RestrictRun

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Description

The RestrictRun subkey contains a list of programs that restricted users can still run. This list is used only when the value of the RestrictRun entry is 1.

This subkey stores the contents of the Show Contents box in the Run only allowed Windows applications Group Policy. Group Policy adds this subkey and its entries to the registry when you enable the policy. If you disable the policy or set it to Not configured, Group Policy deletes this subkey and its entries from the registry.

The entries in this subkey list all of the Windows programs that affected users can run. If a program is not represented by an entry in this subkey, users cannot run the program. If no entries appear in this subkey, users cannot run any programs that Windows Explorer starts.

Each entry in this subkey represents a Windows program, such as Notepad, and contains the name of the executable file for the program, such as Notepad.exe. The number that names this entry represents only the order in which the programs are entered. It does not affect the feature.

These entries have the following format. The values of all entries must include the file name extension of the file:

Entry name

Data type

Value

Item-number

REG_SZ

Name of executable file

For example, the following entry permits restricted users to use Microsoft Word (Winword.exe):

Entry name

Data type

Value

1

REG_SZ

Winword.exe

Change method

To change the value of this entry, use Group Policy. This entry corresponds to the Run only allowed Windows applications Group Policy (User Configuration\Administrative Templates\System).

Note Image Note

There is also a RestrictRun entry, which enables the Run only allowed Windows applications policy. If the RestrictRun entry is not in the registry or if its value is 0, the policy is not enabled, and the system ignores the RestrictRun subkey and its entries.

This entry prevents users from running only programs that are started by Windows Explorer. It does not prevent users from running programs such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt, Cmd.exe, this policy does not prevent them from starting programs in the command window that they are not permitted to start by using Windows Explorer.

The Run only allowed Windows applications policy takes precedence over the Don't run specified Windows applications policy. If both policies apply to the same user, the Don't run specified Windows applications policy is ignored.

Tip Image Tip

For detailed information about particular Group Policy settings, see the Windows 2000 Resource Kit Group Policy Reference.

For general information about Group Policy, see Windows 2000 Server Help or Windows 2000 Professional Help.

To see a table associating policies with their corresponding registry entries, see the Group Policy Registry Table .

Caution Image Caution

If you are the person who applies Group Policy, do not apply this policy to yourself. If this policy is applied too broadly, it can prevent administrators from running Group Policy or the registry editors. As a result, once applied, you can change this policy only by reinstalling Windows 2000.

Related Entries

Page Image

DisallowRun (subkey)

Page Image

RestrictRun (subkey)