
How do I allow Windows 7 users to run only specific applications?

Jack Wallen walks you through the process of enabling users to only execute specific applications using the built-in Group Policy Editor of Windows 7.

There are times and instances where you, as the administrator of a network or group of machines, want the users to be able to run only certain applications. Kiosk machines, library machines, educational machines, community machines -- there are plenty of reasons for doing this and a few methods for achieving it. One of those methods is built into Microsoft Windows 7 (with the exception of Windows 7 Home) with the Group Policy Editor. This tool is powerful and offers numerous features, including the ability to limit the applications that a user is able to run.

Using this method, a network administrator can limit the users to executing applications based on file name. So if you allow the execution of the name Firefox.exe, that means a user can execute any application named Firefox.exe. This will not stop a user from renaming ApplicationX.exe to Firefox.exe and running that. So this method presumes users will neither know instinctively nor be willing to figure out how to get around this basic access control.

Prior to undertaking this process, it might be wise to back up the folder C:\WINDOWS\system32 in case this configuration goes south. Should that happen, you can then restore the backup and you will be back to where you started. This backup method isn't foolproof, but it sure beats winding up with a system that cannot start any applications.

So, with that said, this How do I document will walk you through the process of enabling users to execute only specific applications using the built-in Group Policy Editor of Windows 7.

This blog post is also available in PDF format in a TechRepublic download.

Step 1

The first thing you must do is open the Group Policy Editor. You won't find a menu entry for this tool. Instead, you start the tool by clicking the Start menu and then entering the command gpedit.msc. When this tool opens, you will find yourself looking at a dual-paned window that looks deceptively simple to use (Figure A).

Figure A

There are quite a few settings that can be tweaked in this tool. I wouldn't advise toying with any of these settings unless you know what you are doing.

Step 2

The next step is to navigate to the correct location of the configuration option we want to change. This is to be found in the following path:

User Configuration | Administrative Templates | System

When you navigate to that path, you will want to click on the System entry to reveal the available settings in the right pane (Figure B).

Figure B

Scroll down in the right pane until you see the entry for Run Only Specified Windows Applications.

Step 3

Double-click on the entry for Run Only Specified Windows Applications to open the preferences for this setting. When this is opened (Figure C), you will need to first make sure Enabled is checked. Once you have done that, the Show button will become available.

Figure C

You can add comments in this window in order to keep track of when this was set up and why. Documentation and tracking are always important for when things are brought up and questioned.

Step 4

The next step is to click the Show button, which will open a small window where you can enter the allowed applications (Figure D). In this window, you will add, one per line, the executable file name (including extension) for each of the applications you want the users to be allowed to execute.

Figure D

Make sure you are thorough in your listing so your users are able to start all necessary applications for work; otherwise you'll be revisiting this window to add more mission-critical applications.

Once you have completed your list of allowed applications, click the OK button and then click OK on the remaining windows to dismiss them. Once these windows are gone, you have completed this task.

After this is set up, when a user attempts to launch an application that is not on the allowed list, they will receive a warning that states "The operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."
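As an added example that is not part of the article, the following PowerShell audits the setting from an administrator's point of view: it reads the registry values the policy writes (assumed here to be the RestrictRun DWORD and the numbered entries under the RestrictRun subkey of HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer) and warns when an executable you would need to revert the policy is missing from the allowed list. The $mustKeep list is a constructed example, not something the article prescribes.

```powershell
# Added example (not the article's own code): audit the "Run only specified
# Windows applications" policy for the current user.
# Assumption: the policy is stored as a RestrictRun DWORD under the Explorer
# policies key, with the allowed list as values named 1, 2, 3... under the
# RestrictRun subkey.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey   = Join-Path $policyKey 'RestrictRun'

function Get-RestrictRunPolicy {
    $result = [ordered]@{ Enabled = $false; Allowed = @() }

    # The DWORD is only present when the policy has been set.
    $flag = Get-ItemProperty -Path $policyKey -Name 'RestrictRun' -ErrorAction SilentlyContinue
    if ($flag -and $flag.RestrictRun -eq 1) {
        $result.Enabled = $true
    }

    # Collect the allowed executables in the order the editor numbered them.
    if (Test-Path $listKey) {
        $item = Get-Item -Path $listKey
        $result.Allowed = @(
            $item.GetValueNames() |
                Where-Object { $_ -match '^\d+$' } |
                Sort-Object { [int]$_ } |
                ForEach-Object { $item.GetValue($_) }
        )
    }
    return [pscustomobject]$result
}

# Constructed list of executables an administrator usually needs to keep
# reachable: mmc.exe hosts gpedit.msc, so without it the policy cannot be
# reverted from this account through the editor.
$mustKeep = @('explorer.exe', 'mmc.exe')

$policy = Get-RestrictRunPolicy
if (-not $policy.Enabled) {
    Write-Output 'RestrictRun is not enabled for this user.'
} else {
    Write-Output ("RestrictRun is enabled; {0} allowed executable(s):" -f $policy.Allowed.Count)
    $policy.Allowed | ForEach-Object { Write-Output "  $_" }

    # -notcontains is case-insensitive, matching how file names are compared.
    $missing = $mustKeep | Where-Object { $policy.Allowed -notcontains $_ }
    if ($missing) {
        Write-Warning ("Not on the allowed list: {0}. Reverting the policy from this account may not be possible." -f ($missing -join ', '))
    }
}
```

Run it in the affected user's session before logging off, since the policy is stored per user and an empty or incomplete list is what leaves a machine unable to start its tools.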

Final thoughts

It's not a perfect system, and on a system with savvy users, it's fairly easy to get around. But for basic purposes, it will stop most of the average users from launching anything not on an allowed list. Also note that this method does not disable any applications that are system processes. So you won't stop everyone using this method, but you will stop plenty of users from launching applications you don't want them to launch.


About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

27 comments
Simply Enthused

Alright, I know that these comments and this article are fairly "old", but it clearly states in the article "I wouldn't advise toying with any of these settings unless you know what you are doing."


Also, Mr. Wallen states that it is advisable to back up the specific folder C:\WINDOWS\system32 just in case you mess up somehow, and judging by most of these comments, I'd say that goes for a majority of everyone here.


This is a well written and thought out article and I thank Mr. Wallen for taking the time in writing this.

abacrotto

Hey, guys!!! My name is Ariel, and I live in Argentina. I am searching for a way to block some users' access to everything outside one application I will determine later. The owner does not want the computer user to be able to do anything at all but that application. In case there is some repair to do, it will be necessary to log on as an Administrator. But for that to happen it should be necessary for the configuration to be on a per-user basis. Does anyone know a way of doing this? Thanks in advance and sorry for my bad English. Ariel.

mykele80

I've the same problem... I can't disable it. What can I do?

reekoazil

Topic of discussion: "How do I allow Windows 7 users to run only specific applications?" I followed every step, and now my system is locked. Run and the gpedit command are locked. How do I undo this? Help me please.

kgraman86

Great, I have tried it with XP SP3 too.

Jaqui

Just move the apps you don't want them to use from /bin and /usr/bin into /sbin and /usr/sbin, or uninstall them completely if they aren't needed for the purposes of the business. /sbin and /usr/sbin apps can only be used by the system admin.

juaniotoo

Isn't there anything that would make operating a stand-alone computer such as mine easier, some easier settings to the system just for me, me, me, and not mess with the Group Policy Editor settings? This is so frustrating for stand-alone computer people, I'm fairly certain. Is there anyone out in computer land with this problem?

dstromstad

You could always use AppLocker. That's what it is made to do! Dane Stromstad MCP, MCDST, SDP

jc@dshs

Does this work the same with the gpedit.msc in Windows XP? I followed all of your steps on my XP machine and it seemed to be exactly the same. Does Windows 7 improve on the XP version, or does it have more options or something, or is it exactly the same?

darkstate

There is another way to restrict programs that MAY BE a bit more suited, even for those users who can and do change the name of their programs to get past your gpedit restriction. Use gpedit as above, then go to Computer Configuration/Windows Settings/Security Settings/Software Restriction Policies/Additional Rules, then right-click in the right-hand side panel - New Hash Rule - Browse - find the .exe (program) you want to allow or disallow. In the drop-down box of the security level, pick what suits your needs, then press OK and you are done. Try changing the name of the restricted program and you will see it still stops it from running. This works for viruses/trojans that keep popping up as well. It uses the hash, not the name of the program; the program name can change to whatever, but the program hash will remain the same. This will also work for those annoying popups some programs use when you do an update; just find the name of the popup program and use the above example to disallow it.

ctran

It is a simple task and it is very nice. Thank you for your tips.

rlawsonrd

Have you tested the AppLocker policy included in Win 7?

Daniel Breslauer

Pretty easy. Block access to Start Menu items (for example: remove All Programs function, remove run menu/function, disable command prompt, block access to Explorer). Plenty of options in that direction.

Mark W. Kaelin

What applications, if any, do you use to enforce user access controls?
