none
Problems in configuring software restriction policy to block all application except those which are already installed. RRS feed

  • Question

  • I don't want any standard user to run any application expect those which are already installed, so I created a path rule in software restriction policy and disallowed all applications (.exe, .msi & .msp) except those which are present in windows & program files folder. But problem is that some applications (like Matlab) require access to PROGRAM DATA (like Java) and APP DATA FOLDER which contain many executables. If I allow those folders, standard users are able to copy any portable application into those folder & run it from there. That means users are able to write into those folders.
    However, I can create path rule for all executables present in those folders and allow them, but they too many of them, so its not convenient to create rules one by one.

    Also I have personal folder in Local Drive (D) which contains some useful portable applications, so I want to allow that folder and at same time make it write protected so that standard user cannot copy any other application and run it at their own will.

    Any solution?

    System Details:

    Windows 7 Ultimate 32 bit service pack 1

    Saturday, July 15, 2017 1:51 PM

All replies

  • Hi,

    According to your description, it seems that you want to allow standard user run specified application only.

    We could achieve your desire through Group Policy configuration.

    User Configuration\Administrative Templates\System\Run only specified Windows Applications\Enabled\Show\enter the name of the application which you want to run

    For detailed steps, please refer to the link:

    http://www.thewindowsclub.com/how-to-configure-windows-to-run-only-specified-programs

    (This setting only prevents users from running programs that are started by the Windows Explorer process.)

    NOTE: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites.

    Bests,

    Joy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 17, 2017 6:49 AM
    Moderator