Preventing Standard Users from Running Per-user Applications
Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
This topic for the IT professional provides instructions how to prevent standard users from running user-installed applications in Windows Server 2012, Windows Server 2008 R2, Windows 8, and Windows 7.
Many organizations are implementing standard user policies, which allow users to log on to their computers only as a standard user. With Windows Vista®, this task became easier. However, more independent software vendors (ISVs) are creating per-user applications that do not require administrative rights to be installed and that are installed and run in the user profile folder. As a result, standard users can install many applications and circumvent the application lockdown policy. With AppLocker, you can prevent users from installing and running per-user applications.
To prevent standard users from running per-user applications
To open the Local Security Policy MMC snap-in, click Start, type secpol.msc, and then press ENTER.
In the console tree, double-click Application Control Policies, and then double-click AppLocker.
Right-click Executable Rules, and then click Create Default Rules.
Three rules are created and listed in the MMC details pane:
Allow all users to run files in the default Program Files folder.
Allow all users to run files in the Windows folder.
Allow members of the built-in Administrators group to run all files.
When you create these three rules, you automatically prevent all non-administrator users from running programs that are installed in their user profile folder.
Because AppLocker default rules deny applications outside of the Windows and Program Files folders, some legitimate enterprise applications may not run. For example, some line-of-business applications are installed in non-standard locations, such as the root of the active drive (C:). You must create additional allow rules for these applications to run.