DisallowRun - Do not have access



Capp
07-09-2005, 10:51 PM
Hello,
I have searched and searched for this answer with no conclusion. I am
wanting to restrict access to a few certain applications for a couple of
Win2000/XP machines (I don't want to use GPO's either) utilizing the
"DisallowRun" key I have seen mentioned on hundreds of sites.
The key goes into:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
But, that seems to be the only key under HKCU that users do not have access
to.

I can access it with the Admin account, but that only locks out the admin
account. I was told to do this with whatever account(s) I want to deny access
to, but I don't seem to have permissions?

If DisallowRun goes into the key above to stop the current user, why do I
not have access to it? and is there a way to do this? This seems to be a
great tool to keep users from running certain apps, so why does a user
account not have access to this?

I'm a network admin and wanting to deploy a few scripts to a few stations to
stop certain programs from being accessed (games, etc...)

Thank You in advance for the help

Steven L Umbach
07-09-2005, 10:51 PM
Group Policy is something you should consider. The same setting is available
under user configuration/administrative templates/system for disallowed
Windows applications. Gpedit.msc can be used if these are not domain
computers and there are ways to prevent local Group Policy from applying to
local administrators if need be. Windows XP Pro has the Software Restriction
Policies which is much more powerful by using path, hash, or certificate
rules to manage what a user can run on their computer which can prevent the
easy workarounds from the method you want to use such as renaming an
executable. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

"Capp" <Capp@discussions.microsoft.com> wrote in message
news:C3E1CB29-93F9-4877-817C-E2B6315AD008@microsoft.com...
> Hello,
> I have searched and searched for this answer with no conclusion. I am
> wanting to restrict access to a few certain applications for a couple of
> Win2000/XP machines (I don't want to use GPO's either) utilizing the
> "DisallowRun" key I have seen mentioned on hundreds of sites.
> The key goes into:
> HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
> But, that seems to be the only key under HKCU that users do not have
> access
> to.
>
> I can access it with the Admin account, but that only locks out the admin
> account. I was told to do this with whatever account(s) I want to deny
> access
> to, but I don't seem to have permissions?
>
> If DisallowRun goes into the key above to stop the current user, why do I
> not have access to it? and is there a way to do this? This seems to be a
> great tool to keep users from running certain apps, so why does a user
> account not have access to this?
>
> I'm a network admin and wanting to deploy a few scripts to a few stations
> to
> stop certain programs from being accessed (games, etc...)
>
> Thank You in advance for the help
>
>
>

Capp
07-09-2005, 10:51 PM
Hey Steven,
Using GPO's is fine for some cases, but I have written a program to do
these kind of changes via .exe. It is not malicious, rather, a security app
and I need to find a way to get this to work. I have seen source code for
several viruses in the past that utilize this method, all via code, so I know
there is a way. This program is not always going to be run by me, so I cannot
rely on GPO's.

I need to know if there is a method I do not know of that is similar to
this. I am not going to be using any group policies unless it can be managed
programmatically. That is why I need the help.

Thank You again for your assistance, maybe eventually I'll get this figured
out.

Capp

"Steven L Umbach" wrote:

> Group Policy is something you should consider. The same setting is available
> under user configuration/administrative templates/system for disallowed
> Windows applications. Gpedit.msc can be used if these are not domain
> computers and there are ways to prevent local Group Policy from applying to
> local administrators if need be. Windows XP Pro has the Software Restriction
> Policies which is much more powerful by using path, hash, or certificate
> rules to manage what a user can run on their computer which can prevent the
> easy workarounds from the method you want to use such as renaming an
> executable. --- Steve
>
> http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
>
> "Capp" <Capp@discussions.microsoft.com> wrote in message
> news:C3E1CB29-93F9-4877-817C-E2B6315AD008@microsoft.com...
> > Hello,
> > I have searched and searched for this answer with no conclusion. I am
> > wanting to restrict access to a few certain applications for a couple of
> > Win2000/XP machines (I don't want to use GPO's either) utilizing the
> > "DisallowRun" key I have seen mentioned on hundreds of sites.
> > The key goes into:
> > HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
> > But, that seems to be the only key under HKCU that users do not have
> > access
> > to.
> >
> > I can access it with the Admin account, but that only locks out the admin
> > account. I was told to do this with whatever account(s) I want to deny
> > access
> > to, but I don't seem to have permissions?
> >
> > If DisallowRun goes into the key above to stop the current user, why do I
> > not have access to it? and is there a way to do this? This seems to be a
> > great tool to keep users from running certain apps, so why does a user
> > account not have access to this?
> >
> > I'm a network admin and wanting to deploy a few scripts to a few stations
> > to
> > stop certain programs from being accessed (games, etc...)
> >
> > Thank You in advance for the help
> >
> >
> >
>
>
>


DisallowRun - Do not have access