RestrictRun

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

Description

The RestrictRun subkey contains a list of programs that restricted users can still run. This list is used only when the value of the RestrictRun entry is 1.

This subkey stores the contents of the Show Contents box in the Run only allowed Windows applications Group Policy. Group Policy adds this subkey and its entries to the registry when you enable the policy. If you disable the policy or set it to Not configured, Group Policy deletes this subkey and its entries from the registry.

The entries in this subkey comprise a complete list of the Windows programs which affected users can run. If a program is not represented by an entry in this subkey, users cannot run the program. If no entries appear in this subkey, users cannot run any programs started by Windows Explorer.

Each entry in this subkey represents a Windows program, such as Notepad, and contains the name of the executable file for the program, such as Notepad.exe. The number that names this entry only represents the order in which the programs are entered. It does not affect the feature.

These entries have the following format. All entries must include the file name extension of the file.

Item-number REG_SZ Name of executable file

For example, the following entry permits restricted users to use Microsoft Word (Winword.exe).

1 REG_SZ Winword.exe

Change method

To change the value of this entry, use Group Policy. This entry corresponds to the Run only allowed Windows applications policy (User Configuration\Administrative Templates\System).

Note

There is also a RestrictRun entry which enables the Run only allowed Windows applications policy. If the RestrictRun entry is not in the registry, or if its value is 0, the policy is not enabled, and the system ignores the RestrictRun subkey and its entries.

This entry only prevents users from running programs that are started by the Windows Explorer process. It does not prevent users from running programs such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt, Cmd.exe, this policy does not prevent them from starting programs in the command window that they are not permitted to start by using Windows Explorer.

The Run only allowed Windows applications policy takes precedence over the Don't run specified Windows applications policy. If both policies are applied to the same user, the Run only allowed Windows applications policy is implemented and the Don't run specified Windows applications policy is ignored.
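The conditions described above can be checked against the current user's hive with a read-only PowerShell script. This is an added example, not part of the original reference; the variable names and finding messages are its own, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: read-only audit of the RestrictRun policy for the current user.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey  = Join-Path $explorer 'RestrictRun'

# The RestrictRun entry (a value) enables the policy; missing or 0 means not enabled.
$flag    = (Get-ItemProperty -Path $explorer -Name RestrictRun -ErrorAction SilentlyContinue).RestrictRun
$enabled = ($flag -eq 1)

# The RestrictRun subkey holds numbered REG_SZ entries, one executable name each.
$allowed = @()
if (Test-Path -Path $listKey) {
    $key = Get-Item -Path $listKey
    $allowed = @(foreach ($name in $key.GetValueNames()) {
        if ($name -ne '') {   # skip the key's unnamed default value
            [pscustomobject]@{ Item = $name; Program = [string]$key.GetValue($name) }
        }
    })
}

$findings = @()
if (-not $enabled -and $allowed.Count -gt 0) {
    $findings += 'List present but the RestrictRun entry is missing or 0: the system ignores the list.'
}
if ($enabled -and $allowed.Count -eq 0) {
    $findings += 'Policy enabled with no entries: nothing can be started from Windows Explorer.'
}
foreach ($e in $allowed) {
    # Every entry must include the file name extension (Winword.exe, not Winword).
    if ($e.Program -notmatch '\.[^.\\]+$') {
        $findings += "Entry $($e.Item) ('$($e.Program)') has no file name extension."
    }
}
# An allowed command prompt lets users start unlisted programs from the command window.
if ($enabled -and ($allowed.Program -contains 'Cmd.exe')) {
    $findings += 'Cmd.exe is on the list: programs started from it are not restricted by this policy.'
}

"Policy enabled: $enabled"
$allowed | Format-Table -AutoSize
if ($findings.Count) { $findings | ForEach-Object { "FINDING: $_" } } else { 'No findings.' }
```

The script only reads the registry; changes to the list still go through Group Policy as described under Change method.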

Tip

For detailed information about particular Group Policy settings, see the Group Policy Reference (Gp.chm) on the Windows 2000 Resource Kit companion CD.

For general information about Group Policy, see Group Policy in Windows 2000 Help.

To see a table associating policies with their corresponding registry entries, see the Group Policy Reference Table.

Caution

If you are the person who applies Group Policy, do not apply this policy to yourself. If applied too broadly, this policy can prevent administrators from running Group Policy or the registry editors. As a result, once applied, you cannot change this policy except by reinstalling Windows 2000.
