What’s the easiest way to lock down a shared computer so that users can run only certain specified programs installed on it? The answer is to use Local Group Policy.
In case you don’t know, Local Group Policy is a very powerful tool that was first introduced with Active Directory back when Windows 2000 was released. It gives you many more options to control your computer without messing around with Registry keys. In some cases, you still need to modify Registry keys to get things to work. But in a lot of other cases, using Local Group Policy simply gives you more options and works a lot better.
To whitelist certain programs in Windows 7, first launch the Local Group Policy Editor by clicking Start and typing gpedit.msc into the search box.
Then navigate to User Configuration \ Administrative Templates \ System in the left panel, and double-click Run only specified Windows applications.
In the pop-up window, first set it to Enabled, then under the Options section click the Show button.
In the Show Contents dialog box that pops up after clicking the Show button, type the application executable name in the Value column, e.g. firefox.exe, swriter.exe, calc.exe.
The change takes effect immediately after you click OK or Apply. From this point on, a user who tries to open an application that is not on the specified list will get a warning message.
Situations where this setting doesn’t apply:
- This setting only prevents users from accessing applications that are started by the Windows Explorer process.
- This setting does not prevent users from starting applications from the command window.
- Users with admin rights still seem to be able to access these applications. The change also applies to the users who have the admin rights.
A few other notes:
- This is not a new feature introduced in Windows 7. You can do the same in XP too. It’s just that the user interface in Windows 7 is better than the one in XP.
- You can also blacklist certain programs by using Don’t run specified Windows applications from the same System Administrative Template in Local Group Policy.
The setting applies to all users who are able to log in. So to avoid locking yourself out, make sure to include either mmc.exe (to be able to re-open GPEdit.msc) or regedit.exe in the allow list.
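To see what the policy actually wrote for the logged-on user and to catch the lockout case above, a read-only check can be run from PowerShell. This is an added example, not part of the original tip: it relies on the setting being stored under the user's Policies\Explorer registry key as a RestrictRun DWORD plus a RestrictRun subkey holding the executable names, and Get-RestrictRunPolicy is a hypothetical function name.

```powershell
# Added example: read-only audit of "Run only specified Windows applications"
# for the currently logged-on user. Get-RestrictRunPolicy is a hypothetical name.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-RestrictRunPolicy {
    param([string]$Key = $PolicyKey)

    # The on/off switch is a DWORD value named RestrictRun (1 = enabled).
    $flag = (Get-ItemProperty -Path $Key -Name RestrictRun -ErrorAction SilentlyContinue).RestrictRun

    # The allowed executable names are string values under the RestrictRun subkey.
    $allowed = @()
    $listKey = Get-Item -Path "$Key\RestrictRun" -ErrorAction SilentlyContinue
    if ($listKey) {
        $allowed = @($listKey.GetValueNames() |
            ForEach-Object { "$($listKey.GetValue($_))".Trim().ToLower() } |
            Where-Object { $_ })
    }
    New-Object PSObject -Property @{ Enabled = ($flag -eq 1); Allowed = $allowed }
}

$policy = Get-RestrictRunPolicy
if (-not $policy.Enabled) {
    Write-Output 'Allow list is not enabled for this user.'
} else {
    Write-Output ('Allowed: ' + ($policy.Allowed -join ', '))

    # Lockout check: with neither mmc.exe nor regedit.exe on the list, this
    # account cannot re-open the tools needed to change the setting.
    if (-not ($policy.Allowed -contains 'mmc.exe' -or $policy.Allowed -contains 'regedit.exe')) {
        Write-Warning 'Neither mmc.exe nor regedit.exe is allowed: add one to the list.'
    }

    # The setting only covers programs started by Explorer, so an allowed
    # command shell can start programs that are not on the list.
    $shells = @($policy.Allowed | Where-Object { 'cmd.exe', 'powershell.exe' -contains $_ })
    if ($shells.Count -gt 0) {
        Write-Warning ('Command shell on the allow list: ' + ($shells -join ', '))
    }
}
```

Run it as the restricted user, since the values live in that user's own registry hive.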
Credit goes to the How-To Geek for sharing this useful tip.