
How do I allow Windows 7 users to run only specific applications?

Jack Wallen walks you through the process of enabling users to only execute specific applications using the built-in Group Policy Editor of Windows 7.

There are times and instances where you, as the administrator of a network or group of machines, want the users to be able to run only certain applications. Kiosk machines, library machines, educational machines, community machines -- there are plenty of reasons for doing this and a few methods for achieving it. One of those methods is built into Microsoft Windows 7 (with the exception of Windows 7 Home) with the Group Policy Editor. This tool is powerful and offers numerous features, including the ability to limit the applications that a user is able to run.

Using this method, a network administrator can limit users to executing applications based on file name. So if you allow the execution of the name Firefox.exe, a user can execute any application named Firefox.exe. This will not stop a user from renaming ApplicationX.exe to Firefox.exe and running that. So this method presumes users will either not know how, or not be willing to figure out how, to get around this basic access control.

Prior to undertaking this process, it might be wise to back up the folder C:\WINDOWS\system32 in case this configuration goes south. Should that happen, you can then restore the backup and you will be back to where you started. This backup method isn't foolproof, but it sure beats winding up with a system that cannot start any applications.

So, with that said, this How do I document will walk you through the process of enabling users to execute only specific applications using the built-in Group Policy Editor of Windows 7.


Step 1

The first thing you must do is open the Group Policy Editor. You won't find a menu entry for this tool. Instead you start the tool by clicking the Start menu and then entering the command gpedit.msc. When this tool opens, you will find yourself looking at a dual-paned window that looks deceptively simple to use (Figure A).

Figure A

There are quite a few settings that can be tweaked in this tool. I wouldn't advise toying with any of these settings unless you know what you are doing.

Step 2

The next step is to navigate to the correct location of the configuration option we want to change. This is to be found in the following path:

User Configuration | Administrative Templates | System

When you navigate to that path, you will want to click on the System entry to reveal the available settings in the right pane (Figure B).

Figure B

Scroll down in the right pane until you see the entry for Run Only Specified Windows Applications.

Step 3

Double-click on the entry for Run Only Specified Windows Applications to open the preferences for this setting. When this is opened (Figure C), you will need to first make sure Enabled is checked. Once you have done that, the Show button will become available.

Figure C

You can add comments in this window in order to keep track of when this was set up and why. Documentation and tracking are always important for when a configuration is later brought up and questioned.

Step 4

The next step is to click the Show button, which will open a small window where you can enter the allowed applications (Figure D). In this window, you will add, one per line, the executable file name (including extension) for each of the applications you want the users to be allowed to execute.

Figure D

Make sure you are thorough in your listing so your users are able to start all necessary applications for work, otherwise you'll be revisiting this window to add more mission-critical applications.

Once you have completed your list of allowed applications, click the OK button and then click OK on the remaining windows to dismiss them. Once these windows are gone, you have completed this task.

After this is set up, when a user attempts to launch an application that is not on the allowed list, they will receive a warning that states "The operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."
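The four steps above set one per-user policy. As an added example that is not from the article, the PowerShell below manages the same allow-list from a script: it enables the policy, writes the list of executable names, reads the current list back for auditing, and removes the policy again, which is the "undo" you need if the list ever locks out the account you administer from. It assumes (a well-known location, but not stated on the page) that "Run only specified Windows applications" is stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer as a DWORD named RestrictRun set to 1 plus a subkey named RestrictRun containing one string value per allowed file name; the function names and the example list of executables are mine.

```powershell
# Added example (not the article's own steps): manage the "Run only specified
# Windows applications" allow-list directly in the user's registry hive.
#
# Assumption: the policy is stored as
#   HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
#     RestrictRun (DWORD) = 1
#     RestrictRun\        (subkey) with string values "1"="firefox.exe", "2"=..., one per name
# It affects only the user whose hive is written and takes effect at that user's
# next logon (or when Explorer restarts).

$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ListKey   = Join-Path $PolicyKey 'RestrictRun'

function Set-AllowedApplications {
    <# .SYNOPSIS Enable the policy and replace the allow-list with the given file names. #>
    param(
        [Parameter(Mandatory)] [string[]] $Names   # e.g. 'firefox.exe', 'notepad.exe'
    )
    # The control is name-based, exactly as the article describes: only the
    # executable file name (with extension) is compared, never the path or content.
    $bad = $Names | Where-Object { $_ -notmatch '\.exe$' }
    if ($bad) { throw "Entries must be executable file names with extension: $($bad -join ', ')" }

    # Start from an empty list so entries from an earlier run do not linger.
    if (Test-Path $ListKey) { Remove-Item $ListKey -Recurse -Force }
    New-Item -Path $ListKey -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'RestrictRun' -PropertyType DWord -Value 1 -Force | Out-Null

    $i = 1
    foreach ($name in ($Names | Select-Object -Unique)) {
        New-ItemProperty -Path $ListKey -Name ([string]$i) -PropertyType String -Value $name -Force | Out-Null
        $i++
    }
}

function Get-AllowedApplications {
    <# .SYNOPSIS Report whether the policy is enabled and which names it allows (audit view). #>
    $enabled = $false
    if (Test-Path $PolicyKey) {
        $v = Get-ItemProperty -Path $PolicyKey -Name 'RestrictRun' -ErrorAction SilentlyContinue
        $enabled = ($null -ne $v) -and ($v.RestrictRun -eq 1)
    }
    $names = @()
    if (Test-Path $ListKey) {
        $item = Get-Item $ListKey
        # Value names are "1", "2", ...; sort numerically so the report matches the GUI order.
        $names = @($item.GetValueNames() | Sort-Object { [int]$_ } | ForEach-Object { $item.GetValue($_) })
    }
    [pscustomobject]@{ Enabled = $enabled; AllowedNames = $names }
}

function Remove-AllowedApplicationsPolicy {
    <# .SYNOPSIS Roll back: delete the list and the enabling value so every program runs again. #>
    if (Test-Path $ListKey) { Remove-Item $ListKey -Recurse -Force }
    if (Test-Path $PolicyKey) {
        Remove-ItemProperty -Path $PolicyKey -Name 'RestrictRun' -ErrorAction SilentlyContinue
    }
}

# Usage: run in the session of the user being restricted. The list below is a
# constructed example; include the tools you will need for later maintenance
# (for instance mmc.exe and powershell.exe), or keep a separate unrestricted
# administrator account, otherwise the Run box and the policy editor are blocked too.
Set-AllowedApplications -Names 'firefox.exe', 'notepad.exe', 'mmc.exe', 'powershell.exe'
Get-AllowedApplications | Format-List
# To undo:  Remove-AllowedApplicationsPolicy
```

Writing to the user's own hive keeps the scope to that one account. The local Group Policy object that gpedit.msc edits applies its User Configuration to every account that logs on to the machine, administrators included, which is how an administrator ends up locked out of the editor; on Windows Vista and later, opening the Group Policy Object Editor snap-in in mmc.exe and choosing the Non-Administrators local policy avoids that.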

Final thoughts

It's not a perfect system, and on a system with savvy users, it's fairly easy to get around. But for basic purposes, it will stop most of the average users from launching anything not on an allowed list. Also note that this method does not disable any applications that are system processes. So you won't stop everyone using this method, but you will stop plenty of users from launching applications you don't want them to launch.


About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

26 comments
abacrotto

Hey, guys!!! My name is Ariel, and I live in Argentina. I am searching for a way to block some users' access to everything outside one application I will determine later. The owner does not want the computer user to be able to do anything at all but that application. In case there is some repair to do, it will be necessary to log on as an Administrator. But for that to happen it should be necessary for the configuration to be on a per-user basis. Does anyone know a way of doing this? Thanks in advance and sorry for my bad English. Ariel.

mykele80

I have the same problem... I can't disable it. What can I do?

reekoazil

Topic of discussion "How do I allow Windows 7 users to run only specific applications?"... I followed every step... now my system is locked... the Run and gpedit commands are locked... How do I undo this? Help me, please.

kgraman86

Great, I have tried it with XP SP3 too.

Jaqui

Just move the apps you don't want them to use from /bin and /usr/bin into /sbin and /usr/sbin, or uninstall them completely if they aren't needed for the purposes of the business. /sbin and /usr/sbin apps can only be used by the system admin.

juaniotoo

Isn't there anything that would make operating a stand-alone computer such as mine easier, some simpler settings to the system just for me, me, me, and not mess with the Group edit settings? This is so frustrating for stand-alone computer people, I'm fairly certain. Is there anyone out in computer land with this problem?

dstromstad

You could always use AppLocker. That's what it is made to do! Dane Stromstad MCP, MCDST, SDP

jc@dshs

Does this work the same with the gpedit.msc in Windows XP? I followed all of your steps on my XP machine and it seemed to be exactly the same. Does Windows 7 improve on the XP version, or does it have more options or something, or is it exactly the same?

darkstate

There is another way to restrict programs that may be a bit more suited, even for those users who can and do change the name of their programs to get past your gpedit restriction. Use gpedit as above, then go to Computer Configuration/Windows Settings/Security Settings/Software Restriction Policies/Additional Rules, then right-click in the right-hand side panel - New Hash Rule - Browse - find the .exe (program) you want to allow or disallow. In the drop-down box of the security level, pick what suits your needs, then press OK and you are done. Try changing the name of the restricted program and you will see it still stops it from running. This works for viruses/trojans as well that keep popping up. It uses the hash, not the name of the program; the program name can change to whatever, but the program hash will remain the same. This will also work for those annoying popups some programs use when you do an update; just find the name of the popup program and use the above example to disallow it.

ctran

It is a simple task and it is very nice. Thank you for your tips.

rlawsonrd

Have you tested the applocker policy included in win 7?

Daniel Breslauer

Pretty easy. Block access to Start Menu items (for example: remove All Programs function, remove run menu/function, disable command prompt, block access to Explorer). Plenty of options in that direction.

Mark W. Kaelin

What applications, if any, do you use to enforce user access controls?

KingKin777

I tried this; somehow the "Edit group policy" settings change applied to all the user accounts, even the Administrator account I made the changes from. Now I can't get back into "Edit group policy" from the Administrator account; the machine says I don't have permissions. I can't even access the Recovery partition to format. Thanks for the post!

darkstate

I haven't found app locker in enterprise 7, bit locker yes. But truecrypt is the best and easiest and most reliable to this monkey :)

Ron_007

you have the right version of Win7: Ultimate or Corporate (or whatever its correct name is). AppLocker and BitLocker are limited to only those 2 versions. Presumably to protect the "average" (read "idiot!") user from shooting themselves in the foot, then flooding MS with support calls. I wish AppLocker and BitLocker were available in "lower" business versions of Win so that "power" users could have access to them. PS: Can anyone confirm if in this process there is a way of specifying an explicit path to the executable?

The 'G-Man.'

the OP to actually research the subject matter instead of just rehashing an old 2003 type method.

juaniotoo

I haven't gotten around to trying all the features of Windows 7 Pro currently installed on my "D" drive due to heavy involvement with my graphic programs. Every now and again I get the tired old dialog box telling me I don't have permission to access certain features on my graphic programs, and that sucks. It doesn't do it on my C drive, which is Windows XP. I wish Microsoft would come out with a simple OS catering to stand-alone computers such as mine. I hate all the permissions associated with Windows. But, thanks for your help. Juan

Gis Bun

I did something like this. Everything was removed from the Start menu. Couldn't access the task manager [after all you can do a few things there] in addition to what you subscribed. You do it on a per user basis. So an admin logs in and sees everything. But the intended user sees nothing. Also don't forget to remove the option where the user can create a shortcut on the desktop.

TobiF

1. Don't just enter the filename, but include the full path. This way, the user won't be able to copy some executable file to the desktop, rename it into firefox.exe and run it, since the file would need to be in its correct location. But hey, with the right restrictions set, he won't be able to mess around there!
2. If you really are building a kiosk, then you may consider deleting unneeded programs from the hard drive's Windows and system folders. You can't run a file that isn't there. (But keep those files you may need to get started with maintenance later on.)
3. Why not mount your system to a live drive and run it without an HDD! Every time you boot, you get a fresh system, guaranteed!

erwin.alex

Hi there! I use file and folder execution permissions to restrict applications; has anyone used it? I had to do it that way because certain applications must be allowed to run with a password, so we use runas to run these ones as power user. By the way, I have the kind of users that like to modify everything, install whatever they find on the internet and... well, you know. Final note: this way is somewhat risky if you don't take care of what you do; you can end up with an unusable Windows. So, keep a user that ONLY belongs to the administrators group and be sure that group has explicit permission wherever you delete the user group's one.

juaniotoo

Hi TechRepublic members out there that contributed all the various posts towards my query. It has helped, and I have in fact tried some out, with some good results, others not so good. I need to find out if any member has a dual-boot configuration like I do, with Windows XP on the "C" drive and Windows 7 Pro on the "D" drive. If yes, let me know of any problems you've experienced. I haven't. Bye. Juan

Neon Samurai

Truecrypt just released version 7 which does full disk encryption on the lower Business win7 versions even if they have the separate boot partition. You can do your whole drive, your partition or blob files mounted to drive letters. It'd be nice to play with the Win7 native encryption but it's withheld for premium sku numbers and I got a lot of trust in Truecrypt. (Note, Truecrypt 6.3a would only do win7 full disk encryption if Windows was installed without the separate boot partition.)

fsfernandes

@juaniotoo I have Windows XP on the C drive, Windows Vista on the D drive, Windows 7 on the E drive and Windows 8 on the Z drive in multiple boot mode, and all is good and fine.

Regards
