Tuesday, June 26, 2012

Windows Tips

Start/Run/GPEDIT/User restrictions. These things can only be changed from
Admin accounts and apply to all user profiles. GPEDIT.MSC is not available
in the Home Edition of Windows XP.

1. Go to Windows Explorer/Documents and Settings.
2. Open "All Users". Click on Start Menu/Programs and locate the shortcut to that
program.
3. Do the same under the specific username (the username that you want to be
able to individually use the program).
4. Now copy the shortcut from All Users/Start Menu/Programs to
"username"/Start Menu/Programs.
5. Once the copy process is over, delete the shortcut from All Users (this
is just a safety precaution; you can also right click/drag and drop/move).

More Specific Options:

For Pro: Go to Start/Run/Gpedit/User Configuration/Software Settings

To restrict access to files and folders in XP Home, you must be running NTFS
as your file system.

To enforce file and folder security, boot the computer in Safe Mode and log
in to the built-in Administrator account. Once there, open Windows
Explorer and locate the file/folder you wish to restrict. Right click and
select Properties. Go to the Security tab. Here you can add/remove Users
and Groups, and either grant access to the file/folder, or deny access to
it.


Applications - Restrict Users from Running Specific Applications

This setting allows you to specify applications and filenames that users are restricted from running.
Open your registry and find the key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer].
Create a new DWORD value and name it "DisallowRun". Set the value to "1" to enable application restrictions or "0" to allow all applications to run.
Then create a new sub-key called [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun] and define the applications that are to be restricted: create a new string value for each application, named as consecutive numbers, and set the value to the filename to be restricted (e.g. "regedit.exe").

Right click in the right pane and select New, DWORD value. Name the new value DisallowRun. Double click the new value and set it to 1. Then right click on the Explorer sub branch in the left pane and select New, Key. Name the new key DisallowRun. Highlight this key, then in the right pane, right click and select New, String value. Give it "1" for the name, without the quotes.
Double click this new value and enter the actual file name of the executable you wish to restrict this user from running. Example: calc.exe. This prevents this user from running Calculator. They'll get a "This operation has been cancelled" message when they try. Note: The restriction matches on the file name, so the way around it is for the user to rename Calc.exe to something else. For additional entries, just give the values names in numerical order: 1, 2, 3, 4 and so on.
Restart Windows for the changes to take effect.


Applications - Restrict Applications Users Can Run

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. Value Name: RestrictRun
Open your registry and find the key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer].
Create a new DWORD value and name it "RestrictRun". Set the value to "1" to enable application restrictions or "0" to allow all applications to run.
Then create a new sub-key called [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun] and define the applications that are allowed: create a new string value for each application, named as consecutive numbers, and set the value to the filename to be allowed (e.g. "regedit.exe" and "calc.exe").


This example prevents any applications but those that you specify from being run:
Right click in the right pane and select New, DWORD value and name the new value RestrictRun. Double click this entry and set it to 1. Right click on the Explorer sub branch in the left pane and select New, Key. Name the new key RestrictRun. Highlight this key, then in the right pane, right click and select New, String value. Give it "1" for the name, without the quotes. Double click this new value and enter the actual file name of the executable you wish to allow this user to run. Example: calc.exe. Right click again, select New, String value, and name the new value "2". Double click the new value and enter REGEDIT.EXE.
This example would only allow Calculator and REGEDIT to be run. Be VERY careful with this setting. You could wind up locking yourself out of REGEDIT if you were to use the restrictions on your Administrator account.
Restart Windows for the changes to take effect.
Note: If you are the person who applies Group Policy, do not apply this policy to yourself. If applied too broadly, this policy can prevent administrators from running Group Policy or the registry editors. As a result, once applied, you cannot change this policy except by reinstalling Windows XP.
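
Added example, not part of the original post: a PowerShell check that reads the DisallowRun and RestrictRun locations described above for the current user and flags the mistakes the text warns about. It assumes a Windows system with PowerShell 3.0 or later; the function name Get-RunPolicy is made up for this illustration.

```powershell
# Added example (not from the original post): audit DisallowRun / RestrictRun
# for the currently logged-on user. Get-RunPolicy is a hypothetical helper name.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-RunPolicy {
    param([Parameter(Mandatory)][string]$Name)   # 'DisallowRun' or 'RestrictRun'

    # The on/off DWORD is a value on the Explorer key itself.
    $enabled = $false
    $props = Get-ItemProperty -Path $explorer -ErrorAction SilentlyContinue
    if ($props -and $null -ne $props.$Name) { $enabled = ([int]$props.$Name -eq 1) }

    # The file names are string values (named 1, 2, 3, ...) in the sub-key.
    $files = @()
    $subKey = Get-Item -Path (Join-Path $explorer $Name) -ErrorAction SilentlyContinue
    if ($subKey) {
        foreach ($valueName in $subKey.GetValueNames()) {
            $files += [string]$subKey.GetValue($valueName)
        }
    }
    [pscustomobject]@{ Policy = $Name; Enabled = $enabled; Files = $files }
}

$disallow = Get-RunPolicy -Name 'DisallowRun'
$restrict = Get-RunPolicy -Name 'RestrictRun'
$disallow, $restrict |
    Format-Table Policy, Enabled, @{ Name = 'Files'; Expression = { $_.Files -join ', ' } }

foreach ($p in $disallow, $restrict) {
    # A DWORD of 1 with an empty list, or a list with the DWORD at 0, is a
    # half-finished configuration and worth a second look.
    if ($p.Enabled -and $p.Files.Count -eq 0) {
        Write-Warning "$($p.Policy) is set to 1 but its sub-key lists no file names."
    }
    if (-not $p.Enabled -and $p.Files.Count -gt 0) {
        Write-Warning "$($p.Policy) sub-key has entries but the DWORD is not 1."
    }
}

# RestrictRun is an allow list: leaving regedit.exe out is the lockout the text warns about.
if ($restrict.Enabled -and ($restrict.Files -notcontains 'regedit.exe')) {
    Write-Warning 'RestrictRun is on and regedit.exe is not allowed for this account.'
}
# DisallowRun entries are file names, so a renamed copy of a listed program is not covered.
if ($disallow.Enabled) {
    Write-Warning 'DisallowRun matches file names only; pair it with NTFS permissions.'
}
```

Run it while logged on as the account being restricted, since both policies live under HKEY_CURRENT_USER.
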
Software Restriction Policies may be set to determine what software may or may not be run by users on the system. (Jim Cavalaris [MS])
Software Restriction Policies can be configured via the group policy editor (gpedit.msc) at:

Local Computer Policy --> Computer Configuration --> Windows Settings --> Security Settings --> Software Restriction Policies.
Policy can be set to either: restrict users from running specified programs - OR - restrict users to allow ONLY the specified programs to be run.
For a non-domain machine, policy can be applied to all users on the system, or non-Admin users only (Admins are not affected by the policy, and may run any/all programs). You cannot specify this policy for only certain users, but for a non-domain machine, the Admin/non-Admin breakdown may be sufficient.
Using Software Restriction Policies in Windows XP and Windows .NET Server to Protect Against Unauthorized Software
Another Option - (KWE) - You can move shortcuts out of %ALLUSERSPROFILE%\Start Menu\Programs and place the shortcuts in specific user account profiles to keep program shortcuts from being visible to all accounts. This does not stop the limited account from running the program using a variety of techniques.


Applications - Set Priority

Open Task Manager (Ctrl+Alt+Del or Ctrl+Shift+Esc), Processes tab. Right click the program in question, Set Priority.
