Prevent Remote Desktop Clients from running Internet Explorer

Posted on 2009-05-12
Last Modified: 2012-05-06
This is a stand alone 2003 Terminal Server. There are no local clients. I want to use Group Policy to prevent Remote Clients from running Internet Explorer. As far as I can tell, the setting I need is in : User Configuration -> Admin Templates -> System -> Dont run specified apps.

My problem is that I cannot find this policy in Default Domain Controller Settings, or in Default Domain Security Settings. Logged in as Administrator, I ran GPEDIT.MSC and set it there, but this only applied to the Adminstrator Account.

How can I set this policy to apply to other users?


Question by:ipendlebury
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
LVL 35

Expert Comment

ID: 24363308
As you can see --> Admin Template -->, the policy is within a template (ADM) file. You should have this on your computer, usually localted a C:\windows\inf.

Right click on administrative templates and have a look there, which templates are loaded or not. There you can add additional templates.

Author Comment

ID: 24363640
Thanks for the reply. I need you to be a bit more explanatory please....

>> Right click on administrative templates and have a look there,
>> which templates are loaded or not.

Where should I be doing this? The only place I can find something that says "Administrative Templates" is in GPEDIT.MSC which only applies to the current user.

LVL 35

Expert Comment

ID: 24364398
OK I see...

Have a look here:
Open local security setting
Goto Policies for Software restrictions
--> Additional rules
There you can set file based rules to block applications.

(My system is non english, maybe the pathes differ from my description).

Classic group policies can only applied, it the TS is part of a domain as the logon of users is handled by the domain. If you have only local accounts, you cant assign policies to these local accounts.  

Not the restriction above is machine based...
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 24364444
Sorry, i'm still struggling to understand you.....
Where is this 'Local Security Setting'?
LVL 35

Expert Comment

ID: 24364510
Start - settings  - system setting, there you can find the local security policy...

Or run

Author Comment

ID: 24364696
OK I got a bit further now... But I think your system is totally different from the systems I administer. I never saw a system with 'Settings' in the Start Menu. I couldn't find Local Security Policy anywhere either. But I ran Secol.msc and got myself in there.

OK I added a new software restriction policy. But this prevents even myself from running Internet Explorer. I need to be able to run this occasionally. I was l looking and wondering if I could create a new security level in the next menu, and have that security level applying to all members of the Users Group.

Can I ask also why you got me to look in the Local Security Policy. The same feature is available in the Default Demain Policy which is readily available to me. Would it not be better to use this?

LVL 35

Accepted Solution

Bembi earned 500 total points
ID: 24365241
I use the old menu structure, this is different, yes :-))

> But this prevents even myself...
Yes, as machine based

The same feature is within the group policies, but as policies are stored in the startup folder, they are only used and available if you logon as member of a domain and the TS is a member server of a domain. Otherwise the startup folder is not touched. You said this is a stand alone server.

You may have the Domain GPO admin tools on your machine, but they can only show, what they can find on the machine --> the local policies. Domain policies are only shown if you are part of a domain. Therfore I assume, that changing the settings within GPO console are excacly the same that within the security console. Means if you change the settings with the GPO console, they will also be show by the security console.  

Case is different, if your TS server is part of a domain.
LVL 35

Expert Comment

ID: 24365264
Oh, the local policies are store under
There are also the local INF files.

Author Comment

ID: 24365349
Ok thank you for all that


Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Organizations create, modify, and maintain huge amounts of data to help their businesses earn money and generally function.  Typically every network user within an organization has a bit of disk space to store in process items and personal files.   …
Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question