Restrict who can use MS Office 2007 Applications on Windows Server 2008 R2

I'm looking for a way to restrict who can access Microsoft Office by user.  This server is running Windows Server 2008 R2 and is not in a domain (no Active Directory).  This is a terminal server, so all users will be connected to this server.

I want the following restrictions per user (or group)

Can run all Office 2007 Applications
Can run only Excel
Can run no office 2007 Applications

Any assistance is greatly appreciated.
brianfsu1Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ToxaconCommented:
Add one group for Excel and one group for all Office apps. Use NTFS permissions to allow execute of the Office executables based on group membership.

For example:

Grp_Allow_Excel
Grp_Allow_Office

Remove Users from Excel.exe access list and add Grp_Allow_Excel and Grp_Allow_Office with Read/Execute

Remove Users from Outlook.exe, Winword.exe etc access list and add Grp_Allow_Office with Read/Execute.

If a user-level user is not a member, he/she can't launch any Office program.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
brianfsu1Author Commented:
Thanks for the response.  That's an interesting angle at accomplishing this that I hadn't thought of.  

The only downside (and I should've mentioned this in the original question) is that it would be nice if they didn't even see shortcuts to those applications as well.  
ToxaconCommented:
Maybe you can develop a script that detects the membership (IFMEMBER.EXE) and based on that copies or removes the shortcuts from the user desktop or start menu. Naturally, as the original shortcuts are in All Users profile, you have to remove them.
brianfsu1Author Commented:
Worked great.  Thanks.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.