a user discovers they can simply rename an executable to something else and it will run!! This works also for the Run only Windows apps setting, where renaming an app to something like winword.exe results in the app running. Access to the hard drive is restricted, with users having their My Documents folder being redirected to a server share. Is there anything apart from restrictrun that can prevent a user from installing apps??

Thanks

Sarg
07-03-2000, 05:25 PM
This works with 9x and NT, should for Win2K. Windows gives the ability to restrict the applications that can be run by users on a workstation.
1. Use Regedit, find the key below.

2. Change the value of 'RestrictRun' to '1' for enabled or '0' for disabled. Create if it doesn't exist.

3. Define the apps. that are allowed to be run at:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Creating a new value for each application, and name them consecutive numbers. For Example:

'1' = c:\windows\notepad.exe
'2' = c:\program file\msoffice\winword.exe

Exit Regedit and reboot for changes to take effect. Let me know if it works on 2000.

giacomo_33
07-04-2000, 06:28 AM
Thanks for your reply. The registry settings you have suggested are implemented through the group policy template, which is just a more elaborate version of the NT 4.0 poledit app. Unfortunately, as in NT 4.0, a user quickly realises that they can run any app by simply renaming it notepad.exe...etc. Thus the issue becomes one of trying to stop a user from installing any app. Through W2k's group policy the C: drive is totally restricted. They are installing in their own My Documents folder, which resides on a server share. Are there any other registry commands (such as restrictrun) that could be used to restrict DLLs (or any file), for example RestrictAccess or NoAccess??

Thanks.
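An added example, not part of any post in this thread: a Python sketch of why the rename trick described above defeats a name-based list, and how an admin could instead audit the redirected My Documents share by file content (the PE header). The allow-list model, share paths and sample bytes are constructed for illustration and are not Windows' own policy code.

```python
import ntpath
import struct

# Constructed allow-list, in the style of the RestrictRun values in the thread.
RESTRICT_RUN = {"notepad.exe", "winword.exe"}

def name_check_allows(path):
    """Model of a name-only allow-list: compares the file name, never the content."""
    return ntpath.basename(path).lower() in RESTRICT_RUN

def is_pe_image(data):
    """True if data starts with an MZ header whose e_lfanew field points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def make_stub_pe():
    """Constructed sample: only the header fields is_pe_image inspects."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00"

def audit(files):
    """files maps path -> bytes. Returns (path, allowed_by_name) for every PE image found."""
    return [(path, name_check_allows(path))
            for path, data in sorted(files.items())
            if is_pe_image(data)]

# Constructed contents of one user's redirected folder (hypothetical server and user).
BASE = "\\\\server\\users\\student1\\My Documents\\"
SAMPLE_SHARE = {
    BASE + "essay.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 60,  # OLE document, not a PE
    BASE + "game.exe": make_stub_pe(),       # blocked by the name list
    BASE + "winword.exe": make_stub_pe(),    # same bytes, renamed: passes the name list
    BASE + "notes.txt": make_stub_pe(),      # executable content under a harmless name
}

if __name__ == "__main__":
    for path, allowed in audit(SAMPLE_SHARE):
        verdict = "passes name list" if allowed else "blocked by name list"
        print(f"PE image in user share: {path} ({verdict})")
```

On a real share the same check would read the first bytes of each file instead of the in-memory samples.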

gaydec
07-11-2000, 07:45 PM
You could try to disable the rename command (how, I don't know). One way is to disable the right-click function.

Just a thought

bambosz
12-18-2000, 04:23 AM
I don't know if you have done so, but Win2K is very good at setting permissions, and it gives you choices that the files can be READ ONLY and they cannot rename them, hence they cannot run them.. and you can propagate this on all of the files, even later if you install something the files will be read only. You might have to change some things, like if you make all the registry read only, some progs will not run, but you can reset permissions with .ini files and a little thing called regini on the resource CD for 2000. You might have to write VB scripts that will make temporary copies of folders that will have to be changed during use, but again that is something easy to do for a sys admin..
if you need more info you can email me at bambosz@psu.edu


In the words of Kevin Spacey "I RULE"!!!

RWSchlatter
12-18-2000, 04:49 AM
This is just a quick shot and needs further research by you:
In Explorer and as Admin right-click on the My Documents icon and select the Properties. In the dialog select the Security tab.
Add... the actual user and Deny him the Read&Execute permission.
Of course you will want to automate this with a script :)
As far as I remember, the difference between being a member of the predefined groups User and Power User should be that a Power User may install programs while a User is denied this functionality.

______________
Regards - Richard

billbrummett
02-02-2001, 11:26 AM
Yeah, set NTFS rights to 'read only'. Prevents users from renaming files.

wes
02-18-2001, 04:41 PM
I too have had this problem. This is what I did and it seemed to work OK. What you do is change the permissions on the server share where their My Documents is at (I'm guessing that everyone is sharing the same share): set the permissions to special read, write and delete, don't let them have any execute permissions (NOTE: I do believe you need to go under advanced security settings to get just those three). I have done this with NT 4.0 successfully but I'm not running 2000 yet so I haven't tried it there. Please let me know if this works or not.

WES