Restrict Software


Justin

I am wanting to make it where only one program can run on
a Windows XP Home Edition.

I am looking for help in how to do this, I want them to
have access only to AutoCAD the program, and its files.
That is it.
Can I get some help on this matter please.

This includes I do not want Internet Explorer used
anything!
Thank you!
-Justin
 
either use software policies
start -> run (type)secpol.msc[enter] -> \software policies\

or creative use of ntfs permissions and the "traverse
folder/execute file" permission. - note that this
permission probably only applies to execute file since
default security settings allow "bypass traverse checking"
for all users - see secpol.msc -> local policies\user
right assignment\

or delete all unneeded exe files - this is a little
extreme, but doable, however only to be recommended on a
test machine first.
 
apologies for the lame post - it has been a while since i
last used xphome.

the new method of software policies is not available with
xphome, only 2k and xppro. the older poledit style
software policy can be used in xphome. this is not as
secure as the newer software policy since it relies on the
file name rather than the md5 signature of the file. in
order to implement, first create an administrative
account. from there do start -> run -> regedit -> navto:
hkey_local_machine -> registry -> load hive... -> browse
to the restrict users profile eg c:\documents and
settings\foobar\ -> select and open the ntuser.dat file
within -> enter a choice key name eg foobar -> ok ->
navto:
hkey_local_machine\foobar\software\microsoft\windows\currentversion\policies\explorer\ -> right-click in the right
pane -> new -> dword value -> name this new value:
RestrictRun -> double-click this value and change the data
to 1 -> ok -> right-click the explorer key in the left
pane -> new -> key -> name this key: RestrictRun -> navto:
this new restrictrun key -> right-click in the right pane ->
new -> string value -> name this new value: 1 -> double-
click this value and change the data to a filename of an
allowed exe eg notepad.exe -> ok. repeat these last few
steps adding string values to the restrict run key of all
the exes that you want to be allowed to run by this user.
increment the name of each value by 1 so each value is
different. when you have finished navto:
hkey_local_machine\foobar\ -> file -> unload hive... ->
yes - note that this step is very important, if you forget
to unload the hive the user will not be able to logon
under that registry database.

creative use of ntfs permissions - first check that you
are using ntfs for all partitions, within windows explorer
right-click each partition -> properties -> check file
system: ntfs. convert as needed if fat/fat32. eg start ->
run -> cmd -> c:\>convert c: /fs:ntfs [enter] possible
caution if you are dualbooting with a 9x system. xp home
does not show the security tab for ntfs formatted
partitions in normal mode. to do so you need to reboot
into safe mode. this is a time waster and i advise that
you install this program to enable access in normal mode:
FaJo XP FSE a free download ->
http://www.fajo.de/de/sware/xpfse/index.html no reboot
required. then do start search -> for files and folders ->
*.exe;*.com;*.scr note that there are many other file
formats that require the access: execute permission, but
these are the main ones -> do ctrl+a to select all of the
search finds -> right-click -> properties -> security ->
yes -> advanced -> uncheck inherit from parent the
permissions entries that apply to child objects. include
these with entries explicitly defined here -> remove ->
add -> advanced -> find now -> select administrators ->
ok -> ok -> check the full control box on the allow side,
all boxes on the allow side should check -> ok -> add ->
advanced -> find now -> select either the specific user or
(custom)group that is to be restricted -> ok -> ok ->
check the full control box on the allow side, all boxes on
the allow side should check -> uncheck the traverse
folder / execute file box on the allow side, the full
control box should uncheck, but the rest should remain ->
ok -> ok -> ok. now select the exes that you do want to be
used and update the permissions so that the setting reads
allow for traverse folder / execute file. probably a good
idea to allow c:\windows\explorer.exe and
c:\windows\system32\userinit.exe - verify that these
permissions are effective in the restrictive account. you
can also *probably* setup auditing for fail attempts, but
email me if you do. in order to get a good idea of which
exes need to be allowed logon as the user and run taskmgr
ctrl+alt+del or ctrl+shift+esc -> processes -> click
username to sort by account -> make a note of the exes
under the user account after running allowed programs.


the deleting exes idea is a little extreme, like i said and
you will need to disable windows file protection to do
this. probably not an ideal solution - ignore.

any questions, just post here or email direct.
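
The RestrictRun steps from the post above, scripted with reg.exe as an added example (not part of the original post). The profile folder and key name foobar are the post's placeholders; acad.exe as AutoCAD's executable name and the rest of the allow-list are assumptions.

```bat
@echo off
rem Added example, not from the thread. Run from an administrator account
rem while the restricted user is logged off.
rem Assumptions: profile folder and temporary key name "foobar" (the post's
rem placeholders); the allow-list below is illustrative.
setlocal enabledelayedexpansion

set "PROFILE=C:\Documents and Settings\foobar"
set "HIVE=HKLM\foobar"
set "POL=%HIVE%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
set "ALLOWED=acad.exe notepad.exe"

rem Mount the user's ntuser.dat under a temporary key (regedit: Load Hive)
reg load "%HIVE%" "%PROFILE%\ntuser.dat"
if errorlevel 1 (
    echo Could not load the hive. Is the user still logged on?
    exit /b 1
)

rem Switch the policy on: DWORD RestrictRun = 1 under ...\Policies\Explorer
reg add "%POL%" /v RestrictRun /t REG_DWORD /d 1 /f
if errorlevel 1 goto unload

rem Start from an empty allow-list so stale entries do not survive a re-run
reg delete "%POL%\RestrictRun" /f >nul 2>&1

rem One string value per allowed exe, named 1, 2, 3, ...
set /a N=0
for %%E in (%ALLOWED%) do (
    set /a N+=1
    reg add "%POL%\RestrictRun" /v !N! /t REG_SZ /d "%%E" /f
)

rem Show what was written so it can be checked before unloading
reg query "%POL%\RestrictRun"

:unload
rem Always unload, even after a failure, or the user cannot log on
reg unload "%HIVE%"
if errorlevel 1 echo WARNING: hive still loaded - unload it before the user logs on.
endlocal
```

RestrictRun is enforced by Windows Explorer and matches on file name only, so confirm the result by logging on as the restricted user.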
