How do I allow Windows 7 users to run only specific applications?

Jack Wallen walks you through the process of enabling users to only execute specific applications using the built-in Group Policy Editor of Windows 7.

There are times and instances where you, as the administrator of a network or group of machines, want the users to be able to run only certain applications. Kiosk machines, library machines, educational machines, community machines -- there are plenty of reasons for doing this and a few methods for achieving it. One of those methods is built in to Microsoft Windows 7 (with the exception of Windows 7 Home) with the Group Policy Editor. This tool is powerful and offers numerous features including the ability to limit applications that a user is able to run.

Using this method, a network administrator can limit the users to executing applications based on name. So if you allow the execution of the name Firefox.exe, that means a user can execute an application named Firefox.exe. This will not stop a user from renaming ApplicationX.exe to Firefox.exe and running that. So this method does presume users will either not know instinctively or be willing to figure out how to get around this basic access control.

Prior to undertaking this process, it might be wise to back up the folder C:\WINDOWS\system32 in case this configuration goes south. Should that happen, you can then restore the backup and you will be back to where you started. This backup method isn't foolproof, but it sure beats winding up with a system that cannot start any applications.

So, with that said, this How do I document will walk you through the process of enabling users to execute only specific applications using the built-in Group Policy Editor of Windows 7.

This blog post is also available in PDF format in a TechRepublic download.

Step 1

The first thing you must do is open the Group Policy Editor. You won't find a menu entry for this tool. Instead you start the tool by clicking the Start menu and then entering the command gpedit.msc. When this tool opens, you will find yourself looking at a dual-paned window that looks deceptively simple to use (Figure A).

Figure A

There are quite a few settings that can be tweaked in this tool. I wouldn't advise toying with any of these settings unless you know what you are doing.

Step 2

The next step is to navigate to the correct location of the configuration option we want to change. This is to be found in the following path:

User Configuration | Administrative Templates | System

When you navigate to that path, you will want to click on the System entry to reveal the available settings in the right pane (Figure B).

Figure B

Scroll down in the right pane until you see the entry for Run Only Specified Windows Applications.

Step 3

Double-click on the entry for Run Only Specified Windows Applications to open the preferences for this setting. When this is opened (Figure C), you will need to first make sure Enabled is checked. Once you have done that, the Show button will become available.

Figure C

You can add comments in this window in order to keep track of when this was set up and why. Documentation and tracking is always important for when things are brought up and questioned.

Step 4

The next step is to click the Show button, which will open a small window where you can enter the allowed applications (Figure D). In this window, you will add, one per line, the executable file name (including extension) for each of the applications you want the users to be allowed to execute.

Figure D

Make sure you are thorough in your listing so your users are able to start all necessary applications for work, otherwise you'll be revisiting this window to add more mission-critical applications.

Once you have completed your list of allowed applications, click the OK button and then click OK on the remaining windows to dismiss them. Once these windows are gone, you have completed this task.

After this is set up, when a user attempts to launch an application that is not on the allowed list, they will receive a warning that states "The operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."

Final thoughts

It's not a perfect system, and on a system with savvy users, it's fairly easy to get around. But for basic purposes, it will stop most of the average users from launching anything not on an allowed list. Also note that this method does not disable any applications that are system processes. So you won't stop everyone using this method, but you will stop plenty of users from launching applications you don't want them to launch.

Stay on top of the latest Microsoft Windows tips and tricks with TechRepublic's Windows Desktop newsletter, delivered every Monday and Thursday. Automatically sign up today!