Windows 7 includes a feature that you can use to prevent someone from installing software on your computer or running applications you would rather they not use. This feature, AppLocker, lets you specify the applications that users can run on your computer. More specifically, AppLocker is designed to:
- Prevent malicious software and unsupported applications from affecting your computer
- Prevent users from installing and running unauthorized applications
- Implement policies to meet security or compliance requirements
You can find AppLocker and its configurable settings within the Application Control Policies. Simply launch GPEDIT.MSC and navigate to Computer Configuration | Windows Settings | Security Settings | Application Control Policies | AppLocker.
One use for AppLocker is to prevent users from installing per-user applications and thereby bypassing an application lockdown policy. To accomplish this, configure AppLocker as described below:
- Within the Group Policy Editor, navigate to the Application Control Policies.
- Double-click AppLocker.
- Right-click Executable Rules and click Create Default Rules. Doing so creates the following rules:
  - Allow all users to run files in the default Program Files folder
  - Allow all users to run files in the Windows folder
  - Allow members of the built-in Administrators group to run all files
These rules automatically prevent all non-administrative users from running programs installed within their user profile folders.
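To check the result from PowerShell rather than the editor, the following added example (not part of the original article) lists the executable rules in the effective policy and asks AppLocker how it would treat a file in the Windows folder versus one in a user profile. The test file name applocker-test.exe is constructed for this example, and the script assumes an elevated PowerShell prompt on the configured machine.

```powershell
# Added example: inspect the Executable Rules and test them for a standard user.
Import-Module AppLocker

# AppLocker rules are only enforced while the Application Identity
# service (AppIDSvc) is running, so check it first.
Get-Service -Name AppIDSvc | Select-Object Name, Status

# Effective policy = local policy merged with any domain Group Policy.
$policy = Get-AppLockerPolicy -Effective
[xml]$xml = Get-AppLockerPolicy -Effective -Xml

# Enforcement mode of the Executable Rules collection.
$exe = $xml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$exe | Select-Object Type, EnforcementMode

# The path rules in that collection (the three default rules, if nothing
# else has been added), with the group each applies to and its path.
$exe.FilePathRule | ForEach-Object {
    New-Object PSObject -Property @{
        Name   = $_.Name
        Sid    = $_.UserOrGroupSid
        Action = $_.Action
        Path   = $_.Conditions.FilePathCondition.Path
    }
} | Format-Table Name, Sid, Action, Path -AutoSize

# Constructed test case: a copy of notepad.exe placed in the user profile,
# standing in for a per-user application install.
$sample = Join-Path $env:USERPROFILE 'applocker-test.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $sample

try {
    # Evaluate both files as a member of Everyone (a non-administrator).
    $paths = "$env:WINDIR\System32\notepad.exe", $sample
    Test-AppLockerPolicy -PolicyObject $policy -Path $paths -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}
finally {
    # Remove the test copy whether or not the evaluation succeeded.
    Remove-Item $sample -ErrorAction SilentlyContinue
}
```

In the last table, a PolicyDecision of DeniedByDefault means no allow rule matched the file for that user, which is how the default rules block programs under the profile folder.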