James- I would try using a Software Restriction Policy hash rule to block this exe. Using that Admin. Templates policy below is going to be incomplete, because it only blocks certain types of entries into command.com. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of James F. Prudente Sent: Monday, November 17, 2008 7:52 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Can't block command.com? Hi All, Command.com is blocked via "Don't run specified Windows applications," and sure enough that works properly if a user tries to run the file directly. However, if they put command.com in a batch file, and then run that batch file, they can get to a command prompt. "Prevent access to the command prompt" is enabled, and as best I can tell, I've got things locked down as far as possible. Is there something I'm missing? There are a lot of sites out that that seem to indicate it's not possible to block this. Seems odd though. Thanks, James James F. Prudente Network & Systems Coordinator Islip Public Schools 215 Main Street Islip, NY 11751