Jim Klocksin asked:
How can I disable the top portion of the current Open and Save Dialog boxes?

I'm looking for some method (GPO or otherwise...) to disable the navigation capabilities in the latest version of Windows Open File and Save As File dialog boxes.  This capability poses a serious security risk to my RDP applications and has forced me to revert back to an extremely old NT-style dialog box that, while it resolves the security issue, is very limited in capability and, especially important to me, does not provide for my client users "OneDrive" as a location to save files to or open files from.  The issue is all the navigation capability located at the top of the dialog boxes:
[screenshot]
The following dialog box shows the same box with "free-form" user-entered commands in this same area at the top of the dialog box:
[screenshot]
With all the customization that Microsoft provides (primarily using Local or Domain Group Policies), I have to believe that there must be some way to disable this part of these dialog boxes.  Does anyone know how I can accomplish this?
Edmond Hawila:

It is not possible to disable navigation functionality.
You can only control access to other folders using permissions.
Why doesn't that work for you?
Jim Klocksin (asker):
I actually have disabled that navigation functionality by reverting back to an NT-style dialog box.  I've also restricted access to all folders that I don't want my users to access.  My problem is just the opposite, I need to be able to "enable" access to OneDrive (on my client's computers) so they can save reports from my application as either PDFs or Excel spreadsheets directly to their OneDrive.  Problem is that the old NT-style dialog boxes don't support OneDrive and the newer ones do, but, again, the newer ones have this navigation functionality that I can't allow for security reasons!
If OneDrive folder can be accessed via drive letter, this shortens the way there....

While keeping the old style dialog, add the SUBST command to make a drive letter of the OneDrive path. This won't show the OneDrive icon. Instead, the user enters the drive letter to open the OneDrive folder.

Subst f: c:\path\to\OneDrive\folder


You could also put a shortcut to the OneDrive folder in that folder they are able to view. That should get them there.
Since OneDrive is a per user folder the shortcut path should be edited to c:\users\%username%\...path to onedrive folder..

Test this and let me know if this works for you.
You are right (I assume you know something about OneDrive...) in that the OneDrive "folder" on my client's computers translates to C:\Users\%username%\OneDrive - <Corporation Name>\... but you have to take into account that the software application is running on my server on my network and, without redirection, I have no access to the client's OneDrive "folder".  Using the NT-style dialog box, they see:
[screenshot]
Most of the listed items have been disabled and the client sees the following message when attempting to "save" a report to these locations:
[screenshot]
So, the point is that the few locations (on my server) that they can "save" a report to are under the Libraries tied to their user profile on my server (any location under the actual user's name is restricted), they have no access to these files and they don't harm my server since the report originated from my server and is being saved back to my server.  If, by some remote chance, these reports got infected by the client computer, my Norton Endpoint Security would detect it and quarantine it (unless it just happened to be a brand new virus that they had no knowledge of...pretty unlikely, but, I'll admit, possible just the same).

Anyway, back to the point, my client is extremely security conscious and I don't have ANY leeway in terms of "work-around" solutions.  So, back to my original question, does anyone know any way to disable the navigation capabilities built into the latest version of Microsoft's Open and Save As dialog boxes?
> ...serious security risk to my RDP applications and has forced me to revert back to an extremely old NT-style dialog box that, while it resolves the security issue,... disable the navigation capabilities in the latest version of Windows Open File and Save As File dialog boxes.

FYI, in the old-style dialog, the user can still navigate by typing paths in the "File name" field.
Point taken!  The only difference I see is that in the newer version of the dialog box, they can actually execute command files, applications, etc. Whereas in the old style all they can do is copy over a file that could very possibly be crucial to the server's operation, but they can't execute anything.  Still, it's just one more thing I have to contend with and I will look into this further.  Thanks for the info....
> ... in the newer version of the dialog box, they can actually execute command files, applications, etc.

This can be prevented by relevant GPOs, Software Restriction Policies, AppLocker...

> ... in the old style all they can do is copy over a file that could very possibly be crucial to the server's operation, but they can't execute anything

New or old dialog doesn't matter. Both display and run in the user's context and rights. This being true, they can browse to any folder, Shift-Right click the folder, and pick Open Command Prompt. This problem, again, is prevented via GPOs.
OK, so if you know which GPOs to set, please let me know....that's what I was asking for in the first place!
I'm trying to implement my restrictions using AppLocker and it's not working the way I would think that it would.  From what I've read, using AppLocker DENIES all applications by default and, supposedly, the best policy is to just ALLOW the specific applications you need your users to have access to.  I've done that (in a test environment of course) and, rather than allowing my specific applications to run, they're all being "blocked by GP".  Since this is all new to me, I'm guessing that I'm doing something wrong, but it's not obvious to me what I'm doing wrong.  Also, the MS articles are so general in nature and they keep sending me from one to another to another until I'm back to the one I started with!?  Can you help me out here with some specific tips and/or suggestions as to how to best implement these restrictions?
I spent all day today setting different software restrictions....didn't work....shifting over to AppLocker....didn't work....and, worst of all, by the time I had done all that, I couldn't even run the applications that need to be run.  I realize all this stuff is new to me, but I've been dealing with tightening up security for a while now and this just shouldn't be this difficult and shouldn't end up doing the opposite of what I need to accomplish.  In the end, I just had to reimage my server back to last night's "bare metal" backup, get my applications running again and, I guess, start again tomorrow, but I'm totally lost with these software restrictions and AppLocker.  They both appear to be reasonably straightforward, but I can't get either of them to work.  The only thing I've accomplished at this point is to disable the command prompt with the GPO that was mentioned towards the end of one of those links you sent me, using information from the last EE contributor who pointed me in the right direction to disable the command prompt through a regular GPO.
Are you applying the GPOs to Windows 10 endpoints or to an RDS Server, if so which version?
I'm applying GPOs to an RDS Server running Windows Server 2008 R2.
Have you tried the options mentioned above?
1. Create a shortcut to the OneDrive folder.
2. Map a drive to the OneDrive folder.

What is the reason the above won't work for you?
I'm running a software application on a Windows 2008 R2 Server, that approximately 665 Windows 10 clients connect to remotely via RDS.  If you can explain to me exactly how I can go about creating a shortcut to 665 computers' individual OneDrive folders, then somehow map a drive to it, please explain it to me.  I don't see these OneDrive folders on my server, so I'm at a complete loss as to how to accomplish what you're suggesting...
Ok, I just got that these are local folders and not residing on the RDS itself, apologies for the misunderstanding.
I was under the impression that OneDrive was installed on the RDS Server and users were logging in with their linked account.

Would it be possible to do that? Get OneDrive installed on the RDS Server so that this would generate on the Server?
That would make this easier :)

Are these 665 client devices in the same domain and can be managed by GPO as well, or are these external devices?
First, my client is extremely security conscious (as I may have pointed out earlier) and is an extremely large corporation.  As such, I have no say over anything when it comes to how they set up their network and/or how they image all of their employees' computers.  So, the short answer is NO, I would never be able to set up OneDrive on my server for my clients' use, period, end of story (as they say...).  I need to be able to have their individual OneDrive folders "redirected" back to them thru my RDS application.

Regarding your last question, all the clients are in the same domain and can be managed by GPO, which is what I'm currently doing to provide as much security as possible.  AppLocker does not appear to be working out well for me, so I'm basically giving up on that solution...may look into some third-party solutions.  Another thing I should mention is that my clients are "dealing" with the fact that they can't access their OneDrive locations, the driving force behind all of this is ME!  I would like to be able to provide that capability, despite the fact that they are not (at least not yet) asking for it.
Would you be willing to enable Drive redirection?
This will basically allow for the PCs C drive to appear in the RDS for the users to save in.
That said it will also allow them to copy paste. Maybe something you can test?
The one point I've been trying to make "crystal clear" here is that the corporation that's using my software is "over-the-top" security conscious (after having been hit, themselves, with an extremely costly cyber-attack, read: multi-million dollar restoration that's been going on for almost 2 years now...).  Their employees' new computers don't have a "C:" drive or any other local drive.  Their OneDrive is, in actuality, their C: drive and most of the data is stored and maintained "in the clouds" (boy, do I hate that marketing terminology...).  Using GPOs, I've been able to "hide" all of my local drives on my server, so that all they see are either locations on my server that I've restricted access to (Documents, Music, etc.) and any of their own network drives that they may have access to.  Truth is, most of my clients have a network drive that's available to them (at least certain folders are still available to them), but it's literally SO LARGE that it can take up to 5 minutes to load up all the folders, etc. in my Save As dialog box.  This does work and they are using it!  My goal here is to make their lives easier by figuring out a method whereby I could display their OneDrive as a "redirect location" without opening myself up with more security holes on my end.  Hence, the use of the NT-style Save As dialog rather than the newer style dialog box that allows users to type in any command they want in the top of the Save As dialog (the initial premise of this question!).

If I could find a way to either disable that navigation bar at the top of the Save As screen or limit the applications they can run thru that navigation bar, then I could revert back to the newer style Save As dialog.  I've managed to disable the "command prompt" thru GPOs, but I haven't had much luck disabling PowerShell, RegEdit, etc., and AppLocker is NOT the solution, and I've already wasted enough of my time on trying to make that work for me.
I'm sorry but this is getting confusing so I will try to make this a bit more clear.
There are 3 ways to access OneDrive in an RDS environment.
1. You allow for Drive redirection and enable the user to access their local drive where OneDrive resides. The "disadvantage" of this for your setup is that the user will be able to copy from the RDS Server to their local drive. Not sure if that is a problem and what data they are accessing on there.
2. Install the OneDrive app and allow them to Sync on the RDS. As per your comments I understand that this will not be accepted by the client. Also with 665 users a storage issue might arise by doing this, but of course OneDrive now has the Files On Demand feature that might mitigate the storage issue.
3. They can access OneDrive through the Web Browser. It now supports drag and drop which makes things easier for the users.

These are the ways that OneDrive can be accessed from an RDS environment. You can pick and choose the one that fits better with your scenario.

I hope this makes things a bit more clear.
I guess this is confusing for both of us.  What I would like to do (in a perfect world with no cyber-attackers....) is exactly what you described in option #1.  That was the end goal from the beginning.  Problem 1 is that the old NT-style Save As dialog does NOT support that.  Problem 2 is that the newer style Save As dialogs "should" support that (I only say should because I haven't been able to test that and won't be able to for another 2 weeks....logistics, I need to be in New Jersey to correct some things on my production server before I can test and I can only test from the New Jersey server). Options 2 and 3 are not possible in my situation, option 2 for the exact reason you stated and option 3 since they have no access to a web browser in my environment....strictly RemoteApps, I don't provide the web interface for numerous reasons.  Since I allow for redirects in my RDS RemoteApps, Option 1 should work provided I can get myself to a point where using the newer style dialog boxes does NOT present a security risk to my own system.
What are you worried they will be able to run?
Anything that could "sabotage" my server or corrupt the data stored there.  For example, PowerShell, RegEdit, SQL Server Management Studio, I could go on, but it seems like a never-ending list.  Now that it seems apparent that I have no way to disable that navigation bar, I would prefer a whitelist approach, where I could deny access to everything except my software applications. That would do it for me!  Even without any administrative rights, there are a lot of processes a savvy user could run...
I have some good restrictions policies.
I will send them to you tomorrow.
That's great!  I really appreciate it and the timing works well also, since I'm a little burned out with all this stuff right now!
Hi,
As promised you can get the Backup of my GPO here. (Note that this link will expire by the end of the week)

Note that I made some changes to this as it is linked on a live environment.
Also note that this GPO not only restricts Command Prompt but also restricts running scripts like .bat or .cmd.

Make sure you review the settings in there and test any GPO that you believe will suit you.

Regarding restricting software or creating a whitelist you can utilize the below GPO:
User Configuration/Policies/Administrative Templates/System/ Run only specified Windows applications
Although I have never used this as I would guess it would give more issues than anything else and prefer the method the other way around as you will see in the settings of the shared GPO.

I cannot stress enough that you need to thoroughly test!!!

I hope this will assist you and let me know if you need any clarification.
You have to keep in mind that I'm essentially a software programmer who has taken on the task of hosting my software application (mostly at the request of my client users who actually use my software and wanted more flexibility with regards to updates).  Now I'm tasked with the responsibility of "cobbling together" a secure environment that works using RDS.  Just getting the RDS environment working was a job in itself, now I'm dealing with firewall rules, group policy objects, and a number of other things that I really have no experience with.  So, that said, I downloaded the following from the link you provided:
[screenshot]
I really don't know where to start or what these different files and file types are all about.  So, I'm looking for your assistance here.  I have a domain group policy that applies to my client users only and every entry I've made there has been done manually.  Not knowing what these files are or what they could possibly do to my settings, makes me uneasy to say the least.  I am working on a TEST server, so none of this is going to hit my production system until I have tested it out (I agree with you completely on that point!).  So, as you said in your last statement, I'm letting you know that I need a lot of clarification.  Frankly, I'm clueless when it comes to making changes like this thru files that, I'm assuming, automate the process.
ASKER CERTIFIED SOLUTION
Edmond Hawila
I guess I need a little more clarification.  From the list of files that I downloaded, which file should I be using?  I followed your steps, created the TestGPO, got as far as the "Import Settings..." step, but every folder I select comes back saying "No backup found".  Apparently, I don't have the correct file downloaded and extracted on my server, so if you could either tell me which file to use (that I already have) or make the download process simpler by just providing the one ZIP file -OR- just tell me exactly what I should have downloaded from your original link (there were a number of files and/or "folders" there in your link, so I just downloaded everything I saw!?)....I just need the correct starting point and I'll be able to follow your step-by-step instructions....Thanks
Actually, forget my last comment.  I went back and downloaded from your link again, got the right file this time, and imported the settings into the Test GPO on my test server.  Obviously, it's going to take some time for me to go thru it, so I won't be responding back or closing this question for a while.  I'm sure you understand.  Thanks, again!
OK, I have a question for you.  I don't understand what you're attempting to accomplish with your Software Restriction policies.  Your base enforcement level is Unrestricted, then you add 5 Additional Items but enter them all as Unrestricted as well.  What's the purpose of this?  Shouldn't they all fall under the Basic Enforcement level of Unrestricted?  It just seems redundant to me, unless I'm not understanding how software restrictions work!?
Sure, I understand you will need some time to get the grasp of everything, but I think I already provided more than enough information for you to get to where you need. If you don't have the knowledge with this I would suggest you get some expert assistance as we won't be able to get everything done from here this way.

I am not using Software restrictions really. Unrestricted is the default option.
I only added the additional items to ensure they will work.

You can play around with it if you want, but I would suggest you use the method I explained in my comment previous to that one:

Regarding restricting software or creating a whitelist you can utilize the below GPO:
User Configuration/Policies/Administrative Templates/System/ Run only specified Windows applications
Although I have never used this as I would guess it would give more issues than anything else and prefer the method the other way around as you will see in the settings of the shared GPO.

I hope you understand that it is impossible to teach you even the basics on GPOs from here and I hope you don't have that expectation.
Group Policy is a multiple chapter course in Microsoft's Courseware, not to mention the amount of time you need to work with it to really grasp its ways.
The reason I joined this group (EE) was to get assistance in areas that I either don't have any or have limited expertise in.  That's why I keep paying for this membership each year.  Point is, I don't want to become an expert in GPO...I don't have the time or the desire.  I have a very complex software application that I've developed over the course of 20+ years and that's where I want and need to spend my time and effort.  In this case, I've already stated that I have a simple "bottom-line" goal.  That goal is provide my client users access to MY software applications and (again, in a perfect world) nothing else.  Your suggestion of using "Run only specified Windows applications" sounds perfect....I've already tried it (before I even started this question) and was not very successful.  My applications are "home-grown", not digitally signed, and not Windows applications in the typical sense that they're not Microsoft programs (like Word, Excel, etc.) and, while I would like to use this option, I'm not sure it will treat my "specified applications" as "Windows applications".  I appreciate all the help you've already provided and if you just don't want to go any further, fine.  At the risk of repeating myself, I don't have any other avenue for assistance other than reading stuff on the Internet (totally frustrating...) and using my membership in EE.
I understand your point Jim but I hope you can understand the complexity of this especially since you can see how delicate and complex this is. You can see that this is so specific by noticing that not many experts have even touched this subject but I am here offering you more and more help.
GPO settings take time to configure and a lot more time to test before you actually get to where you want plus all these depend on your individual setup. I have spent more than a week studying and testing the GPO settings I have sent you for my uses and I don't expect these to be a packaged solution for you but a good reference point. I hope you can appreciate that.

We need to realize that for some things we need to get expert help and not everything can be as simple as a straight forward step by step process. I, for example, wouldn't expect you to teach me how to create a software by a few posts in a web forum.

I hope we can both be respectful and understanding here.
Plus I need to clarify that I am not getting paid by EE or anyone else for offering my knowledge here.
I am here to assist where I can as well as get assistance myself.
I think I've got the GPO set up to the point where it's as close to my goal as practically possible.  A couple of things I've discovered while adjusting these settings (based on your Test GPO...).  I set the command prompt setting the same as yours, disallow and disallow scripts.  Problem for me was I NEED to allow the scripts to run in order for my RDS application to actually start up, so I changed this one back to the way I had it originally, disallow running the command prompt, but allow scripts to run in the command prompt.

The other thing I've learned is that the "Run only specified Windows programs" did NOT work for me at all...problem was that I couldn't run my own applications.  However, the "Don't run specified Windows programs" IS WORKING for me.  I've got most of the things I don't want my clients to run listed and all of them are being restricted.  Putting that together with the lack of administrative rights that all my clients have should be enough and I can always add to this list in the future.

I'm sorry if you took my previous comment a little out of context, but I really appreciate all the time and effort that you devoted to my issues and all I really was trying to say is that you had already done enough and that I had no problem (from my end) if you just dropped out of the conversation....like I said, you'd given me enough to work with already!  Thanks again for all your help!!!
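An added example, not written by anyone in this thread: a PowerShell script that audits, and on a test box can write, the per-user registry values behind the "Don't run specified Windows applications" setting that Edmond's GPO path above points at and that Jim reports is working for him. The list of executables is a constructed sample; adjust it to the applications you actually want kept out of the Save As navigation bar.

```powershell
# Added example (not from the thread). Audits and optionally applies the
# registry layout that the user policy
#   User Configuration/Policies/Administrative Templates/System/
#     Don't run specified Windows applications
# writes for the current user. Run as the user being checked, on a TEST box.
# Set $Apply to $true to write the sample list; default is audit only.
$Apply = $false

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey   = Join-Path $policyKey 'DisallowRun'

# Constructed sample list (assumption): programs the thread names as unwanted
# from the dialog's navigation bar. Matching is by file name only.
$blockList = @('powershell.exe', 'powershell_ise.exe', 'regedit.exe', 'ssms.exe')

function Get-DisallowRunPolicy {
    # Returns whether the policy flag is on and the file names currently listed.
    $enabled = $false
    if (Test-Path $policyKey) {
        $flag = Get-ItemProperty -Path $policyKey -Name 'DisallowRun' -ErrorAction SilentlyContinue
        if ($flag -and $flag.DisallowRun -eq 1) { $enabled = $true }
    }
    $names = @()
    if (Test-Path $listKey) {
        $item = Get-Item -Path $listKey
        # The policy editor numbers entries "1", "2", ... each holding one file name.
        $names = $item.GetValueNames() |
            Where-Object { $_ -ne '' } |
            Sort-Object { $n = 0; [void][int]::TryParse($_, [ref]$n); $n } |
            ForEach-Object { $item.GetValue($_) }
    }
    [pscustomobject]@{ Enabled = $enabled; Programs = @($names) }
}

function Set-DisallowRunPolicy {
    param([string[]]$Programs)
    # Writes the same shape the Group Policy editor writes (DWORD flag plus a
    # numbered REG_SZ list), so a later GPO refresh sees a familiar layout.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name 'DisallowRun' -PropertyType DWord -Value 1 -Force | Out-Null
    if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse -Force }
    New-Item -Path $listKey -Force | Out-Null
    $i = 1
    foreach ($p in $Programs) {
        New-ItemProperty -Path $listKey -Name ([string]$i) -PropertyType String -Value $p | Out-Null
        $i++
    }
}

if ($Apply) { Set-DisallowRunPolicy -Programs $blockList }

$state = Get-DisallowRunPolicy
"DisallowRun enabled: $($state.Enabled)"
"Listed programs:"
$state.Programs | ForEach-Object { "  $_" }

# Report sample entries that are missing from the effective list, so an audit
# of a test user shows drift between the intended and the applied policy.
$missing = $blockList | Where-Object { $state.Programs -notcontains $_ }
if ($missing) { "Not listed: $($missing -join ', ')" }
```

Explorer reads these values at logon, so sign the test user out and back in (or let a GPO refresh reapply them) before checking the dialog. Because the match is on the bare file name and only covers launches that go through Explorer, treat this as a quick limiter for the navigation bar rather than a substitute for path- or publisher-based rules.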
I'm glad you got this where you wanted Jim, that is awesome!
I hope you do good business! :)