How To Use Local Group Policy Whitelist Certain Programs in Windows 7

6

Typically, let’s say, what’s the easiest way to lock down a shared computer to only allow users to use certain specified programs installed on that computer? The answer is to use the Local Group Policy.

In case you don’t know, Local Group Policy is a very powerful tool that first was introduced with Active Directory back when Windows 2000 was released. It provides you much more options to control your computer without messing around with the Registry keys. In some cases, you still need modify Registry keys to get things to work. But in a lot other cases, using Local Group Policy simply gives you more options and works a lot better.

To whitelist certain programs in Windows 7, first to launch Local Group Policy Editor by clicking on Start and typing in gpedit.msc to the search.

image

And then, navigate to User Configuration \ Administrative Templates \ System in the left panel, and double click on Run Only specified Windows applications.

image

In the pop up window, first set it to Enabled, then under Options section click on Show button.

image

In the Show Contents dialog box that pops up after clicking on Show button, in the Value column, type the application executable name, e.g. firefox.exe, swriter.exe, calc.exe.

image

The change takes effect immediate right after you click OK or Apply. From this point on, if a user tries to access an application that is not on the specified list they will get the following warning message.

image

Situations where this setting doesn’t apply:

  • This setting only prevents users from accessing applications that are started by Windows Explorer process.
  • This setting does not prevent users from starting applications in the command window.
  • Users with admin rights still seem to be able to access these applications. The change also applies to the users who have the admin rights.

A few other notes:

  • This is not a new feature introduced in Windows 7. You can do the same in XP too. It’s just that the user interface in Windows 7 is better than the one in XP.
  • You can also blacklist certain programs by using Don’t run specified Windows applications from the same System Administrative Template in Local Group Policy.

Caution:

The setting applies to users, including all users that are able to log in. So in order to avoid getting yourself being locked, make sure to include either mmc.exe (be able to re-open GPEdit.msc) or regedit.exe to the allow list.

Credit goes to the How-To Geek for sharing this useful tip.

SHARE

6 COMMENTS

  1. What are the programs required for printing. When you use this function you can’t access the printer and I can’t seem to find a list of needed ones. Also remember if you use this to include mmc and gpedit in the list or you will not be able to access them (unless you boot in safe mode)

  2. If you decide to disable whitelist and then re-enable it, it wipes the list clean. Does anyone know of a way to keep the list even if you disable/enable the policy?

LEAVE A REPLY

Please enter your comment!
Please enter your name here