Dont allow users to run exe's from their home folders

I ma running windows 2003 server with xp clients.

I want to stop my users from running exe's from thier home folder.

Hope someone can help its driving me mad


Phil Millward
ICT Manager
The Byrchall High School
Who is Participating?
No. If you set the group policy for the student accounts, it wont interfear with the normal admin account. You can also set the installer not to install any programs, or block the registery so that they cant make chances to it. those 3 together have a pretty high succes rate of blocking installs. But keep in mind, nothing is unblockable, you can only make it so hard its not worthwhile/hard to break for normal users
I would do this in group policy.  There is an option to only allow then to run certain applications.  
[User Configuration\Administrative Templates\System]
-Run only allowed Windows applications

phillipmillwardAuthor Commented:
i work in a school so would that solution not stop all other department specific software from working???
I've heared of this issue, with people installing things into their home directory, one thing you can do is go into the advanced security permissions and turn off 'Tranvers Folders/Execute File' to stop people downloading exe's and then installing them.

However if they have CD-ROM access etc this will not solve the problem, - it will stop them from starting the application though after installing to their home directory, which would probs put them off in the future even installing rouge software.

Thanks for the points. Even trough, i still have some more advice im gonna write down. The issue you have, is EXACTLY the same as the institute i work at. They also had some problems with students installing illegal software. They had a good program to solve it trough.

At first, they decided to give NOONE except the admins acces to the c or d harddisk. they simply made it invisible in explorer, and disabled write acces. (this can be done trough the admin accounts special tabs. they can specify what users have write/read acces). The disk can be made invisible trough the XP hidden flags. (iff you cant acces them manually, try this    program: To let the users still save their documents and such, each user got 10mb of disk space on the network, which also had the nice effect that they can work on every computer, without having to worry about their memory sticks, or about lost file searching.

The second thing they did, was disabling the download of .exe .zip and .rar (and .7zip and other compressors) trough the browser. Since students only very rarely need .exe or so files, its safe to disable the downloading of it. say for yourself, why would a student need a program?

Third problem was virusses, mallware and such, since some students visited somewhat... less trustable sites. Just install norton corporate edition, and a good antispyware scanner, and most things are solved. As a further measure they ghosted all PCs, and reset them every 2-4 weeks. This WONT whipe out the student files, since they are on the network. it just whipes out the illegal downloads and windows modifications. Of course, the server pc doesnt get such a whipeout.

For the student with not so legal sites, there was a good, trough expensive solution. they simply hires 3 system admins to keep an eye on the server computers all day, + someone to watch the computer rooms. If this would cost to much, simply keep logs of every user, and when it seems to go wrong, just look at the logs to see who caused the problem. last you should give every user a seperate account, so that they can be IDed.

Hope you can do something with this guide, GL,
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.