AppLocker is a flexible, easily administered tool in Windows 7 and Windows Server 2008 that lets IT admins specify exactly what is and isn’t allowed to run on those computers. It’s basically like the Software Restriction Policies of Windows Server 2003.
AppLocker allows administrators to control the following types of applications: executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.msi and .msp), and DLL files (.dll and .ocx).
It covers practically all known executable file types, which is good, since we would not want non-admin users to easily bypass this control mechanism.
To access the AppLocker admin interface, open the Local Group Policy Editor by running gpedit.msc from the search box.
To create an executable rule, look for Executable Rules under Application Control Policies. Right-click this item, then choose “Create New Rule”.
The wizard for creating new rules will open. Click Next after reading the message on the first page.
The next page lets you choose between Allow and Deny. An allow action permits the file to run, while a deny action prevents it. In this example I will show you how to deny a certain exe file from running, so choose Deny, then click Select to choose the users that will be affected by this rule.
In the Select User or Group dialog, enter the username or group. In the example below I entered “guests”. You may enter any valid account name that exists among your Windows accounts. Click OK once done.
Next, choose the type of primary condition to use. In the example below I chose “Publisher” so I can set a rule based on the software publisher’s information. This, I think, is the better way to deny programs than “path”-based conditions, since paths of executables could easily be changed.
Next, browse for the executable file that you want to deny to guest users. In the example below I entered the path to Yahoo! Messenger. The publisher was recognized automatically. This is a nice touch from the developers, as the user will not need to manually enter the publisher’s name in the rule.
On the last screen enter a descriptive name for the rule. Click Create to create the rule.
You should see the rule appear under Executable Rules.
That’s it! With the rule active, Windows guest accounts will not be able to run Yahoo! Messenger on your computer.
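The same publisher-based deny rule can be built, tested and applied from an elevated PowerShell prompt with the AppLocker cmdlets. This is an added example, not part of the original walkthrough; the $ExePath and $PolicyXml parameters are assumptions to replace with your own values.

```powershell
param(
    [Parameter(Mandatory=$true)][string]$ExePath,        # assumption: full path to the .exe to block
    [string]$GroupSid  = 'S-1-5-32-546',                 # well-known SID of the built-in Guests group
    [string]$PolicyXml = "$env:TEMP\deny-publisher.xml"  # assumption: scratch file for the rule
)
Import-Module AppLocker

# Read the signature details that the wizard fills in automatically.
$info = Get-AppLockerFileInformation -Path $ExePath
if (-not $info.Publisher) {
    throw "$ExePath is not signed, so a publisher condition cannot match it."
}

# New-AppLockerPolicy has no parameter for the rule action and generates Allow
# rules, so emit the rule as XML and switch its action to Deny.
[xml]$policy = $info | New-AppLockerPolicy -RuleType Publisher -User $GroupSid -Xml
foreach ($rule in $policy.SelectNodes('//FilePublisherRule')) {
    $rule.SetAttribute('Action', 'Deny')
    $rule.SetAttribute('Name', "Deny: $($rule.Name)")
}
$policy.Save($PolicyXml)

# Dry run: evaluate the file against the rule before anything is applied.
$result = Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $ExePath -User $GroupSid
$result | Format-List FilePath, PolicyDecision, MatchingRule
if ($result.PolicyDecision -ne 'Denied') {
    throw 'The rule did not deny the file; local policy was left unchanged.'
}

# -Merge adds the rule to the local policy instead of replacing existing rules.
# Once the Exe collection contains any rule, files that no Allow rule matches
# are blocked, so make sure the default Allow rules exist before enforcing.
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge

# AppLocker only evaluates rules while the Application Identity service runs.
if ((Get-Service -Name AppIDSvc).Status -ne 'Running') {
    Write-Warning 'Application Identity service (AppIDSvc) is not running; the rule will not be enforced.'
}
```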
Ben Carigtan shows you how it’s done.


