Admin Tips
- Windows Server 2008/2003/2000/XP/NT Administrator Knowledge Base
  - Windows XP
    - Admin Tips
      - Security
        Restrict which programs can be run

Section(s): Security
Published on Jun 28, 2006.
Last Modified on Jun 28, 2006.
Last Modified by Mitch Tulloch.
Rated 3.9 out of 5 based on 16 votes.

How to restrict which programs are allowed to run on a computer

A common question is how can I restrict which programs can be run on Windows? With Group Policy (or Local Group Policy on a standalone machine) you can do this, though it takes a bit of work. Here's how it works:

In a domain, open the GPO linked to the container holding the user accounts you want to restrict (or on a standalone computer use Start --> Run --> type gpedit.msc to open the Local GPO).

Expand User Configuration \ Administrative Templates \ System Open the policy named Run Only Allowed Windows Applications Enable the policy and click Show

Click Add and type the executable name for each program you want to *allow* the user to run

Once the policy is applied, the user will only be able to run the programs you specified and no others. Unless you have allowed them access to the command prompt cmd however, in which case they can run pretty much anything if they can find it.

Cheers, Mitch Tulloch, MVP

About Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions. Mitch has published over two hundred articles on different IT websites and magazines, and he has written or contributed to almost two dozen books and is lead author for the Windows 7 Resource Kit from Microsoft Press. For more information, see www.mtit.com .