Don't forget: command.com and cmd.exe are completely different executables, so you need to catch them both if you specify the names, and maybe the "block the command prompt" policy is only catching one? Also, if you use software restriction policy hash rules (which can work very well) you will need to add in each version of the file. For example: cmd.exe from XP SP2 is different than cmd.exe from Vista or Server 2003/2008, so get one copy of each file when you are defining the executables; it's quite easy. Locking down apps is always tough: are you doing it for stability or security?

Omar Droubi
omar@xxxxxxxxxxxxxxxxxxxxx
650-726-0300

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia [darren@xxxxxxxxxx]
Sent: Monday, November 17, 2008 08:34 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Can't block command.com?

James,

I would try using a Software Restriction Policy hash rule to block this exe. Using that Admin Templates policy below is going to be incomplete, because it only blocks certain types of entries into command.com.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of James F. Prudente
Sent: Monday, November 17, 2008 7:52 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Can't block command.com?

Hi All,

Command.com is blocked via “Don’t run specified Windows applications,” and sure enough that works properly if a user tries to run the file directly. However, if they put command.com in a batch file, and then run that batch file, they can get to a command prompt. “Prevent access to the command prompt” is enabled, and as best I can tell, I’ve got things locked down as far as possible. Is there something I’m missing? There are a lot of sites out there that seem to indicate it’s not possible to block this. Seems odd though.

Thanks,
James

James F. Prudente
Network & Systems Coordinator
Islip Public Schools
215 Main Street
Islip, NY 11751
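Omar's point that every build of cmd.exe and command.com needs its own SRP hash rule is easy to get wrong when several OS versions are in play, and an OS update silently breaks an existing rule. The script below is an added example for this thread, not something any of the posters wrote: it inventories every copy of the two executables in a staging folder (one subfolder per OS/SP, a layout assumed here, not prescribed by the list) plus the live copies on the machine, hashes them, and reports how many distinct builds exist. The SHA-256 value is only used to tell builds apart; when you define the hash rule in the SRP console you browse to the file and it computes its own hash.

```powershell
# Added example (not from the gptalk thread). Inventory each distinct build of
# cmd.exe / command.com so that each build gets its own SRP hash rule, and so a
# post-update hash change (which stops an existing rule from matching) is visible.
#
# Assumed layout (hypothetical): C:\SRP-Staging\<OSName>\cmd.exe, ...\command.com
param(
    [string]$StagingRoot = 'C:\SRP-Staging',          # hypothetical staging folder
    [string[]]$Names     = @('cmd.exe', 'command.com') # the two executables discussed
)

$files = @()

# Copies collected from each OS/SP into the staging folder.
if (Test-Path $StagingRoot) {
    $files += Get-ChildItem -Path $StagingRoot -Recurse -File |
              Where-Object { $Names -contains $_.Name }
}

# Live copies on this machine (System32 and, on x64, SysWOW64).
$liveDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") |
            Where-Object { Test-Path $_ }
foreach ($dir in $liveDirs) {
    foreach ($n in $Names) {
        $p = Join-Path $dir $n
        if (Test-Path $p) { $files += Get-Item $p }
    }
}

# One record per file: version string (command.com, being 16-bit, may have none),
# size, and a SHA-256 used purely to distinguish builds from one another.
$inventory = @(foreach ($f in $files) {
    [pscustomobject]@{
        Name        = $f.Name
        FileVersion = $f.VersionInfo.FileVersion
        Size        = $f.Length
        SHA256      = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        Path        = $f.FullName
    }
})

# Distinct builds = distinct hashes; each one needs its own hash rule.
$distinct = @($inventory | Group-Object SHA256)
'{0} file(s) found, {1} distinct build(s); define one SRP hash rule per build.' -f `
    $inventory.Count, $distinct.Count

# One representative per build, then the full listing showing where each came from.
$distinct | ForEach-Object { $_.Group | Select-Object -First 1 Name, FileVersion, Size, SHA256 } |
    Format-Table -AutoSize
$inventory | Sort-Object Name, SHA256, Path |
    Format-Table Name, FileVersion, Size, SHA256, Path -AutoSize
```

Run it again after patching a reference machine: a live copy whose hash no longer appears among the staged builds is a cmd.exe that your current hash rules will not catch, which is the condition that lets a "blocked" prompt quietly come back.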