Oct 6, 2016

How to Allow or Deny Certain Applications for Users in Windows

Allow or Deny Certain Applications in Windows

If you’d like to limit what apps a user can run on a PC, Windows gives you two options. You can block the apps you don’t want a user to run, or you can restrict them to running only specific apps. Here’s how to do it.






Be absolutely sure that you are making changes to a user account you actually want to restrict, and that you always have an unrestricted administrative account available to undo those changes. This is especially true if you are restricting users to a specific set of apps, as those users will lose access even to tools like Registry Editor and Local Group Policy Editor. 

If you do accidentally apply restrictions to your administrative account, the only way we’ve found to reverse the changes is to run System Restore by going to Settings > Update & Security > Recovery and clicking the “Restart now” button under Advanced Startup. From there, you can find the setting for running System Restore after a restart, since you won’t be able to run System Restore the normal way.

 

Home Users: Block or Restrict Apps by Editing the Registry

To block or restrict apps in the Home edition of Windows, you’ll need to dive into the Windows Registry to make some edits. The trick here is that you’ll want to log on as the user you want to make changes for, and then edit the Registry while logged onto their account. If you have multiple users for which you want to changes for, you’ll have to repeat the process for each user.

Standard warning: Registry Editor is a powerful tool and misusing it can render your system unstable or even inoperable. This is a pretty simple hack and as long as you stick to the instructions, you shouldn’t have any problems.

 

Block Certain Apps Through the Registry

First, you’ll need to log on to Windows using the user account for which you want to block apps. Open the Registry Editor by hitting Start and typing “regedit.” Press Enter to open Registry Editor and give it permission to make changes to your PC.



Allow or Deny Certain Applications in Windows

In the Registry Editor, use the left sidebar to navigate to the following key:
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
 
Allow or Deny Certain Applications in Windows

Next, you’re going to create a new subkey inside the Policies key. Right-click the Policies key, choose New > Key, and then name the new key Explorer .

Allow or Deny Certain Applications in Windows

Next you’re going to create a value inside the new Explorer key. Right-click the Explorer key and choose New > DWORD (32-bit) value. Name the new value DisallowRun .

Allow or Deny Certain Applications in Windows

Double-click the new DisallowRun value to open its properties dialog. Change the value from 0 to 1 in the “Value data” box and then click “OK.”

Allow or Deny Certain Applications in Windows

Back in the main Registry Editor window, you’re now going to create a new subkey inside the Explorer key. Right-click the Explorer key and choose New > Key. Name the new key DisallowRun , just like the value you already created.

Allow or Deny Certain Applications for users in Windows

Now, it’s time to start adding apps you want to block. You’ll do this by creating a new string value inside the DisallowRun key for each app you want to block. Right-click the DisallowRun value and then choose New > String Value. You’ll be naming these values with simple numbers, so name the first value you create “1.”

Allow or Deny Certain Applications in Windows

Double-click the new value to open its property dialog, type the name of the executable you want to block into the “Value data” box (e.g., notepad.exe ), and then click “OK.”

Allow or Deny Certain Applications in Windows

Repeat this process, naming the second string value “2” and the third “3” and so on, and then adding the executable file names you want to block to each value.


When you’re done, you can restart Windows, log onto that user account, and then test things by trying to run one of those apps. You should see a “Restrictions” window pop-up letting you know that you can’t run the app.

Allow or Deny Certain Applications in Windows

You’ll need to repeat this process for each user account for which you need to block apps. Though, if you’re blocking the same apps for multiple user accounts, you could always create your own Registry hack by exporting the DisallowRun key after you’ve configured the first user account and then importing it after logging onto to each subsequent account.

If you want to edit the list of blocked apps, just return to the DisallowRun key and make the changes you want. If you want to restore access to all apps, you can either delete the wholeExplorer key you created–along with DisallowRun  subkey and all the values. Or you could just go back and change the value of the DisallowRun value you created from 1 back to 0, effectively turning off app blocking while leaving the list of apps in place should you want to turn it on again in the future.

 

Block Only Certain Apps Through the Registry

Restricting users to running only certain apps in the Registry follows almost exactly the same procedure as blocking specific apps. You’ll again need to log on to Windows using user account you want to change. Fire up Registry Editor and then head to the following key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies

Right-click the Policies key, choose New > Key, and then name the new key Explorer .


Next you’re going to create a value inside the new Explorer key. Right-click the Explorer key and choose New > DWORD (32-bit) value. Name the new value RestrictRun .


Double-click the new RestrictRun value to open its properties dialog. Change the value from 0 to 1 in the “Value data” box and then click “OK.”


Back in the main Registry Editor window, you’re now going to create a new subkey inside the Explorer key. Right-click the Explorer key and choose New > Key. Name the new key RestrictRun , just like the value you already created.


Now, you’ll add apps to which the user is allowed access. Create a new string value inside the RestrictRun key for each app you want to block. Right-click the RestrictRun value and then choose New > String Value. You’ll be naming these values with simple numbers, so name the first value you create “1.”


Double-click the new value to open its property dialog, type the name of the executable you want to block into the “Value data” box (e.g., notepad.exe ), and then click “OK.”


Repeat this process, naming the values “2,” “3,” and so on, and then adding the executable file names you want the user to be able to run to each value.


When you’re done, restart Windows, log into that user account again, and test your settings. You should only be able to run apps to which you explicitly allowed access. You’ll need to repeat the process with each user account for which you want to restrict apps or create your own Registry hack you can use to apply settings to each user more quickly.

To reverse your changes, you can delete the Explorer key you created (along with the RestrictRun subkey and all values) or you can set that RestrictRun value you created back to 0, turning off restricted access.

 

Pro and Enterprise Users: Block or Restrict Apps with the Local Group Policy Editor

If you use the Pro or Enterprise version of Windows, blocking or restricting apps can be a little easier because you can use the Local Group Policy Editor to do the job. One big advantage is that you can apply policy settings to other users–or even groups of users–without having to log in as each user to make the changes the way you do when making these changes with Registry Editor.

The caveat here is that you’ll need to do a little extra setup by first creating a policy object for those users. You should also be aware that group policy is a pretty powerful tool, so it’s worth taking some time to learn what it can do. Also, if you’re on a company network, do everyone a favor and check with your admin first. If your work computer is part of a domain, it’s also likely that it’s part of a domain group policy that will supersede the local group policy, anyway.

The process for allowing or restricting apps with the Local Group Policy Editor is almost identical, so we’re going to show you how to restrict users to only running certain apps here and just point out the differences. Start by finding the MSC file you created for controlling policies for those particular users. Double-click to open it and allow it to make changes to your PC. In this example, we’re using one we created for applying policy to all non-administrative user accounts.

In the Group Policy window for those users, on the left-hand side, drill down to User Configuration > Administrative Templates > System. On the right, find the “Run only specified Windows applications” setting and double-click it to open its properties dialog. If you want to block specific applications rather than restricting them, you would open the “Don’t run specified Windows applications” setting instead.



In the properties window that opens, click the “Enabled” option and then click the “Show” button.


In the “Show Contents” window, click each line in the list and type the name of the excecutable you want users to be able to run (or the name of apps you want to block if that’s what you’re doing instead). When you’re done building your list, click “OK.”







You can now exit the Local Group Policy window. To test your changes, sign in with one of the affected user accounts and try to launch an app to which the user should not have access. Instead of launching the app, you should see an error message.

 

If you want to disable your changes, just head back into the Local Group Policy editor by double-clicking your MSC file again. This time, change the “Run only specified Windows applications” or “Don’t run specified Windows applications” options to “Disabled” or “Not Configured.” This will turn the setting off entirely. It will also reset your list of apps, so if you want to turn it on again, you’ll need to retype that list.

Post a Comment

 
TECH SUPPORT © 2012 - Designed by INFOSBIRD