HOW TO: Restrict Users from Running Specific Windows Programs in Windows 2000

Article translations Article translations
Article ID: 323525 - View products that this article applies to.
This article was previously published under Q323525
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy.
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy.
Expand all | Collapse all

On This Page

SUMMARY

This step-by-step article describes two methods that you can use to restrict users from running specific Windows programs on a Windows 2000-based computer. You can restrict users from running specific programs by either using Group Policy or editing the Windows registry.

Method 1: How to Restrict Users from Running Specific Windows Programs by Using Group Policy

To use Group Policy Object Editor to restrict users from running specific Windows programs, use the procedure that is described in the section that is appropriate to your situation.

Editing the Local Policy on a Windows 2000-Based Computer

To restrict users from running specific Windows programs on a standalone Windows 2000-based computer:
  1. Click Start, and then click Run.
  2. In the Open box, type gpedit.msc, and then click OK.
  3. Expand User Configuration, expand Administrative Templates, and then expand System.
  4. In the right pane, double-click Don't run specified Windows applications.
  5. Click Enabled, and then click Show.
  6. Click Add, and then type the executable file name of the program that you want to restrict users from running. For example, type iexplore.exe.
  7. Click OK, click OK, and then click OK.

    NOTE: If domain-level policy settings are defined, they may override this local policy setting.
  8. Quit Group Policy Object Editor.
  9. Restart the computer.

Editing the Group Policy in a Domain

To edit a domain-wide policy to restrict users from running specific Windows programs:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click your domain, and then click Properties.
  3. Click the Group Policy tab.
  4. In the Group Policy Object Links box, click the group policy to which you want to apply this setting. For example, click Default Domain Policy.
  5. Click Edit.
  6. Expand User Configuration, expand Administrative Templates, and then expand System.
  7. In the right pane, double-click Don't run specified Windows applications.
  8. Click Enabled, and then click Show.
  9. Click Add, and then type the executable file name of the program that you want to restrict users from running. For example, type iexplore.exe.
  10. Click OK, click OK, and then click OK.
  11. Quit Group Policy Object Editor, and then click OK.

    NOTE: Group Policy changes are not immediately enforced. For more information, see the Troubleshooting section.

Method 2: How to Restrict Users from Running Specific Windows Programs by Editing the Registry

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

To restrict users from running specific Windows programs by editing the registry, follow these steps:
  1. Click Start, and then click Run.
  2. In the Open box, type regedit, and then click OK.
  3. Create a DWORD value named DisallowRun. To do so:
    1. Locate and then click the following registry key:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion \Policies\Explorer
    2. On the Edit menu, point to New, and then click DWORD Value.
    3. Type disallowrun, and then press ENTER.
    4. Double-click the DisallowRun value that you created in the previous step.
    5. Type 1 in the Value data box, and then click OK.
  4. Create a new HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion \Policies\Explorer\DisallowRun subkey. To do so:
    1. Right-click the following registry key, point to New, and then click Key:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion \Policies\Explorer
    2. Type disallowrun, and then press ENTER.
  5. For each program that you want to prevent users from running, create a new string value in the DisallowRun subkey that you created in step 4. Use consecutive numbers to name the string values (starting with 1), and use the executable file name for the program as the data for the string value.

    For example, if you want to restrict users from running Microsoft Internet Explorer:
    1. Right-click the following registry key, point to New, and then click String Value:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion \Policies\Explorer\DisallowRun
    2. Type 1, and then press ENTER.
    3. Double-click the 1 value that you created in the previous step.
    4. Type iexplore.exe in the Value data box, and then click OK.
  6. Quit Registry Editor, and then restart the computer.

Troubleshooting

Group Policy background processing can take up to 5 minutes to be refreshed on domain controllers and up to 120 minutes to be refreshed on client computers. To force background processing of Group Policy settings, use the Secedit.exe tool:
  1. Click Start, and then click Run.
  2. In the Open box, type cmd, and then click OK.
  3. Type secedit /refreshpolicy user_policy /enforce, and then press ENTER.
  4. Type secedit /refreshpolicy machine_policy /enforce, and then press ENTER.
  5. Type exit, and then press ENTER to quit the command prompt.

REFERENCES

For additional information about using Secedit, click the article number below to view the article in the Microsoft Knowledge Base:
227302 Using Secedit to Force a Group Policy Refresh Immediately
For additional information about Group Policy, visit the following Microsoft Web site:
http://download.microsoft.com/download/5/2/f/52f3dbd6-2864-4d97-8792-276544ad6426/grouppolwp.doc

Properties

Article ID: 323525 - Last Review: October 30, 2006 - Revision: 4.5
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
Keywords: 
kbhowto kbhowtomaster KB323525

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com