I use NTFS file permissions propagated by GPO to protect applications. I also use login scripts to manipulate the user's Start menu and desktop based on group membership. So for a "protected" application, the login script checks with ismember to find out if the icons should be copied to the user's profile; if not, it attempts to delete them. Then, using a Group Policy attached to the termserver OU -> computer -> windows settings -> Security Settings -> File System, I create and replace the permissions on the directory that holds the executables to prevent access unless they are a member of that application's assigned "group" (obviously the same one that ismember is checking).

I usually do it with entire folders, but in Office's case, since there are so many shared components, you might think about doing it just for the primary executables.

The beauty of using GPOs is that I can change it at will (don't have to wait for a re-image), and it affects as many termservers as are in the OU where you have the GPO linked, without manually setting each one.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Adam.Baum@xxxxxxxxxxxxxx
Sent: Monday, November 07, 2005 12:04 PM
To: thin@xxxxxxxxxxxxx
Cc: thin@xxxxxxxxxxxxx; thin-bounce@xxxxxxxxxxxxx
Subject: [THIN] Re: Restricting users from applications

Correct. I have to prevent the "restricted" apps from being accessed by any means (explorer navigation, embedded links, creating new files with .doc, .xls and then clicking on them, etc). Basically, MS is now charging an extra $100+ for every telecommuter to access Office via a terminal session. That's on top of the Windows CAL and the TS CAL. Doesn't matter if the user has a legit copy of Office on his home PC and has Office on his work PC.

adam

Jeff Pitsch <jepitsch@xxxxxxx om>
Sent by: thin-bounce@freelists.org
11/07/2005 12:35 PM
Please respond to thin@xxxxxxxxxxxx g
To: thin@xxxxxxxxxxxxx
cc:
Subject: [THIN] Re: Restricting users from applications

Unfortunately he wants to make sure that the user can't start the programs even from another. At least that's how I understand it. For example, if you have Outlook open, you can't open a Word attachment because Word is restricted if you're coming in over the internet.

Jeff Pitsch

On 11/7/05, Walter, Chris <christopher.walter@xxxxxxx > wrote:

Set up a load evaluator based on IP range and deny them access if they are using a specific IP range.

Chris

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto: thin-bounce@xxxxxxxxxxxxx] On Behalf Of Adam.Baum@xxxxxxxxxxxxxx
Sent: Monday, November 07, 2005 12:21 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Restricting users from applications

Hi All,

As we move more and more into a thin-client solution here, I have been asked if there is a way to keep someone from accessing certain applications when telecommuting. Here's some background info:

While using a City-supplied PC (mainly internal users), access to Microsoft applications is covered under our EA. When using the same servers from home, the access to apps is not covered under the EA. So... I need to find a way to prevent users coming through MSAM from accessing Microsoft applications. Internally, we use PNAgent/WI.

My initial thought was to not publish the apps through MSAM. Then I thought about embedded links. Even if the app isn't published, clicking on an embedded document (or link to a .doc, .xls, etc) will launch the app.

Is there a way to set publishing/access rules based on your connection (MSAM vs PNAgent)? Any other methods of accomplishing this task?

adam

************************************************
For Archives, RSS, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
//www.freelists.org/list/thin
************************************************
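
The NTFS-permission approach described in the first reply of this thread, as an added PowerShell example that is not code from any poster on the list: it replaces the ACL on one application folder so that only the application's group, administrators and SYSTEM can run files in it, then checks the result. The folder path and group name are hypothetical placeholders, and the script is assumed to run locally as an administrator on one terminal server rather than through the GPO File System setting the reply uses.

```powershell
# Added example, not from the thread. $AppDir and $AppGroup are hypothetical placeholders.
param(
    [string]$AppDir   = 'C:\Apps\ProtectedApp',
    [string]$AppGroup = 'EXAMPLE\App-ProtectedApp-Users'
)

function New-AllowRule([string]$Identity, [string]$Rights) {
    # Allow ACE that subfolders and files inherit from the application folder.
    $ruleArgs = $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
}

# Replace the folder ACL: stop inheriting from the parent and drop what was there.
$acl = Get-Acl -LiteralPath $AppDir
$acl.SetAccessRuleProtection($true, $false)   # protected, inherited ACEs not copied
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

# Only administrators, SYSTEM and the application's group keep access.
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl'))
$acl.AddAccessRule((New-AllowRule $AppGroup                'ReadAndExecute'))
Set-Acl -LiteralPath $AppDir -AclObject $acl

# Check 1: no allow ACE on the folder for anyone outside the expected identities.
$expected = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', $AppGroup
$extra = (Get-Acl -LiteralPath $AppDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $expected -notcontains $_.IdentityReference.Value
}

# Check 2: children with their own protected ACL ignore the folder's new ACL,
# so an executable like that could still be reachable by non-members.
$blocked = Get-ChildItem -LiteralPath $AppDir -Recurse | Where-Object {
    (Get-Acl -LiteralPath $_.FullName).AreAccessRulesProtected
}

$extra   | ForEach-Object {
    Write-Warning "Unexpected allow ACE: $($_.IdentityReference) $($_.FileSystemRights)"
}
$blocked | ForEach-Object {
    Write-Warning "Does not inherit the folder ACL: $($_.FullName)"
}
if (-not $extra -and -not $blocked) {
    "OK: only $AppGroup, administrators and SYSTEM can run files under $AppDir"
}
```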