Announcement

Collapse
No announcement yet.

Disabling executable files

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Disabling executable files

    Hi!

    Is it possible to disable a user to run any .exe programs except the ones you give access to!
    This is on a Windows XP Professional Edition Service Pack 2.
    The user in question is a "Limited User" and the computer is a stand-alone unit (Not connected to a server).

    Any help would be appreciated!!!
    I am Nobody. Nobody's Perfect therefore, I'm Perfect!

  • #2
    Re: Disabling executable files

    If you do that, your user can't use the machine...nothing will work.

    Do this to make that possbile.

    Do search on the PC and look for *.exe.
    Select all exe file and take out exec permission from the user.

    That will really screw up.

    Thank you.
    MCP, MCSA+messaging, MCDBA, OCA.

    Comment


    • #3
      Re: Disabling executable files

      "Software Restriction Policies"

      An effective way of using a path rule is to create a default rule that prevents users from executing anything at all. You can then create other rules that allow users to execute programs found in system related paths. It is important to allow users to execute files in system related paths because otherwise Windows will not function correctly. The paths that you must permit access to are:

      %userprofile%
      %windir%
      %appdata%
      %programfiles%
      %temp%
      And the network installation path (access to msi-packages)
      http://forums.petri.com/showthread.p...0263#post60263

      After that is set, ...

      Now use Hash rules for specified users to further close access to programs in any of the pathes you did allowed in the path-rule.
      example: http://forums.petri.com/showthread.p...7136#post57136


      Originally posted by Skie
      the computer is a stand-alone unit (Not connected to a server).
      No GPO, then you must set the rules manualy on the standalone computer.
      (Gpedit.msc or customized Security .inf -files:
      - http://www.microsoft.com/technet/sec.../xpsgch06.mspx
      - http://www.microsoft.com/technet/sec.../xpsgch05.mspx )

      \RemS
      Last edited by Rems; 20th March 2007, 11:52.

      This posting is provided "AS IS" with no warranties, and confers no rights.

      __________________

      ** Remember to give credit where credit's due **
      and leave Reputation Points for meaningful posts

      Comment


      • #4
        Re: Disabling executable files

        Ignore hyeongkim - he knows not what he says.

        You should look at "Software Restriction Policies". These will allow system functions to run, but will only allow the user to initiate the programs you specify. However, you may be surprised how many programs are required to make a user's day go smoothly!!

        Software Restriction Policies can be set in Group Policy in a Domain, or if this is a home or non-domain machine they can be set in "Local Computer Policy".

        Sorry Rems I think we posted at the same time...


        Tom
        For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

        Anything you say will be misquoted and used against you

        Comment


        • #5
          Re: Disabling executable files

          Well, policies would be best, as these guys say, but just thinking from another angle here, you can hide the Start button and drop a few icons on his desktop.

          See http://www.petri.com/startbut.htmfor a download program (startbut.exe) that allows you to disable the start button with the syntax:
          StartBut /enable | /disable | /hide | /show
          Be VERY careful with this program! and always make sure there is a "way out" if you disable or hide the start button. So make sure there is a "shutdown" link on the desktop (make a shortcut to "shutdown -s"), or a "Logoff" link.

          it's not perfect, because you can always run a program from Task Manager, but will the "Limited user" know that? Maybe someone has an idea about getting around that one?
          Best wishes,
          PaulH.
          MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

          Comment


          • #6
            Re: Disabling executable files

            Originally posted by PaulH View Post
            Well, policies would be best, as these guys say, but just thinking from another angle here, you can hide the Start button and drop a few icons on his desktop.

            See http://www.petri.com/startbut.htmfor a download program (startbut.exe) that allows you to disable the start button with the syntax:
            StartBut /enable | /disable | /hide | /show
            Be VERY careful with this program! and always make sure there is a "way out" if you disable or hide the start button. So make sure there is a "shutdown" link on the desktop (make a shortcut to "shutdown -s"), or a "Logoff" link.

            it's not perfect, because you can always run a program from Task Manager, but will the "Limited user" know that? Maybe someone has an idea about getting around that one?
            That is a very good idea. Also, you can remove individual buttons from the Security Dialog with local policy; which would enable you to remove nasty ones like "Task Manager" and "Shut Down". I believe that removing "Task Manager" also removes it from the taskbar context menu.


            Tom
            For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

            Anything you say will be misquoted and used against you

            Comment


            • #7
              Re: Disabling executable files

              Originally posted by Stonelaughter
              Sorry Rems I think we posted at the same time...
              Not at all, now it more conviceable that this is considerable solution.


              Otherwise, maybe more efficient for this case would be a thirtparty tool called "WinU".
              http://forums.petri.com/showthread.p...2218#post58623


              \Rem

              This posting is provided "AS IS" with no warranties, and confers no rights.

              __________________

              ** Remember to give credit where credit's due **
              and leave Reputation Points for meaningful posts

              Comment

              Working...
              X