Prevent user from running program?

Guest

This is a 2-part question but I'd appreciate any help/ideas I can get:

1) I was wondering how an administrator can prevent a power user from
running a certain program if it is NOT an executable? Specifically I want to
block them from running a VBA program (has an extension of .dvb).

2) On a related note, how can I block running a program if it is in one
location, but they CAN run the file if in a different location? I'm trying
to prevent end users from running a program on the PC if it is not in the
server location that I specify.

THANKS IN ADVANCE
 
There are two possible ways. You can manage the NTFS permissions on the
executable so that the user/group does not have execute permission to it, either
explicitly or by group membership, or, when using XP Pro, you can use
Software Restriction Policies, with path and hash rules being the most common
way to manage access. The links below explain more. SRP, however, cannot be
applied to a group. By default it applies to all users other than local
administrators, but it is much more powerful than NTFS permissions because power
users have write access to many areas of the operating system and may be
able to install another copy of the executable, where SRP can still prevent
access if configured correctly. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
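
As an added illustration of the answer above (not part of the original thread, and not Microsoft's code), this simplified Python model of SRP path-rule matching shows how a `*.dvb` Disallowed rule combined with a more specific Unrestricted rule for the server share covers question 2, and why an allow rule on the folder alone does not. The share name `\\fileserver\cad`, the file names and the function names are hypothetical; the model assumes `.dvb` has been added to the policy's Designated File Types and covers path rules only (a matching hash rule would take precedence over any path rule).

```python
from dataclasses import dataclass

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

@dataclass(frozen=True)
class PathRule:
    pattern: str  # full path, folder\*.ext, *.ext, or folder\ (trailing backslash)
    level: str

def match_rank(pattern, path):
    """Return a sortable specificity rank if pattern matches path, else None.
    Order modelled: full path > folder\\*.ext > *.ext > folder (deeper wins)."""
    p, f = pattern.lower(), path.lower()
    folder, _, leaf = p.rpartition("\\")
    if p == f:
        return (4, len(p))
    if leaf.startswith("*."):
        if not f.endswith(leaf[1:]):
            return None
        if not folder:
            return (2, 0)
        return (3, len(folder)) if f.startswith(folder + "\\") else None
    if leaf == "" and f.startswith(p):
        return (1, len(folder))
    return None

def evaluate(rules, path, default=UNRESTRICTED):
    """Apply the most specific matching rule; on a tie, Disallowed wins."""
    ranked = [(match_rank(r.pattern, path), r.level) for r in rules]
    ranked = [(rank, level) for rank, level in ranked if rank is not None]
    if not ranked:
        return default
    best = max(rank for rank, _ in ranked)
    levels = {level for rank, level in ranked if rank == best}
    return DISALLOWED if DISALLOWED in levels else UNRESTRICTED

# Constructed sample policy: block .dvb everywhere except the server share.
POLICY = [
    PathRule("*.dvb", DISALLOWED),
    PathRule(r"\\fileserver\cad\*.dvb", UNRESTRICTED),
]
# A folder-only allow rule is less specific than *.dvb, so it does not help.
WEAK_POLICY = [
    PathRule("*.dvb", DISALLOWED),
    PathRule("\\\\fileserver\\cad\\", UNRESTRICTED),
]

if __name__ == "__main__":
    for p in (r"\\fileserver\cad\tool.dvb", r"C:\Temp\tool.dvb"):
        print(p, evaluate(POLICY, p), evaluate(WEAK_POLICY, p))
```

With `POLICY`, a copy of the file placed anywhere outside the share stays blocked, which is the case the answer raises about power users installing another copy.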
 