Setting Program Privileges

[Nathan]

Can anyone tell me if it's possible in Windows 2000 Pro.
using administrator privileges to deny certain users the
ability to access any but a small number of programs? We
have a lab computer that we recently set up, but we would
like some of the users to only have access to programs
that they need (e.g. IE, Word, etc.). Anyone know how to
set this up?

Thanks in advance.

 

[Steven L Umbach]

There are a couple of ways. First a user needs to have proper ntfs permissions to
execute a program. By giving a user deny or no [implicit deny] permissions to the
folder/executable, then they will not be able to run the program. Be careful with
deny permissions, as administrators are also members of the everyone and users group.
Keep in mind that event though a user can not execute Internet Explorer, they may
still be able to browse the internet various other ways on the computer such as
through Explorer or even url links in Word,etc. Ntfs permisions are accessable by
selecting file/folder properties and then choosing security, but only if the drive
volume has been formatted with ntfs instead of fat32.

Another way to restrict users is using Group Policy [via gpedit.msc on local
computer] to not run certain applications. But if a user can rename an executable,
they can work around it. Between this and ntfs permissions, you can reasonably
control what a user can run on a computer if they are only members of the users group
and not administrators or power users. A skilled malicious user could use methods to
work around these restrictions however. --- Steve

http://www.windowsitlibrary.com/Content/592/1.html#1
http://support.microsoft.com/default.aspx?scid=kb;en-us;323525