The Application Security application lets the administrator decide exactly which programs clients can execute. However, while this feature gives the administrator a great deal of control, the administrator must manually authorize every executable that the client will run. This may be a good solution if the administrator intends for clients to run only a few applications. However, if the clients will be running more than a few applications, the administrator may find that using policies and profiles or an NTFS file and directory permissions is a better solution.
You can start the Application Security application from the Start/Programs/Administrative Tools menu, or at the command prompt with the APPSEC command. When you start the utility, you first have the option to enable or disable security. This gives administrators a quick way to turn off security if something does not work.
If Application Security is set so that a user can run no applications, after security has been enabled, a client can still attempt to connect to the Terminal Server. Administrators can always connect, because Application Security does not affect them. Non- administrative clients will receive an error when they attempt to log on:
At the Terminal Server, the administrator can add Explorer.exe to the list of authorized applications. To do this, run the Application Security application and choose ADD. Browse for the application or enter the path:
If the non-administrator user tries to connect to the Terminal Server at this point, an error similar to the following will occur:
This is the standard error message seen when users attempt to run unauthorized applications. Occasionally, the error will occur without a file name being displayed (<blank> is not a valid Windows NT application). If this happens, the administrator needs to look at the properties for the unauthorized application, to determine which executable needs to be added in Application Security.
With Explorer.exe and SysTray.exe authorized, the client should be able to view the Desktop. Some functions (such as Find) that are part of Windows Explorer will run, but most will generate the "not a valid Windows NT application" error until the administrator authorizes the application.