Hi, Wes -
Thanks to MVP Kelly Thierot for this one -
==========
Start -->Run -->Regedit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersio
n\Policies\Explorer. Value Name: RestrictRun Open your
registry and find the key
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersi
on \Policies\Explorer] Create a new DWORD value and name
it "RestrictRun" set the value to "1" to enable
application restrictions or "0" to allow all applications
to run.
Then create a new sub-key called
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersi
on \Policies\Explorer\RestrictRun] and define the
applications that are allowed. Creating a new string
value for each application, named as consecutive numbers,
and setting the value to the filename to be allowed
(e.g. "regedit.exe"). Restart Windows for the changes to
take effect.
Note: If you are the person who applies Group Policy, do
not apply this policy to yourself. If applied too
broadly, this policy can prevent administrators from
running Group Policy or the registry editors. As a
result, once applied, you cannot change this policy
except by reinstalling Windows.
The application name for Internet Explorer is
iexplore.exe and for Notepad it's notepad.exe - and I
*strongly* suggest trying this on a test account before
inflicting it on all your users. As Kelly mentions if you
restrict all accounts you won't be able to get back into
the registry to put things back the way they were. Leave
at least one administrator-level account unrestricted.
Hope this helps -
