Video: Lock down Windows 7 to run only specified applications

Bill Detwiler shows you how to use the Local Group Policy Editor to make Windows 7 run only the applications you approve.

If you support Windows machines located in kiosks, libraries, community centers or other public places, it's probably a good idea to specify which applications users can run and which they can't. During this week's episode of TR Dojo, I show you how to use the Local Group Policy Editor to make Windows 7 run only the applications you approve.

Warning: What to do if things go wrong

Using the Local Group Policy Editor incorrectly can have serious, negative consequences. For example, if you enable the Run Only Specified Windows Applications policy, and then fail to specify mmc.exe (Microsoft Management Console), regedit.exe (Registry Editor), or cmd.exe (the command line shell) as allowed applications, you may have a very difficult disabling the policy or modifying the list of allowed applications.

If you need to disable this policy but have locked yourself out of the mmc or regedit, you can use the REG command to delete the registry value that corresponds to the Run Only Specified Windows Applications policy. Deleting the entry will remove the restriction, and let you run gpedit.msc (the Group Policy snap-in for the MMC). You can then disable the policy through the Local Group Policy Editor.

The value you need to delete is:


You can use the following REG command to delete the value:

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ /v RestrictRun

You'll need to open the Command Prompt window using Run as Administrator to execute the command. Also, if you enabled the Run Only Specified Windows Applications policy and didn't specify any allowed applications, cmd.exe will not run, and you won't be able to use REG command. In this case, you'll need to either edit the registry remotely or from an external boot environment. If you did specify at least one allowed application, you can copy and rename the cmd.exe file, using the allowed application's filename. You can then run the renamed copy of cmd.exe.

Text transcript of the video

For those who prefer text to video, you can click the Transcript link that appears below the video player window or check out Jack Wallen's article, "How do I allow Windows 7 users to run only specific applications?"

You can also sign up to receive the latest TR Dojo lessons through one or more of the following methods:


Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

Editor's Picks