How-To Geek

Allow Users To Run Only Specified Programs in Windows

If you have a shared or public computer, you might want to allow users to run only specified programs. Today we take a look at a setting in Local Group Policy that restricts users to a list of programs you specify.

Note: This process uses Local Group Policy Editor which is not available in Home versions of Windows 7 or 8.

First, click Start, type gpedit.msc into the search box and press Enter.

Navigate to User Configuration \ Administrative Templates \ System. Then, under Setting, scroll down and double-click Run only specified Windows applications.

Set it to Enabled, then under the Options section click on the Show button next to List of allowed applications.

A Show Contents dialog comes up where you can type in the apps you want to allow users to run. When finished with the list, click OK then close out of Local Group Policy Editor.
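
Before relying on the list, it can be checked for the two problems this policy is prone to: leaving out mmc.exe, which hosts gpedit.msc, and allowing a shell that starts programs outside Explorer. The PowerShell below is an added example, not part of the original article; `Get-RestrictRunList` and `Test-RestrictRunList` are hypothetical names, the sample list is constructed, and the registry path is where this per-user policy is stored.

```powershell
# Added example, not from the article. Function names are hypothetical.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-RestrictRunList {
    # Allowed executable names for the current user; empty if the policy is off.
    $listKey = Join-Path $PolicyKey 'RestrictRun'
    $flag = (Get-ItemProperty -Path $PolicyKey -Name RestrictRun -ErrorAction SilentlyContinue).RestrictRun
    if ($flag -ne 1 -or -not (Test-Path $listKey)) { return @() }
    $key = Get-Item -Path $listKey
    return @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
}

function Test-RestrictRunList {
    param([string[]]$Allowed)
    $names = @($Allowed | Where-Object { $_ } | ForEach-Object { $_.Trim().ToLower() })
    if ($names.Count -eq 0) { return @('INFO: policy not enabled or list is empty') }
    $findings = @()
    # gpedit.msc is a snap-in hosted by mmc.exe; without it the editor cannot be reopened.
    if ($names -notcontains 'mmc.exe') {
        $findings += 'LOCKOUT: mmc.exe missing, gpedit.msc cannot be reopened to change the list'
    }
    # The policy only covers programs started by Explorer, so an allowed shell
    # can start programs that are not on the list. cmd.exe is named in the policy
    # description; powershell.exe is added here by the same reasoning (assumption).
    foreach ($shell in 'cmd.exe', 'powershell.exe') {
        if ($names -contains $shell) {
            $findings += "BYPASS: $shell allowed, programs started from it are not checked"
        }
    }
    if ($findings.Count -eq 0) { $findings += 'OK: no issues found by these checks' }
    return $findings
}

# Constructed sample list, as it might be typed into the Show Contents dialog.
Test-RestrictRunList -Allowed 'winword.exe', 'firefox.exe', 'cmd.exe'

# The list currently stored for the logged-on user.
Test-RestrictRunList -Allowed @(Get-RestrictRunList)
```

Run it as the user the policy applies to, since the list is stored per user.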

If a user tries to access an application that is not on the specified list they will receive the following error message.

This is a nice feature for limiting what programs users can or cannot access on the computer.

Lowell Heddings, better known online as the How-To Geek, spends all his free time bringing you fresh geekery on a daily basis.

  • Published 01/6/10

Comments (29)

  1. Wander

    This isn’t really safe, because Windows only checks the filename.
    If you allow firefox.exe, someone can still download any file and rename it firefox.exe and use it.

  2. curti

    If a user renamed a restricted application to one on the approved list it would allow them to execute it.

  3. Ze_one

    One question. In the example above, if you don’t put mmc.exe in the list, how can you modify the settings after?

  4. Tarun

    You can also do this in the parental controls, which is in both Vista and 7

  5. insecure

    FYI, not really safe at all. From the description in the dialog:

    This setting only prevents users from running programs that are started by the Windows Explorer process. It does not prevent users from running programs such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt, Cmd.exe, this setting does not prevent them from starting programs in the command window that they are not permitted to start by using Windows Explorer.

    I would assume this means a launcher program (Launchy or Executor for example) would also bypass the restrictions.

  6. ebeau02

    Windows 7 has a better feature called AppLocker. This replaces Software Restriction Policies for XP and Vista. With AppLocker you can have it scan your existing Program Files directory and list which applications you would allow or deny. You also can tell it which applications work based upon file name, location or signature. That way someone can’t simply rename your program and use it. AppLocker also sets default permissions for the OS and the Admin so you don’t lock or prevent yourself from getting to the apps while your guest or user can’t.
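
The rename problem raised in the comments above, and why a rule tied to location or content resists it, as an added example that is not part of any comment. It is plain PowerShell (4.0 or later, for `Get-FileHash`), not AppLocker; a SHA-256 hash stands in for a signature rule, and the function names and the two temporary files are constructed.

```powershell
# Added example, not from the page. Function names are hypothetical.
function Test-NameRule {
    param([string]$Path, [string[]]$AllowedNames)
    # Name rule: only the leaf file name is compared.
    return $AllowedNames -contains (Split-Path -Path $Path -Leaf)
}

function Test-PathRule {
    param([string]$Path, [string]$AllowedDir)
    # Location rule: the file must sit under the approved directory.
    $full = [System.IO.Path]::GetFullPath($Path)
    $dir = $AllowedDir.TrimEnd('\', '/') + [System.IO.Path]::DirectorySeparatorChar
    return $full.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)
}

function Test-HashRule {
    param([string]$Path, [string[]]$AllowedHashes)
    # Content rule: SHA-256 of the file, so renaming changes nothing.
    return $AllowedHashes -contains (Get-FileHash -Path $Path -Algorithm SHA256).Hash
}

# Constructed stand-ins: two files with the same name and different content.
$root = Join-Path ([System.IO.Path]::GetTempPath()) ('allowlist-demo-' + [guid]::NewGuid())
$approvedDir = (New-Item -ItemType Directory -Path (Join-Path $root 'Program Files')).FullName
$downloadDir = (New-Item -ItemType Directory -Path (Join-Path $root 'Downloads')).FullName
$approved = Join-Path $approvedDir 'firefox.exe'
$renamed  = Join-Path $downloadDir 'firefox.exe'
Set-Content -Path $approved -Value 'stand-in for the approved program'
Set-Content -Path $renamed  -Value 'stand-in for a different program renamed to firefox.exe'

$allowedNames  = @('firefox.exe')
$allowedHashes = @((Get-FileHash -Path $approved -Algorithm SHA256).Hash)

foreach ($file in $approved, $renamed) {
    [pscustomobject]@{
        File     = $file
        NameRule = Test-NameRule -Path $file -AllowedNames $allowedNames
        PathRule = Test-PathRule -Path $file -AllowedDir $approvedDir
        HashRule = Test-HashRule -Path $file -AllowedHashes $allowedHashes
    }
}
Remove-Item -Path $root -Recurse -Force
```

Both files pass the name rule; only the approved file passes the location and hash rules.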

  7. Jeremy

    Interesting, but what I really want is a way to get Windows to remember my choices for programs that need to run until they change. Why should I have to click “allow” every time it runs?

  8. Sa YongJa

    I mistakenly applied “run only allowed Windows application” in Group Policy to
    run only winword.exe, so now I can’t open anything else. I just want
    to remove this restriction from my computer, but I can’t open GPEDIT.MSC.
    Please help me to solve this problem.

  9. jake

    I did this and now stuff won’t open; I get that error message. HOW DO I STOP THIS? OR REVERSE IT?

  10. Sa YongJa

    I Resolved my Problem

    1. First Rename folder “GroupPolicy” from C:\WINDOWS\system32 to “GroupPolicy.old”

    2. Then copy and paste another “GroupPolicy” folder from another normal Windows 7 PC.

  11. abhishek

    Is there anything like this with which we can block specific programs by executable name, and what if the user runs it by changing the name of the executable?

  12. Azam

    Ok so this will restrict applications that any user can run. I wonder, doesn’t the Add/Remove programs in Control Panel do the same thing? I mean seriously, if you don’t want a program to run, don’t install it. Unless this is purely for the programs that come built into Windows.

    The reason why I say this is because there is no mention of any ACL, i.e. there is no show of a ‘per user’ restriction. It looks like this is a ‘blanket restriction’ and that’s why Add/Remove works better I think.

  13. bogdan

    I have the same problem. I enabled “run only specified windows applications” and now I can’t open anything. I have Windows XP… please somebody help me… what can I do?

  14. clay

    I can only echo the comments above, and strongly suggest NOT to follow the advice given in this article. I locked myself out of my computer, and could not run anything (including gpedit.msc). After a lot of messing about I finally managed to restore my system, but it was messy and very frustrating!

  15. Guymar Dudikoff

    This is the long, scenic way of doing it, save yourself a headache and just download this

    Microsoft Steady State

    http://www.microsoft.com/downloads/details.aspx?familyid=d077a52d-93e9-4b02-bd95-9d770ccdb431&displaylang=en

    I locked down a public kiosk with it in ten minutes, had to play with the settings a little to allow access just to one website but other than that it was easy

  16. Shahzad

    It’s a very unsafe way. You will not be able to run any program except the ones you have given. You must also allow gpedit.msc in the allowed program list. Or, if you have already messed with your computer, you have a simple way to remove these restrictions:
    1. Rename folder c:\windows\system32\grouppolicy to groupPolicy.old
    2. Make a new blank folder in System32 with the name GroupPolicy and create subfolders User and Machine
    3. Log off and log in again
    You have full access again.
    Cheers
    Shahzad

  17. MHB

    Is there any way to apply this setting to particular users rather than to the current user?

  18. comy

    Yep, but Run as Administrator still works even for restricted users :((

  19. Hicham

    Please help me and thank you
    I can no longer return to the original
    I could not open gpedit.msc

  20. Hicham

    ok
    I have the solution to disable this feature
    go to “démarrer” > “Exécuter ” and Paste these words %SystemRoot%\System32\GroupPolicy
    Then delete all the files
    Finally, restart the system
    Good luck

  21. Pheww

    “Start Run” and paste these words %SystemRoot%\System32\GroupPolicy
    Then delete all the files
    Finally, restart the system
    Good luck

    THANKSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS Thought I was a goner for a second, worked a treat!!!

  22. Ohnoes

    Well, I did this, but I have no access to run, or anything. I’m completely locked out. D”: Any way to fix this?

  23. bocaj

    Is there any reverse of it?
    Please help me.
    I already did everything that is written above, but then no effect.

  24. carl

    bocaj,

    After deleting the files under GroupPolicy you need to shut it down all the way and then start it up again. Should work. Good luck. In my opinion if a group policy locks out the administrator what the hec good is it.

  25. John

    Re:
    curti

    If a user renamed a restricted application to one on the approved list it would allow them to execute it.

    —-

    Oh yeah! that is crap and useless then. However, my only interest in using the local policy manager was to restrict applications (no games, prob no net, etc) in a user account called “work” lol, so I can focus and be more productive in that account haha.

    So far it works really really well.

  26. Alwyn

    Now what would be REALLY useful is if you can specify time segments with this.

  27. Berg

    I did this while I was on the administrator account, now I don’t even have permission to open programs while I’m logged in with the admin account.

    Is there any way for me to fix this problem? Or better said, is there any way for me to access Local Group Policy Editor again?

    I am not allowed to run any commands while I’m admin, and most solutions go through “Run”, but I don’t have that option anymore since I keep getting the error: This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.

  28. JP

    PHEWW I LOVE YOU!!! YOUR STEPS ABOVE WORKED! THANK YOU!!

  29. Solutions

    PHEWW & Hicham your solution just worked fine thank you. I had to figure it out that GroupPolicy folder is actually a HIDDEN FOLDER in system32. Thank you.
