How-To Geek

Restrict Access to Programs with AppLocker in Windows 7

If you share a computer and don’t want other users accessing certain applications, there is a new feature in Windows 7 that allows you to block them. Today we take a quick look at restricting what programs other users can access using AppLocker.

Note: AppLocker is only available in Ultimate and Enterprise versions of Windows 7.

Using AppLocker 

To access Group Policy Editor and create rules in AppLocker you’ll need to be logged in as Administrator. Click on Start and type gpedit.msc into the search box and hit Enter.

Under Local Computer Policy go to Computer Configuration \ Windows Settings \ Security Settings \ Application Control Policies \ AppLocker.

Now you will see the overall controls for the applications.

Under Configure Rule Enforcement click on the Configure rule enforcement link.

Now, in AppLocker Properties, check the box next to Configured under Executable rules, then click OK.

Blocking Apps from Running

In this scenario, Jack wastes time playing games like Minesweeper and Solitaire when he should be doing his homework, so we are going to block all of the games. After completing the steps above, under the Overview section click on Executable Rules.

Since this is your first time accessing AppLocker, there will be no rules listed. Right-click and select Create New Rule…

This opens up the Create Executable Rules wizard and you can select not to show the introduction screen at start up for the next time you access it.

Select Permissions and, under Action, select Deny.

Add the user you want to block, in this case it’s Jack.

After you’ve selected the Deny action and selected the user, continue to the next step.

In Conditions you can select from Publisher, Path or File hash. We don’t want Jack to have access to any of the games, so we will select Path.

Click on Browse Folders and select the Microsoft Games folder.

In the next screen you could add Exceptions like allowing certain files, but because we are blocking the entire games directory we’ll skip to the next screen.

Here you can add a description to the rule so you can keep track of them if there are several rules configured. When everything looks right, click on Create.

A message pops up saying default rules haven’t been created yet. It is important to make sure they are created, so click Yes to this message.

Now you will see the default rules and the new one you created showing Jack is denied access to the Microsoft Games directory.

After creating the rule, go into Services and make sure the Application Identity service is started and that it’s set to start automatically as well; otherwise the rules won’t work. By default this service is not started, so you will need to enable it.

Now, when Jack logs into his user account and tries to access the games he will only see the following message. Only an Administrator can go in and change the rule.

Conclusion

Use caution when configuring the rules and only start the Application Identity service after everything looks right. Otherwise you have the potential of locking yourself out of all applications, including AppLocker.

AppLocker is a powerful feature included in Windows 7, and we showed you a basic rule so you can get an idea of how it works. In the future we’ll take a look at more complex tasks to accomplish and gain tight control over what programs each user is able to access.
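One way to check that "everything looks right" before the service is started is to test the policy with the AppLocker PowerShell cmdlets. This is an added example, not part of the original article; it assumes an elevated PowerShell session, and the account names, the must-run list and the games folder location are placeholders to adjust for your PC.

```powershell
# Added example: pre-flight test of the local AppLocker policy (not from the article).
Import-Module AppLocker   # needed on PowerShell 2.0, which ships with Windows 7

# Assumptions: account names, games path and the must-run list are placeholders.
$admin    = "$env:COMPUTERNAME\Administrator"
$blocked  = "$env:COMPUTERNAME\Jack"
$gamesDir = Join-Path $env:ProgramFiles 'Microsoft Games'
$mustRun  = @(
    "$env:SystemRoot\System32\mmc.exe",    # hosts gpedit.msc and services.msc
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\explorer.exe"
)
$allowed  = @('Allowed', 'AllowedByDefault')

# Rules created in gpedit.msc live in the local policy.
$policy = Get-AppLockerPolicy -Local

# 1. The administrator must keep the tools needed to undo a bad rule.
$adminResults = @(Test-AppLockerPolicy -PolicyObject $policy -Path $mustRun -User $admin)
$adminBlocked = @($adminResults | Where-Object { $allowed -notcontains "$($_.PolicyDecision)" })

# 2. The restricted user should be denied every executable in the games folder.
$games = @(Get-ChildItem -Path $gamesDir -Recurse -Filter *.exe |
           ForEach-Object { $_.FullName })
$userResults = @()
if ($games.Count -gt 0) {
    $userResults = @(Test-AppLockerPolicy -PolicyObject $policy -Path $games -User $blocked)
}
$userAllowed = @($userResults | Where-Object { $allowed -contains "$($_.PolicyDecision)" })

# Show every decision and the rule that produced it.
$adminResults + $userResults |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

if ($adminBlocked.Count -gt 0) {
    Write-Warning "Administrator would be blocked; fix the rules before starting the service."
} elseif ($userAllowed.Count -gt 0 -or $games.Count -eq 0) {
    Write-Warning "Deny rule does not cover the games folder; service left stopped."
} else {
    # Policy behaves as intended: set Application Identity to start automatically and start it.
    sc.exe config AppIDSvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
}
```

A DeniedByDefault result for the administrator usually means the default rules were not created, which is the prompt you answer Yes to after creating the first rule.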

Brian Burgess worked in IT for 10 years before pursuing his passion for writing. He's been a tech blogger and journalist for the past seven years, and can be found on his about me page or Google+

  • Published 11/12/09

Comments (10)

  1. bet@tester

    I wanna make a little correction:

    Applocker is also available in Windows 7 Professional.

    Nice Tutorial, by the way

  2. sid

    awesome tut great one with screen shots

  3. arbwar

    I tried to restrict access to Real Player for a standard user as a test. It worked, but I can no longer open Chrome with my administrator account. A “This program is blocked by group policy” message appears.
    Why? I restricted access to Real Player, not Chrome, and I’m on my admin account.

  4. brandon

    arbwar.. same problem for me.. I don’t understand.. certain applications say they are blocked since I started this.

  5. M

    PLEASE PLEASE PLEASE instruct users to create a white list for admin first.

    Following these directions you CAN lock out your admin account.

  6. arikah

    It did not work. I didn’t even have the AppLocker thing. How do we get AppLocker?

  7. abdul

    How do I remove AppLocker? I have locked myself out.

  8. Ravi

    Sorry bro, this is not working… I have done all these settings but my software is still working…!!!
    Do you have any other trick to block a particular software? Then please share.
    Thanks…!!!

  9. Randall Douglas

    Hey Guys,

    Another, in my opinion easier way, is to use the Microsoft Family Safety feature. I used this for my kids, but the concept can be applied to any logon. It searches for installed apps and even picks up standalone apps too I believe.

    You can then restrict access. You can even set up time rules for logon and many more features.

    These only affect the selected user account.

    One caveat – you must install Family Safety on your PC from Microsoft and you must have a Windows Live ID (a Hotmail account would automatically give you one).

    Randall

  10. PanosPanos

    Boot the computer in Safe Mode.
    Use local admin.

    You can then access the application identity service from the services.
    Disable it.

    Thanks
