I do what you are talking about by redirecting the start menu to a share with GPO. Then each item in the start menu has NTFS permissions that only one app group has access to. So when a user logs on they only can click on the app they have access to. Then you just drop them in the groups for each app you want them to have access to. Even Internet explorer they can't access unless I drop them into the Internet explorer group. Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA Server+ Network Manager -----Original Message----- From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Luchette, Jon Sent: Tuesday, March 28, 2006 4:02 PM To: thin@xxxxxxxxxxxxx Subject: [THIN] OT: Controlling Desktop Access Hello, I am trying to find the best way to control which users have access to which applications via the Published Desktop as I rebuild my Citrix farm. I am trying to use Group Policies to accomplish this, but need some direction/advice. Ideally I would have it setup by group, so that if a user was in Group A, somehow I would give him access to app A, B, and C via the Published Desktop, and if another user was in Group B, I would give him access to app D, E, and F, via the same desktop. How do you all currently handle this particular piece of administration? Thanks! _______________________________________________ Jon Luchette Emerson Hospital Technology Specialist III Work: 978-287-3369 Cell: 978-360-1379 jluchette@xxxxxxxxxxxxxxx _______________________________________________