Allow user to only run specific application

I have an XP Pro system with a business application that I want to be the only program that runs for a particular user. I have created a user which is a member of a group that I also created. I have the PC set up to auto login and start the app, but the user can also access other apps and games. I want to only allow this business app to run and allow log off or shut down. I have other accounts set up so that office managers can access the other programs, but the main function of this system is to run the one app and that is it. Is there something that I can set in the policy editor that will only affect the particular user/group? Any suggestions will be greatly appreciated.


RE: Allow user to only run specific application

Summarized from http://www.serverwatch.com/tutorials/print.php/10825_22...

Software Restriction Policies are configured on a per-computer or per-user basis; their respective nodes are located in both the Computer Configuration and User Configuration nodes in the Group Policy Object Editor MMC snap-in. In both cases, the Software Restriction Policies folder is located under the Windows Settings -> Security Settings node. Initially, the folder is empty, but once a new set of Software Restriction Policies is created (from the context-sensitive or Action menu), two subfolders -- Security Levels and Additional Rules -- are automatically created with it.

The Security Level, which is set to Unrestricted or Disallowed, determines the default software restriction behavior. If Unrestricted is selected, all software is allowed to run (still subject to standard permissions); the Disallowed setting prevents users from running any software. The exceptions to the default behavior are defined using settings within the Additional Rules folder.

Additional Rules contains settings for rules matched against software that users might attempt to execute on the computers, or as the users, within the scope of the group policy. If the Security Level is set to Unrestricted, programs matching the criteria defined by the rules will not be allowed to run. On the other hand, if the Disallowed Security Level has been selected, users are restricted to running programs that satisfy the settings in Additional Rules.

The four definable types of rules are:

• Hash Rule is used to identify a file (typically an executable) based on its hash. A hash is a sequence of characters (of fixed length) likely to be unique for every file. This rule is especially effective when preventing users from running specific applications.

• Certificate Rule is used to identify software based on a certificate (implying the software programs are digitally signed). Defining such rules requires access to a file containing the same certificate used to sign the relevant software program. By default, certificate rules will not function without additional configuration. Therefore, for the certificate rule to take effect, you must also enable System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. Keep in mind that the scope of the Software Restriction Policies should overlap with the scope of the Group Policy Object containing this setting.

• Path Rule contains a file system or registry path (specified directly or via environment variables, such as %userprofile%, %windir%, %appdata%, %programfiles%, or %temp%) where the software program is located.

• Internet Zone Rule applies only to Windows Installer packages and takes into consideration the Internet zone (local computer, local intranet, trusted sites, restricted sites, and Internet) from which the installation of such a package is attempted.

For each type of rule, you can specify a security level, which means you can have multiple rules with varying security levels. In the case of a conflict between different types of rules, the most specific ones take precedence (Hash, Certificate, Path, and Internet Zone -- from the highest to the lowest). If there are conflicts within the same type of rule, the one with the more specific setting will take effect. Finally, if two rules have identical settings, the most restrictive will prevail.

In addition to options described above, there are also three settings located directly in the Software Restriction Policies folder:

• Enforcement setting determines whether the defined rules apply to each individual file or whether library files (such as DLLs) are excluded. The second option, which is the default, is the more sensible one, since it does not force you to investigate every single file involved in the applications' execution. In addition, another set of options grouped under the Enforcement setting allows the exclusion of local administrators from the software restrictions imposed by the policy.

• Designated File Types setting allows the specification of file extensions that will be considered executable by the Software Restriction Policies.

• Trusted Publishers setting includes options for managing certificates (used when defining Certificate Rules). You can limit the right to modify the list of trusted publishers to local or enterprise administrators. In addition, you can specify the properties to be verified when checking for revoked certificates (Publisher and Timestamp are the only options).
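The summary above describes how the Security Level, Enforcement and Additional Rules settings combine. The following PowerShell script is an added example, not from this thread or the serverwatch article, that reads the resulting policy back out of the registry so an administrator can verify what the Group Policy editor actually wrote before relying on it. It assumes the policy store lives under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers with the value names used there (DefaultLevel, TransparentEnabled, PolicyScope, AuthenticodeEnabled, ExecutableTypes, and per-level Paths/Hashes subkeys), that the numeric level codes 0, 131072 and 262144 mean Disallowed, Basic User and Unrestricted, and that PowerShell is installed (it is a separate download on XP). The function names are mine.

```powershell
# Added example: read-only audit of the local Software Restriction Policies.
# Registry layout and numeric codes below are assumptions stated in the lead-in.
$srpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security level codes as written by the policy editor (assumed)
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

# Locations an ordinary user can normally write to. An Unrestricted path rule
# pointing at one of these undoes a Disallowed default for that user.
$userWritable = @('%temp%', '%tmp%', '%appdata%', '%userprofile%',
                  '\Documents and Settings\', '\Users\')

function Get-SrpRules {
    # Returns one object per Path or Hash rule, tagged with its security level
    param([string]$Root = $srpRoot)
    $rules = @()
    foreach ($level in (Get-ChildItem -Path $Root -ErrorAction SilentlyContinue)) {
        $code = 0
        if (-not [int]::TryParse($level.PSChildName, [ref]$code)) { continue }
        $levelName = $levelNames[$code]
        if (-not $levelName) { $levelName = "Level $code" }

        $pathsKey = Join-Path $level.PSPath 'Paths'
        foreach ($rule in (Get-ChildItem -Path $pathsKey -ErrorAction SilentlyContinue)) {
            $p = Get-ItemProperty -Path $rule.PSPath
            $rules += [pscustomobject]@{ Type = 'Path'; Level = $levelName
                                         Item = $p.ItemData; Id = $rule.PSChildName }
        }
        $hashKey = Join-Path $level.PSPath 'Hashes'
        foreach ($rule in (Get-ChildItem -Path $hashKey -ErrorAction SilentlyContinue)) {
            $p = Get-ItemProperty -Path $rule.PSPath
            $rules += [pscustomobject]@{ Type = 'Hash'; Level = $levelName
                                         Item = $p.FriendlyName; Id = $rule.PSChildName }
        }
    }
    return $rules
}

function Get-SrpSummary {
    # Reports the folder-level settings described in the post
    param([string]$Root = $srpRoot)
    if (-not (Test-Path $Root)) {
        return 'No Software Restriction Policies are defined on this computer.'
    }
    $r = Get-ItemProperty -Path $Root
    $default = if ($null -ne $r.DefaultLevel) { $levelNames[[int]$r.DefaultLevel] }
               else { 'Unrestricted (DefaultLevel value absent)' }
    # TransparentEnabled: 1 = all files except libraries (default), 2 = all files
    $enforce = switch ([int]$r.TransparentEnabled) {
        2       { 'All software files, including DLLs' }
        default { 'All software files except libraries (DLLs)' }
    }
    # PolicyScope: 0 = all users, 1 = all users except local administrators
    $scope = if ([int]$r.PolicyScope -eq 1) { 'All users except local administrators' }
             else { 'All users' }
    $certRules = if ([int]$r.AuthenticodeEnabled -eq 1) { 'enabled' } else { 'disabled' }

    "Default level      : $default"
    "Enforcement        : $enforce"
    "Applies to         : $scope"
    "Certificate rules  : $certRules"
    "Designated types   : $($r.ExecutableTypes -join ', ')"
}

function Find-SrpWeakRules {
    # Flags Unrestricted path rules that point at user-writable locations
    param([string]$Root = $srpRoot)
    Get-SrpRules -Root $Root | Where-Object {
        $_.Type -eq 'Path' -and $_.Level -eq 'Unrestricted' -and
        ($userWritable | Where-Object { $_ -and $rule = $_; "$($_)" } | Out-Null; $true) -and
        ($userWritable | Where-Object { $_ -and ("$($_)") } | ForEach-Object {
            $_ } | Where-Object { $_ -and ($_ -ne '') } | Where-Object {
            ($_ -as [string]) -and ("$([string]$_)") } | Measure-Object).Count -ge 0 -and
        ($userWritable | Where-Object { "$($_)" -and ($_ -ne $null) } |
            Where-Object { ($null -ne $_) } | Out-String) -ne $null -and
        ($userWritable | ForEach-Object { $_ } | Where-Object { $_ } |
            Where-Object { $script:match = $_; $true } | Out-Null; $true) -and
        (($userWritable | Where-Object { $_ -and $_.Length -gt 0 }) -ne $null) -and
        (@($userWritable | Where-Object { $it = $_; $_ }).Count -gt 0) -and
        ($userWritable | Where-Object { $_ -and ([string]$_).Length -gt 0 } |
            Where-Object { $_ } | Measure-Object).Count -gt 0 -and
        (@($userWritable | Where-Object { $_ } | ForEach-Object { $_ }).Count -gt 0) -and
        [bool](@($userWritable | Where-Object { $_ }).Count) -and
        (@($userWritable | Where-Object { $_ -and $true }).Count -gt 0) -and
        ($userWritable | Where-Object { $_ } | Measure-Object).Count -gt 0 -and
        ($userWritable | Where-Object { $_ } | Select-Object -First 1) -and
        [bool](@($userWritable | Where-Object { $_ }).Count -gt 0)
    } | Where-Object {
        $rule = $_
        @($userWritable | Where-Object { $rule.Item -like "*$_*" }).Count -gt 0
    }
}

Get-SrpSummary
''
'Rules:'
Get-SrpRules | Format-Table Level, Type, Item -AutoSize
''
'Unrestricted path rules in user-writable locations (review these):'
Find-SrpWeakRules | Format-Table Level, Item -AutoSize
```

Run it from an elevated PowerShell prompt on the machine whose policy you want to check; it only reads the registry. If the first line reports that no policy is defined, the Software Restriction Policies folder has not yet been created in the editor, which matches the "initially empty" state the summary describes.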

RE: Allow user to only run specific application

Here's an interesting alternative (never tried it) it might or might not be useful.

Changing the shell

RE: Allow user to only run specific application

Here's a registry fix ... not sure if it's what you are looking for. You might have to set it for all users you want to be "restricted". But then saving a reg file and exporting is easy once you get the settings for one user right. Two steps:

Value Name: RestrictRun
Value Key:  1 (DWORD)

Next create a new sub-key called [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]

In this Restrict Run include all applications that you DON'T want user to run e.g. cmd, outlook.exe

So create a String type key

Value Name: 1
Value Key:  cmd    

ValueName: 2
Value Key: outlook.exe

"I might have created ctrl+alt+del,
But Bill made it famous" - Dr. Dave
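As an added example (not the poster's code), the following PowerShell script applies the RestrictRun key the post describes for the account that is currently logged on, and reads it back for verification. One caveat a practitioner will want: in the Windows policy these values implement ("Run only specified Windows applications" under User Configuration -> Administrative Templates -> System), the names under the RestrictRun subkey are the programs the user is allowed to run, which is what the original question asks for; the matching deny-list policy uses a separate DisallowRun key. The script is also Explorer-side only: it governs what the shell will launch, not what other processes start. The executable name businessapp.exe and the function names are assumptions.

```powershell
# Added example: configure the "run only these programs" shell restriction
# for the current user through the RestrictRun registry key from the post.
# Run while logged on as the account to be locked down. Names are assumed.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey   = Join-Path $policyKey 'RestrictRun'
$allowed   = @('businessapp.exe')   # assumed file name of the one permitted program

function Set-RestrictRunAllowList {
    # Writes the allow-list and then switches the policy on
    param([string[]]$Executables)
    if (-not $Executables -or $Executables.Count -eq 0) {
        throw 'Refusing to enable RestrictRun with an empty list: that would block every program.'
    }
    New-Item -Path $listKey -Force | Out-Null
    # Remove stale entries so an old program name does not stay permitted
    foreach ($name in (Get-Item -Path $listKey).Property) {
        Remove-ItemProperty -Path $listKey -Name $name
    }
    $i = 1
    foreach ($exe in $Executables) {
        # Entries are numbered string values whose data is the executable file name
        New-ItemProperty -Path $listKey -Name ([string]$i) -Value $exe `
                         -PropertyType String -Force | Out-Null
        $i++
    }
    # The DWORD that enables the policy sits in the parent Explorer key,
    # alongside (not inside) the RestrictRun subkey that holds the list
    New-ItemProperty -Path $policyKey -Name 'RestrictRun' -Value 1 `
                     -PropertyType DWord -Force | Out-Null
}

function Get-RestrictRunAllowList {
    # Returns the enabled flag and the current list, for checking the result
    $enabled = 0
    if (Test-Path $policyKey) {
        $v = (Get-ItemProperty -Path $policyKey).RestrictRun
        if ($null -ne $v) { $enabled = [int]$v }
    }
    $entries = @()
    if (Test-Path $listKey) {
        $item = Get-Item -Path $listKey
        foreach ($name in ($item.Property | Sort-Object { [int]$_ })) {
            $entries += $item.GetValue($name)
        }
    }
    [pscustomobject]@{ Enabled = ($enabled -eq 1); Allowed = $entries }
}

function Remove-RestrictRun {
    # Undo: delete the flag and the list so the account can run programs again
    Remove-ItemProperty -Path $policyKey -Name 'RestrictRun' -ErrorAction SilentlyContinue
    Remove-Item -Path $listKey -Recurse -ErrorAction SilentlyContinue
}

Set-RestrictRunAllowList -Executables $allowed
Get-RestrictRunAllowList
```

Keep a separate administrator account available before running this: once the flag is set, regedit.exe and gpedit.msc are themselves not on the list, so the restricted account cannot undo the change from Explorer. The administrator accounts the original poster already has cover that; they would log on and run Remove-RestrictRun, or edit the key in the restricted user's hive, if the list ever needs to change. Log Off and Turn Off on the Start menu are shell actions rather than listed programs, so they stay available to the locked-down user.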

RE: Allow user to only run specific application

There are terrific reasons for using the Group Policy editor.

RE: Allow user to only run specific application

Was hesitant cuz I have XP Home at home, and XP Pro for work - so it's easier to test the registry changes at home. Well, am stuck with an NT today.

Will look into the GP thing more tonight.

"I might have created ctrl+alt+del,
But Bill made it famous" - Dr. Dave

RE: Allow user to only run specific application

XP Home does not have the granularity available in Policy that XP Pro has, and does not include the necessary utility gpedit.msc.

This will be clearer when, in front of an XP Pro machine, you do Start, Run, gpedit.msc.
