Announcement

Collapse

Please Read: Significant Update Planned, Migrating Forum Software This Month

See more
See less

Disabling executable files

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • skie
    started a topic Disabling executable files

    Disabling executable files

    Hi!

    Is it possible to disable a user to run any .exe programs except the ones you give access to!
    This is on a Windows XP Professional Edition Service Pack 2.
    The user in question is a "Limited User" and the computer is a stand-alone unit (Not connected to a server).

    Any help would be appreciated!!!

  • Rems
    replied
    Re: Disabling executable files

    Originally posted by Stonelaughter
    Sorry Rems I think we posted at the same time...
    Not at all, now it more conviceable that this is considerable solution.


    Otherwise, maybe more efficient for this case would be a thirtparty tool called "WinU".
    http://forums.petri.com/showthread.p...2218#post58623


    \Rem

    Leave a comment:


  • Stonelaughter
    replied
    Re: Disabling executable files

    Originally posted by PaulH View Post
    Well, policies would be best, as these guys say, but just thinking from another angle here, you can hide the Start button and drop a few icons on his desktop.

    See http://www.petri.com/startbut.htmfor a download program (startbut.exe) that allows you to disable the start button with the syntax:
    StartBut /enable | /disable | /hide | /show
    Be VERY careful with this program! and always make sure there is a "way out" if you disable or hide the start button. So make sure there is a "shutdown" link on the desktop (make a shortcut to "shutdown -s"), or a "Logoff" link.

    it's not perfect, because you can always run a program from Task Manager, but will the "Limited user" know that? Maybe someone has an idea about getting around that one?
    That is a very good idea. Also, you can remove individual buttons from the Security Dialog with local policy; which would enable you to remove nasty ones like "Task Manager" and "Shut Down". I believe that removing "Task Manager" also removes it from the taskbar context menu.

    Leave a comment:


  • PaulH
    replied
    Re: Disabling executable files

    Well, policies would be best, as these guys say, but just thinking from another angle here, you can hide the Start button and drop a few icons on his desktop.

    See http://www.petri.com/startbut.htmfor a download program (startbut.exe) that allows you to disable the start button with the syntax:
    StartBut /enable | /disable | /hide | /show
    Be VERY careful with this program! and always make sure there is a "way out" if you disable or hide the start button. So make sure there is a "shutdown" link on the desktop (make a shortcut to "shutdown -s"), or a "Logoff" link.

    it's not perfect, because you can always run a program from Task Manager, but will the "Limited user" know that? Maybe someone has an idea about getting around that one?

    Leave a comment:


  • Stonelaughter
    replied
    Re: Disabling executable files

    Ignore hyeongkim - he knows not what he says.

    You should look at "Software Restriction Policies". These will allow system functions to run, but will only allow the user to initiate the programs you specify. However, you may be surprised how many programs are required to make a user's day go smoothly!!

    Software Restriction Policies can be set in Group Policy in a Domain, or if this is a home or non-domain machine they can be set in "Local Computer Policy".

    Sorry Rems I think we posted at the same time...

    Leave a comment:


  • Rems
    replied
    Re: Disabling executable files

    "Software Restriction Policies"

    An effective way of using a path rule is to create a default rule that prevents users from executing anything at all. You can then create other rules that allow users to execute programs found in system related paths. It is important to allow users to execute files in system related paths because otherwise Windows will not function correctly. The paths that you must permit access to are:

    %userprofile%
    %windir%
    %appdata%
    %programfiles%
    %temp%
    And the network installation path (access to msi-packages)
    http://forums.petri.com/showthread.p...0263#post60263

    After that is set, ...

    Now use Hash rules for specified users to further close access to programs in any of the pathes you did allowed in the path-rule.
    example: http://forums.petri.com/showthread.p...7136#post57136


    Originally posted by Skie
    the computer is a stand-alone unit (Not connected to a server).
    No GPO, then you must set the rules manualy on the standalone computer.
    (Gpedit.msc or customized Security .inf -files:
    - http://www.microsoft.com/technet/sec.../xpsgch06.mspx
    - http://www.microsoft.com/technet/sec.../xpsgch05.mspx )

    \RemS
    Last edited by Rems; 20th March 2007, 11:52.

    Leave a comment:


  • hyeongkim
    replied
    Re: Disabling executable files

    If you do that, your user can't use the machine...nothing will work.

    Do this to make that possbile.

    Do search on the PC and look for *.exe.
    Select all exe file and take out exec permission from the user.

    That will really screw up.

    Thank you.

    Leave a comment:

Working...
X