See
www.dougknox.com, Win XP Tips, Advanced Registry Editing for a method of
modifying a user's portion of the Registry without actually having to log on
to that user's desktop.
You need to look in that user's portion of the Registry in
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Right click in the right pane, select New, DWord value and name it
RestrictRun. Double click the value you just created and set it to 1.
Next, right click on the Explorer subkey, select New, Key and name it
RestrictRun. Highlight the key you just created and right click in the
right pane. Select New, DWord value and name it 1. Double click this new
value and enter in the executable name (e.g. NOTEPAD.EXE) that you want to
allow the user to run. Unload the user's hive (if you used the technique
from my web site). Now, if you log on to that user's account, they
shouldn't be able to run any application but that one.
Note: This does not stop them from right clicking things like the Desktop,
My Computer, etc. and changing settings. It only prevents them from
running applications from the Start Menu or the Run dialog. It also will
not prevent them from running programs from the Command Prompt. For
additional security, see
www.dougknox.com, Win XP Utilities, Windows XP
Security Console. Version 2 will be released soon, and will include the
features needed to implement the process described above, in the licensed
version.
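
The registry steps above, scripted with reg.exe from PowerShell as an added example (not code from the original post or from dougknox.com). The profile path, the TempUser mount name and the allow-list contents are placeholders, and the list entries are written as string (REG_SZ) values because each one holds a file name.

```powershell
# Added example: apply the RestrictRun allow-list to another user's hive.
# Assumptions (not from the original post): $HivePath, the TempUser mount
# name and the $Allowed list are placeholders. Run from an elevated prompt
# while the target user is logged off, otherwise the hive file is locked.
param(
    [string]   $HivePath = 'C:\Documents and Settings\ExampleUser\NTUSER.DAT',
    [string[]] $Allowed  = @('NOTEPAD.EXE')
)

$mount    = 'HKU\TempUser'
$explorer = "$mount\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
$list     = "$explorer\RestrictRun"

# Load the user's hive under a temporary name in HKEY_USERS.
& reg.exe load $mount $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive: $HivePath" }

try {
    # Step 1: the RestrictRun DWORD set to 1 switches the restriction on.
    & reg.exe add $explorer /v RestrictRun /t REG_DWORD /d 1 /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Could not set the RestrictRun value' }

    # Remove any previous list so stale entries do not stay allowed.
    # cmd.exe handles the redirection; a missing key is not an error here.
    & cmd.exe /c "reg.exe delete $list /f >nul 2>&1"

    # Step 2: the RestrictRun subkey holds one numbered value per
    # permitted executable (1, 2, 3, ...).
    $n = 1
    foreach ($exe in $Allowed) {
        & reg.exe add $list /v $n /t REG_SZ /d $exe /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not add list entry: $exe" }
        $n++
    }

    # Show the resulting policy for review before unloading.
    & reg.exe query $explorer /v RestrictRun
    & reg.exe query $list
}
finally {
    # Always unload, even on failure, so the hive file is released.
    & reg.exe unload $mount | Out-Null
}
```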