How to restrict which applications users of the network are able to run on their workstations.
Method 1: To restrict users from running specific applications, multiple registry keys must be created. The first key enables the policy in Windows. Remember that this policy is effective in Windows 2000/ME/XP only, so be sure to configure your Validation Logic accordingly. Use the Registry tab within ScriptLogic to add an element with the following settings (see Figure 1):
Action: WriteValue
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Type: REG_DWORD
Value: DisallowRun
Data: 1
Each subsequent registry key that is created indicates exactly which applications the user is not allowed to execute. For each application you wish to restrict, create an entry on the Registry tab within ScriptLogic with settings similar to the following (See Figure 2):
Action: WriteValue
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Type: REG_SZ
Value: AOL Instant Messenger
Data: AIM.EXE
In this example we have denied the user's ability to execute AOL Instant Messenger. The "Value" field in the registry setting above is for description purposes only. The "Data" field is used to indicate the executable that has been restricted. You may create as many of these keys as necessary to enforce your network policy.
Method 2: To restrict users from running any application other than those you have approved, multiple registry keys must be created. The first key enables the policy in Windows.
Note: This approach requires a lot of forethought and research. Remember, this policy restricts the execution of all applications, including things as simple as CACL.EXE or IEXPLORE.EXE. Your logon script executes just as any other application does, and when ScriptLogic calls on an executable such as MAKESCUT.EXE or SLEXEC.EXE, these must have been provided for while configuring this policy or else they too will fail. It is much more desirable to use the 1st method listed above when attempting to restrict the applications a user is allowed to run. This 2nd method has been provided for environments other than 2000/ME/XP where a high level of lockdown is desired.
Use the Registry tab within ScriptLogic to add an element with the following settings (See Figure 3):
Action: WriteValue
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Type: REG_DWORD
Value: RestrictRun
Data: 1
Each subsequent registry key that is created indicates exactly which applications the user is allowed to execute. For each application you wish to allow, create an entry on the Registry tab within ScriptLogic with settings similar to the following (See Figure 4):
Action: WriteValue
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
Type: REG_SZ
Value: Microsoft Word
Data: WINWORD.EXE
In this example we have denied the user's ability to execute any application other than Microsoft Word. The "Value" field in the registry setting above is for description purposes only. The "Data" field is used to indicate the executable that has been allowed. You may create as many of these keys as necessary to enforce your network policy.
Note: Slogic.bat is the Desktop Authority login script that runs for your users. If you are following method 2 and implementing this through a policy, you will need to allow Slogic.bat to run; this in turn enables our script to run for your users.
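An audit of the resulting policy state, as an added example that is not part of the original article or ScriptLogic's own tooling: it reads the DisallowRun and RestrictRun switches and their lists under HKEY_CURRENT_USER, and warns when a RestrictRun allow list omits the executables named in the notes above. The helper name Get-RunPolicyList is hypothetical, and the required list assumes only Slogic.bat, MAKESCUT.EXE and SLEXEC.EXE are needed.

```powershell
# Added example: audit the per-user DisallowRun / RestrictRun policy state.
# Run in the affected user's session, because the values live under HKCU.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Executables this page says the logon script depends on under Method 2.
$required = 'Slogic.bat', 'MAKESCUT.EXE', 'SLEXEC.EXE'

function Get-RunPolicyList {            # hypothetical helper name
    param([ValidateSet('DisallowRun', 'RestrictRun')][string]$Name)

    # The REG_DWORD switch on the Explorer key turns the policy on.
    $flag = (Get-ItemProperty -Path $base -Name $Name -ErrorAction SilentlyContinue).$Name

    # The subkey of the same name holds one REG_SZ per executable:
    # value name = description, value data = file name.
    $entries = @()
    $listKey = Join-Path $base $Name
    if (Test-Path $listKey) {
        $key = Get-Item -Path $listKey
        foreach ($valueName in $key.GetValueNames()) {
            $entries += [pscustomobject]@{
                Description = $valueName
                Executable  = [string]$key.GetValue($valueName)
            }
        }
    }
    [pscustomobject]@{ Policy = $Name; Enabled = ($flag -eq 1); Entries = $entries }
}

$deny  = Get-RunPolicyList -Name DisallowRun
$allow = Get-RunPolicyList -Name RestrictRun

foreach ($p in @($deny, $allow)) {
    "{0}: enabled={1}, entries={2}" -f $p.Policy, $p.Enabled, @($p.Entries).Count
    foreach ($e in $p.Entries) { "  {0} -> {1}" -f $e.Description, $e.Executable }
    if (@($p.Entries).Count -gt 0 -and -not $p.Enabled) {
        Write-Warning "$($p.Policy) lists executables but the $($p.Policy) value is not 1."
    }
}

if ($allow.Enabled) {
    # -notcontains compares case-insensitively, like Windows file names.
    $missing = @($required | Where-Object { @($allow.Entries.Executable) -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning "RestrictRun is on but does not allow: $($missing -join ', ')"
    }
}
```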