I will look into it further then, especially if it has been found to be that way; I was going only by the documentation (should know better). I don't know if it makes a difference, but as you have said, we do have the command prompt blocked entirely and we are only running 2000 or 2003 TS boxes and XP SP1 clients (other than CE embedded thin). Will they still find a way around that? I am curious now. I am still going to try to get Appsec to work.

_____

From: Jeff Durbin [mailto:techlists@xxxxxxxxxxxxx]
Sent: Wednesday, December 03, 2003 8:02 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Only allow specified apps.

I think you'll find that using "Run only" by itself will be inadequate. All it does is require that an app that's executed from Explorer (and only from Explorer, not a DOS box) be listed in the "run only" list. So, for example, let's say that you allow winword.exe. All I have to do is rename my CMD.EXE to winword.exe, and it will run. (I know, there's a policy setting that can stop CMD, but that doesn't stop *NT4's CMD*.) Used by itself, it's pretty pathetic.

AppSec blocks all apps except the ones listed in its apps list, and those apps don't have to be on the TS itself. I've allowed apps on a network share using AppSec. The beauty of it is that it will only allow the apps *at the specified path* to run. Therefore, you allow only Winword.exe in your "run only" list. Then, you tell AppSec that non-admins can run c:\program files\Microsoft Office\Office10\winword.exe. With that combination, Winword, at the specified location, is the only app that a non-admin will run.

I promise you that if you use "run only" by itself, you'll still have the problem. Add AppSec and you'll solve it.

JD

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robert Barrett
Sent: 4 December 2003 11:08 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Only allow specified apps.

Thanks.
I have it running using "Run only...", not sure what I was doing wrong the first time but it works now. I decided against Appsec because it apparently requires that the app being blocked reside on the TS box; most of these kids run games and stuff from their home directory.

_____

From: Jeff Durbin [mailto:techlists@xxxxxxxxxxxxx]
Sent: Wednesday, December 03, 2003 12:04 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Only allow specified apps.

I've used "Run only allowed windows apps" and AppSec many times. This combination can give you true control over what apps a user can run. Be aware that the list of apps referenced in the URL is not required. For example, USRLOGON.CMD isn't required for USRLOGON.CMD to run during login.

Also, when you first run AppSec, it has a list of apps already loaded. I normally delete them all and start adding only the application executables that I need. I normally add CTXLOAD.EXE as well, but that's only because it was required to fix a failure of the clipboard mapping mechanism the first time I tried using AppSec. Of course, you have to add the names of any executables referenced during login, but that would only be if you were using Kix or VB login scripts, for example.

Jeff Durbin

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Kenzig http://thethin.net
Sent: 2 December 2003 5:10 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Only allow specified apps.

By the way, when using appsec, use the DOS name for specifying file location if you have problems.

Jim

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Kenzig http://thethin.net
Sent: Monday, December 01, 2003 11:06 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Only allow specified apps.

Use appsec.exe and see http://thethin.net/archive3.cfm?id=81940 for a list.
Jim Kenzig
http://thethin.net
http://spamguerilla.com
http://www.kenzig.com
http://ondemandaccess.com
http://worldofasp.com

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robert Barrett
Sent: Monday, December 01, 2003 10:51 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Only allow specified apps.

Hello all,

I am an admin in a school division and, as anyone else can attest, that comes with a whole bunch of users (high school) playing all sorts of games, trying to congest the network to the point of choking. Anyway, enough griping: has anyone gotten the GPO setting that only allows certain Windows exe's to run working? I am trying to only allow them to run what is necessary to run for educational purposes. I can make the list myself (of course, if someone has a basic list to start, I'd take it :-)). If not a GPO, does anyone have any other ideas as to how to do this?

TIA

Robert Barrett MCSE, CCA, A+
Enterprise Administrator
Fort Vermilion School Division
http://www.fvsd.ab.ca
robertb@xxxxxxxxxx
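
Jeff Durbin's contrast in the thread between name-only "Run only" matching and AppSec's full-path matching, modelled as an added example (not part of the thread, and not how Windows or AppSec is implemented). The policy values, the H: home-directory paths and the function names are constructed for illustration.

```python
import ntpath  # Windows path semantics, usable on any OS

# Constructed policy values, following the winword.exe example in the thread.
RUN_ONLY_NAMES = {"winword.exe"}
APPSEC_PATHS = {r"c:\program files\Microsoft Office\Office10\winword.exe"}


def _norm(path):
    """Collapse case, slashes and '..' so comparisons use one canonical form."""
    return ntpath.normcase(ntpath.normpath(path))


def run_only_allows(path, via_explorer=True):
    """Name-only model of the "Run only" policy as described in the thread.

    Only launches from Explorer are checked, and only the file name is compared.
    """
    if not via_explorer:
        return True  # the policy is not consulted outside Explorer
    return ntpath.basename(_norm(path)) in {n.lower() for n in RUN_ONLY_NAMES}


def appsec_allows(path):
    """Full-path model of the AppSec list as described in the thread."""
    return _norm(path) in {_norm(p) for p in APPSEC_PATHS}


def decide(path, via_explorer=True):
    """Return the verdict of each control and of the two combined."""
    name_ok = run_only_allows(path, via_explorer)
    path_ok = appsec_allows(path)
    return {"run_only": name_ok, "appsec": path_ok, "both": name_ok and path_ok}


# Constructed launch attempts: (description, path, launched from Explorer?)
ATTEMPTS = [
    ("Word at the approved path", r"C:\Program Files\Microsoft Office\Office10\WINWORD.EXE", True),
    ("renamed binary in a home directory", r"H:\winword.exe", True),
    ("game in a home directory", r"H:\games\game.exe", True),
    ("game started outside Explorer", r"H:\games\game.exe", False),
]

if __name__ == "__main__":
    for label, path, via_explorer in ATTEMPTS:
        print(f"{label:36} {decide(path, via_explorer)}")
```

Only the first attempt passes both checks; the renamed binary and the non-Explorer launch each pass the name-only check and are stopped by the path check.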