Poledit work-around for MS-DOS limitation

At our school, I have installed system policies via POLEDIT and have
included a restriction on running MSDOS programs for all students. This is
one bit of POLEDIT which actually works!

However I have received some subject resource CDs which run from MSDOS
applications so I need to circumvent the MSDOS limitation for these
applications only.

Every time a student runs the application they, of course, get rejected
because "the system administrator has restricted access to this
application". I'd like to get around this without removing the restriction
on running other MSDOS programs.

I did come across a batch file which someone had written to do this. It
goes something like this:


However, I can't get it to work. Can someone suggest what else I might need
to set - program properties etc. Is the above information incorrect
altogether? Any advice would be appreciated.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

You might wanna look into a program like this

dwyerpAuthor Commented:
I am not interested in looking at yet another security package. My question related specifically to Poledit.

I do not want to throw yet another security package at the system as it might resolve one problem but open up a pile of others. I am the sole administrator in this school of 1100 students and I don't have the time to evaluate and implement a new opackage every time I come across a problem with the existing one.
Then you are out of luck, there is NO policy option to discriminate between different non-windows applications.. So, you manage over 1100 students.. I manage over 1300 workstations with approx 8000 users... and Winshield is a great tool for the "non essential stations"
Cloud Class® Course: CompTIA Cloud+

The CompTIA Cloud+ Basic training course will teach you about cloud concepts and models, data storage, networking, and network infrastructure.

dwyerpAuthor Commented:
This is not an answer. So far "experts exchange" has scored 0. I want my hundred points back!
Well, then just delete the question and refund yourself the points, as easy as that. Ever appeard to you that some problems cannot be solved for "out of the box" programs, that sometimes you _must_ use 3rd party software?
Sorry, the above was meant as a comment... so sorry.
You should just be able to make a list of program file names that can be run, and take off the restriction to MSDOS based programs.  This will then allow only the programs you specify.  Make sure however, that you don't restrict at least one login, such as Admin, because if you do, you won't be able to use Poledit or Regedit, and other system utilities.
Oh, buy the way, if my answer is correct, then they should give me the points because the other guy that locked the question didn't mean too.
the drawback is: The user can then make a bat or exe file with the same name as an allowed program, and happily run it.
Actually, I am pretty sure that they can't run anything in the batch file that isn't an allowed application.
Nooo, but if you allow the use of for insyance "abc.bat" a user can create a "abc,bat" anywhere on the system and run that.

If you allow the use of "xyz.exe" a user can either compile an own program named "xyz.exe" or use "bat2exe" to turn a batfile into an .exe file and execute it. Beleive me, this works.

There is NO way to make the built in restrictions use a absolute path to an allowed program, you can ONLY tell it what program names you can/can not run.
Where would some kid in a school get bat2exe though?  There isn't very many kids that can even make batch files rather than know how to make them into an exe!  

Oh and another thing.  Seeing that not very many kids are computer smart, if you don't allow any batch files to run, then they can't run such files.

Also, is there anyway they can find out what files they are allowed to run other than trial and error (assuming they don't have access to changing the StartMenu)

The below text is a test.  I just want to see what HTML code will do on this page.

<A HREF="mailto:trent_adams@usa.net">test</a>
Trial and error? ANY user can see what programs are allowed to run, and you would be AMAZED how smart kids are :)

Now, if your assumption is correct that kids arent computer smart, why impose policies at all?
and furthermore.. the fact that the school has more then 1100 students leaads me to beleive that the school should hold a variety of ages...  And teenagers are definitely computersmart ;)

I assume that the reason you included the batch file is because someone said they were able to restrict DOS apps with system policy restrictions, but allow selected DOS apps to run using a similar batch file.

I do use System Policies at my office, but have not used this restriction.  However, the implication of the batch file is that Win95 is resricting the loading of COMMAND.COM - not really the DOS app itself.  The reason I think this is because there's a separate entry for restricting the DOS prompt.

IF this is the case, what you would need to do is copy C:\COMMAND.COM to C:\BOGUS.COM - then the batch file would use BOGUS.COM as the shell for the DOS app.

Your only other alternative is the (EXTREEMLY UGLY) option of generating a list of allowable applications under the - User/System/Restrictions/Only Run Allowed Windowed Applications.

Under this option, however, you must list EVERY executable allowed!

and even if you DO list every allowed application, you an still circumvent it by creating your own executionable program.
dwyerpAuthor Commented:
I have resolved the problem myself. Please delete this message and stop sending me email.
Howabout offering us an explanation how you did if? (if nothing else, it will give me some info as to how to cirumvent it ;) )
How about a Not poledit possible answer: Restrictions:
--------------------------BE SURE TO SEE #9
If you want to make restrictions to what users can do without having to running Poledit, changes can
be made directly to the Registry.
This will allow you to make a REG file with the spefice restrictions you want and importing them all
at once.
1. Start Regedit
2. Go to HKEY_Current_User / Software / Microsoft /Windows/CurrentVersion /Policies
3. There should already be at least a Explorer.
4. Additional keys that can be created under Policies are System, Network and WinOldApp
5. You can then add DWORD values set to 1 in the appropriate keys 6. In the Explorer key you
can add:
o NoDeletePrinter - Disables Deletion of Printers
o NoAddPrinter - Disables Additon of Printers
o NoRun - Disables Run Command
o NoSetFolders - Removes Folders from Settings on Start Menu
o NoSetTaskbar - Removes Taskbar from Settings on Start Menu
o NoFind - Removes the Find Command
o NoDrives - Hides Drives in My Computers
o NoNetHood - Hides the Network Neighborhood
o NoDesktop - Hides all items on the Desktop
o NoClose - Disables Shutdown
o NoSaveSettings - Don't save settings on exit
o DisableRegistryTools - Disable Registry Editing Tools -
NOTE: BeCareful of this one
7. In the System key you can enter:
o NoDispCPL - Disable Display Control Panel
o NoDispBackgroundPage - Hide Background Page
o NoDispScrSavPage - Hide Screen Saver Page
o NoDispAppearancePage - Hide Appearance Page
o NoDispSettingsPage - Hide Settings Page
o NoSecCPL - Disable Password Control Panel
o NoPwdPage - Hide Password Change Page
o NoAdminPage - Hide Remote Administration Page
o NoProfilePage - Hide User Profiles Page
o NoDevMgrPage - Hide Device Manager Page
o NoConfigPage - Hide Hardware Profiles Page
o NoFileSysPage - Hide File System Button
o NoVirtMemPage - Hide Virtual Memory Button
8. In the Network key you can enter:
o NoNetSetupSecurityPage - H
o NoNetSetup - Disable the Network Control Panel
o NoNetSetupIDPage - Hide Identification Page
o NoNetSetupSecurityPage - Hide Access Control Page
o NoFileSharingControl - Disable File Sharing Controls
o NoPrintSharing - Disable Print Sharing Controls
9. In the WinOldApp key you can enter:
o Disabled - Disable MS-DOS Prompt
o NoRealMode - Disables Single-Mode MS-DOS

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
dwyerpAuthor Commented:
Does not exactly answer my question but gives a good background in the usage of existing tools.

Maybe some of the other "try-hards" who attempted this one and suggested further third-party packages should learn more about the system they are working with.

This problem can be closed
This is my last comment, since it costs me 10 points everytime i look at this question: The abovementioned restrictions can _easily_ be circumvented... they work if you want a "semi safe" system, but it is BY FAR _not_ fool proof!

For instance.. Look up a small util called "lophtrak" (or similar) it will bypass ANY restrictions on ANY W95 machine the user can physically log on to... A very nasty exploit for a huge bug in W95.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.